With huge fund transfers going around, IoT-enabled devices on the rise, and significant amounts of sensitive data being handled, the real estate industry is a hot target for cyber attacks. In this article, we cover the top cyber risks real estate businesses face and how they can mitigate them.
Business email compromise (BEC) attacks are one of the largest threats faced by the real estate industry. A Proofpoint study found that the real estate industry is the second-largest target for email fraud attacks, and according to the 2019 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3), there were over $221M in losses due to real estate fraud and over 11,600 victims.
BEC attacks are scams in which attackers spoof an executive’s email address, or have already gained access to it, in order to trigger fraudulent transfers. These attacks rely heavily on social engineering. For example, an attacker uses a keylogger to capture the CEO’s email password. They log in as the CEO and send an email to the company’s accountant telling them to make a wire transfer to a fraudulent destination. Because the message comes from the CEO’s email address, the accountant thinks it is legitimate and makes the transaction, and the company loses the transferred funds.
How can real estate companies protect against BEC attacks? Employee security training to identify common signs of BEC attacks is important. Businesses also need to implement policies and procedures so that wire transfers aren’t made so easily. One such policy could be that any time a wire transfer is requested, it needs to be confirmed over the phone or in person.
The real estate industry faces increased risks due to the hyperconnectivity of IoT devices in homes and businesses. In a recent survey of commercial real estate owners and property managers, the two highest perceived data security risks were “vulnerabilities in connected systems of vendors or third-party service providers” and “unauthorized access of customer data through building systems, such as HVAC or WiFi.”
One of the dangers with IoT is shadow devices: IoT devices that have been forgotten about but are still connected to your network. These shadow devices, in addition to the ones you know about, can be used in IoT botnet attacks, during which a group of hacked IoT devices, computers, and/or smart appliances are used to conduct cyber attacks like DDoS or cryptocurrency mining. Another issue arises when a commercial building’s entry system is controlled by an internet-enabled device; a hacker could remotely control this system and hold access to the building for ransom.
To protect against IoT attacks and botnets, make sure all devices are updated regularly and whenever emergency patches are released. Segment your network so that your IoT devices are not all connected to the same subnet (network segment) and your most sensitive data sits on a different subnet. That way, if one subnet is compromised through an infected IoT device, access to the other subnets is limited. You must also set strong passwords for your devices; that means not using default passwords and instead using long, hard-to-guess passwords that can withstand brute-force attacks.
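A segmentation and inventory check along these lines, as an added example that is not part of the original article: it compares devices seen on the network against a known inventory to surface shadow devices, and flags IoT devices that sit outside their intended subnet. The subnets, device names, MAC addresses and the observed-device list are all constructed assumptions.

```python
import ipaddress

# Constructed segmentation plan: which subnet each class of device belongs on.
SUBNET_PLAN = {
    "iot": ipaddress.ip_network("10.20.30.0/24"),
    "sensitive": ipaddress.ip_network("10.20.10.0/24"),
}

# Constructed asset inventory: MAC address -> (device name, device class).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("lobby-hvac-controller", "iot"),
    "aa:bb:cc:00:00:02": ("door-entry-panel", "iot"),
    "aa:bb:cc:00:00:03": ("accounting-fileserver", "sensitive"),
}

# Constructed sample of what is actually on the network (e.g. a DHCP lease export).
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.20.30.11"),
    ("aa:bb:cc:00:00:02", "10.20.10.40"),  # IoT device on the sensitive subnet
    ("aa:bb:cc:00:00:03", "10.20.10.5"),
    ("aa:bb:cc:00:00:99", "10.20.30.77"),  # not in the inventory: shadow device
]


def subnet_of(ip):
    """Return the plan name of the subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNET_PLAN.items():
        if addr in net:
            return name
    return None


def audit(observed, inventory):
    """Return (mac, ip, finding) tuples, in the order the devices were observed."""
    findings = []
    for mac, ip in observed:
        actual = subnet_of(ip)
        entry = inventory.get(mac.lower())
        if entry is None:
            findings.append((mac, ip, "shadow device: not in inventory"))
        elif entry[1] != actual:
            findings.append((mac, ip, f"{entry[0]}: expected {entry[1]} subnet, found in {actual or 'unplanned range'}"))
    return findings


if __name__ == "__main__":
    for mac, ip, finding in audit(OBSERVED, INVENTORY):
        print(f"{ip:15} {mac}  {finding}")
```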
Ransomware plagues every industry, and real estate is no exception. The past few years have seen a rise in real estate ransomware attacks, including an attack on the property arm of BNP Paribas, France’s largest bank. Large businesses will continue to be a target for ransomware attacks; however, with fewer resources for cyber protection and ransomware attacks getting more sophisticated, smaller real estate organizations need to beware as well.
Because ransomware infections often begin when an employee clicks on a malicious link or downloads a malicious file in a phishing email, employee training is vital in ransomware protection. Team members, including contractors and interns, need to be taught to recognize phishing and other forms of social engineering. It is also important to back up all your data and systems on a regular basis, have a ransomware attack response plan in place, continuously update all software and hardware, and keep track of what’s happening on your network, with either a managed service provider or someone on your team, so you can quickly detect anomalies.
Real estate companies should also make sure they have cyber insurance coverage. The right policy will cover business interruption and extortion so you can move forward from a ransomware attack with minimal disruption and protect your organization from financial ruin.
Zeguro offers an integrated cybersecurity and cyber insurance solution that empowers you to easily manage your business’s cyber risks and quickly recover from attacks. Our Cyber Safety tools include security training, web app vulnerability scanning, and security policy management to help protect against the phishing and BEC attacks that result from employee negligence, secure against web-based attacks, and lay the foundation for your security and compliance programs. Zeguro Cyber Insurance covers data loss, ransomware attacks, third-party lawsuits, payment fraud, regulatory fines, and more. Because Cyber Safety is integrated with our cyber insurance, you can enjoy potential savings of up to 20% or more on your insurance premium. Get a quote now, or start a free trial of Cyber Safety.