Cybersecurity experts predicted that in 2023, there would be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.
The recent attacks on Optus, Medibank and Latitude Financial (just to name a few of the big public hacks) have highlighted the significant risk posed to all businesses and individuals that are connected to the internet. Unless you’re a Tibetan monk, that’s all of us.
Hackers don’t care how big or small you are, but rather what data or assets they can get their hands on and how they can exploit it for their own personal gain (or pleasure).
Real estate is a tasty target for cybercriminals given how much data we collect as an industry and the revenue that is generated, so it’s no surprise that cyber attacks and cyber insurance claims are rapidly increasing within the real estate industry.
And if you think attackers take a holiday over the Christmas period, think again. Attacks can occur when you least expect them, or when you’re paying attention the least.
Here are 3 reasons why your real estate company is vulnerable to cyber attacks:
1. Your real estate website isn’t optimised for security
a) WAF & CDN
Most real estate website developers allow direct access to their websites with nothing to filter bad traffic from good. It is critical these days that your website is protected by a WAF (Web Application Firewall), preferably one with CDN (Content Delivery Network) capabilities as well.
If your web developer/host is not using a WAF and CDN to protect your website and website hosting platform today, your website is at a significantly heightened risk of attack. If your host doesn’t provide these options to you already, insist that they do or consider building your website with a company that provides these services by default.
Common attacks on websites include, but are not limited to:
DDoS (Distributed Denial of Service): Where your website (or another website on the same server) is flooded with traffic, causing your website resources to be exhausted and your website to become inaccessible.
Brute Force Login: Where the login pages of your website (or another website on the same server) are flooded with tonnes of different username and password combinations, in an attempt to ‘brute force’ their way into the backend.
A WAF and CDN can help you prevent both.
A WAF essentially puts a firewall between your website and its visitors, allowing you to control who gets access and who doesn’t. A CDN speeds up your website load times by serving your website assets to visitors from the server location closest to them.
Cloudflare is a platform that offers both a WAF and CDN in one, allowing you to create powerful security rules and performance enhancements that will protect your website from common (and not-so-common) attacks automatically while also speeding up your website load times for legitimate visitors.
Cloudflare is free to use and get started (they also offer paid plans if you need more functionality), but you might need some help from your web developer to get it set up.
For added security, your website developer should also block all direct connections to your website hosting server, so that it only accepts traffic arriving from Cloudflare’s IP addresses. Otherwise an attacker who discovers the hosting server’s own IP address can simply go around the WAF.
b) Login pages and secure locations
Using the default login URLs for your website and allowing public access to the website hosting platform lets attackers probe commonly known login page links, e.g. /wp-login.php.
Your website developer should change your login URLs from the default to something unique and then block the default URL using a WAF rule, as mentioned above, so that attackers can’t easily hit your login pages with lots of requests. If you have a WordPress website, try visiting yourwebsite.com.au/wp-login.php (change yourwebsite.com.au to your actual domain name). If you can access this page, your login page is accessible to the world and is vulnerable to attack, mainly brute-force login attempts.
You should also limit access to your website hosting platform to IP addresses that belong to you and your website host. If you have a cPanel website host, try visiting yourwebsite.com.au:2083 or yourwebsite.com.au/cpanel (change yourwebsite.com.au to your actual domain name). If you can access this page, your login page for your hosting platform is accessible to the world and is also vulnerable to attacks and brute-force login attempts.
By taking these measures, you’re not only reducing your attack surface but also preventing DDoS attacks against these pages, whereby an attacker floods them with thousands (or millions) of requests, which stops your website loading for legitimate visitors.
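The two manual checks above (visiting /wp-login.php, and the cPanel login on port 2083 or at /cpanel) can be run in one go with a small script. The following is an added example written for this article, not code from the original post or from Stepps; it is meant to be pointed at a domain you own. The check names, the user-agent string and the verdict wording are my own choices, and the fetcher can be swapped out so the logic can be exercised without a network connection.

```python
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# The article's three manual checks as URL templates; {domain} is replaced
# with the domain you own and are checking. Names are hypothetical.
DEFAULT_CHECKS: List[Tuple[str, str]] = [
    ("WordPress login (/wp-login.php)", "https://{domain}/wp-login.php"),
    ("cPanel on port 2083", "https://{domain}:2083/"),
    ("cPanel via /cpanel path", "https://{domain}/cpanel"),
]

# Sentinel for "something answered, but the TLS certificate could not be
# verified" (common for hosting panels with self-signed certificates).
TLS_ERROR = -1


def http_status(url: str, timeout: float = 5.0) -> Optional[int]:
    """GET the URL and return the final HTTP status (redirects are followed),
    TLS_ERROR on a certificate problem, or None when nothing answers."""
    req = urllib.request.Request(url, headers={"User-Agent": "login-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:       # 4xx/5xx still tell us something
        return err.code
    except urllib.error.URLError as err:        # refused, timed out, no DNS, bad cert
        return TLS_ERROR if isinstance(err.reason, ssl.SSLError) else None
    except OSError:
        return None


def classify(status: Optional[int]) -> str:
    """Translate a status into the article's verdict: can the world reach this page?"""
    if status is None:
        return "not reachable (good: nothing answers at this address)"
    if status == TLS_ERROR:
        return "TLS error (a service answered; inspect it manually, it is probably exposed)"
    if status == 200:
        return "EXPOSED: the page is served to anyone on the internet"
    if status in (401, 403):
        return "blocked (a WAF rule or IP restriction is doing its job)"
    if status == 404:
        return "not found (the default URL appears to have been changed or removed)"
    return f"HTTP {status}: inspect manually"


def check_login_exposure(domain: str,
                         fetch: Callable[[str], Optional[int]] = http_status,
                         checks=DEFAULT_CHECKS) -> Dict[str, str]:
    """Run every check against your own domain and return name -> verdict."""
    return {name: classify(fetch(template.format(domain=domain)))
            for name, template in checks}


def exposed_entries(results: Dict[str, str]) -> List[str]:
    """Names of the checks whose verdict starts with EXPOSED."""
    return [name for name, verdict in results.items() if verdict.startswith("EXPOSED")]


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "yourwebsite.com.au"  # placeholder
    for name, verdict in check_login_exposure(domain).items():
        print(f"{name}: {verdict}")
```

Run it as `python3 selfcheck.py yourwebsite.com.au` and hand anything marked EXPOSED to your web developer; the fix is the one described above (a unique login URL plus a WAF rule or IP restriction on the default one), after which the same checks should come back as blocked or not reachable.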
c) Your website APIs aren’t protected
APIs are fast becoming commonplace in web development. An API (Application Programming Interface) is, put simply, the technical means of connecting software and allowing platforms to talk to each other.
Many web developers implement APIs for their clients with little regard for security because they focus more on functionality, that is, getting the thing to work. Security should never be compromised for the sake of functionality. Attackers will exploit poorly coded APIs and potentially steal your data or, equally bad, your clients’ data.
It is believed that poor API security was to blame for some of the more notable recent attacks on Medibank and Optus.
We recommend adopting the “zero trust” security methodology for all website development, including APIs. Zero trust is the practice of allowing access to particular features or functionality of your website only to the IP addresses and/or countries that require it. Your website host should be able to guide you on how to implement a ‘whitelist’ (allow list) of providers permitted to access your hosting platform and APIs.
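To show what the two allow lists recommended in this section look like in practice (the origin server accepting only traffic that arrives via the CDN, from section a, and the hosting panel and APIs accepting only allow-listed addresses, from this section), here is an added example in Python. It is not code from the original post, from Stepps or from Cloudflare. The IP ranges are constructed placeholders from the documentation address space and must be replaced with your CDN's published edge ranges (Cloudflare publishes theirs at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6) and your own office and host addresses; the restricted path prefixes are hypothetical.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation addresses).
# CDN_CIDRS: your CDN provider's edge ranges. ADMIN_CIDRS: addresses that belong
# to you and your website host.
CDN_CIDRS = ["198.51.100.0/24", "2001:db8:100::/48"]
ADMIN_CIDRS = ["203.0.113.10/32", "203.0.113.64/28"]

# Paths that only allow-listed providers/offices may reach (hypothetical names).
RESTRICTED_PREFIXES = ("/cpanel", "/api/")

# Header in which the CDN forwards the real visitor's address.
# CF-Connecting-IP is Cloudflare's header; other CDNs use their own.
VISITOR_HEADER = "CF-Connecting-IP"


def build_allow_list(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


CDN_ALLOW = build_allow_list(CDN_CIDRS)
ADMIN_ALLOW = build_allow_list(ADMIN_CIDRS)


def is_allowed(address: str, allow_list: List[ipaddress._BaseNetwork]) -> bool:
    """True if the address falls inside any listed network. Malformed input is
    denied rather than allowed (fail closed)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in allow_list)


def effective_visitor_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Only believe the forwarded-visitor header when the direct peer is a CDN edge.
    Otherwise anyone could set the header themselves and impersonate an allowed IP."""
    if is_allowed(peer_ip, CDN_ALLOW):
        return headers.get(VISITOR_HEADER, peer_ip)
    return peer_ip


def evaluate_request(peer_ip: str, path: str, headers: Optional[Dict[str, str]] = None) -> str:
    """Decide what the origin server should do with an incoming request."""
    headers = headers or {}
    # Rule 1 (section a): the origin only accepts connections arriving via the CDN,
    # so the WAF cannot be bypassed by connecting to the server's own address.
    if not is_allowed(peer_ip, CDN_ALLOW):
        return "deny: direct connection to origin, bypassing the WAF"
    # Rule 2 (section c): hosting panel and API paths only for allow-listed visitors.
    if path.startswith(RESTRICTED_PREFIXES):
        visitor = effective_visitor_ip(peer_ip, headers)
        if not is_allowed(visitor, ADMIN_ALLOW):
            return f"deny: {visitor} is not on the allow list for {path}"
    return "allow"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, path, headers)
    samples = [
        ("192.0.2.5", "/", {}),
        ("198.51.100.7", "/listings", {}),
        ("198.51.100.7", "/api/leads", {"CF-Connecting-IP": "203.0.113.10"}),
        ("198.51.100.7", "/api/leads", {"CF-Connecting-IP": "192.0.2.99"}),
    ]
    for peer, path, hdrs in samples:
        print(f"{peer} {path}: {evaluate_request(peer, path, hdrs)}")
```

The detail worth noticing is in `effective_visitor_ip`: once the site sits behind a CDN, the origin sees the CDN's address as the connecting peer and the visitor's real address only in a header, so the API allow list has to read that header, but only after rule 1 has confirmed the connection really came from the CDN. In a real deployment rule 1 normally lives in the host's firewall and rule 2 in a WAF rule or the web server's configuration, which is why the article suggests asking your host to set it up.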
2. You don’t have two-factor/multi-factor authentication turned on
According to a recent report, stolen, reused, and weak passwords remain a leading cause of security breaches. Unfortunately, passwords are still the main (or only) way many companies protect their users. The good news is that cybercrime is in the news so much that 2FA awareness is quickly growing and users are demanding that the companies they do business with have improved security.
Multi-factor authentication (MFA) – also known as two-factor authentication (2FA) – is a security measure that requires two or more proofs of identity to grant you access to a website, app or some platform connected to the web.
Multi-factor authentication typically requires a combination of at least two of the following: something the user knows (a PIN or secret question), something the user has (a card or token) and something the user is (a fingerprint or other biometric).
Businesses as well as individuals should implement MFA wherever possible. Some MFA options include, but are not limited to:
- Physical token
- Random pin
- Biometrics / fingerprint
- Authenticator app
MFA/2FA offers significantly more protection against criminals. They might manage to steal one proof of identity such as your PIN, but they still need to obtain and use the other proofs of identity to access your account.
We often hear from real estate agents who have had their social media accounts hacked, which could have been prevented with the use of MFA/2FA.
The use of MFA/2FA (although stronger physical tokens are recommended) on platforms like Xero and MYOB can also help prevent common attacks whereby online accounting systems are exploited.
While MFA/2FA isn’t guaranteed to block all attacks, it is a significant extra layer that will slow attackers down and motivate them to move on to their next target, one with less secure systems than yours.
Extra notes: If you are connecting to the internet via public wifi OR travelling overseas, we strongly recommend the use of a VPN (Virtual Private Network) on your device to protect yourself from attackers getting access to your online profiles. VPNs encrypt your internet traffic and disguise your online identity. They’re very easy to set up on your phone, tablet or computer, and many providers offer a free account option.
3. You aren’t training your staff
Cyber attacks are not only increasing, but they’re also getting more sophisticated and organised. Keeping your staff well informed of what to look out for is a critical step in maintaining a strong security posture. Just one staff member getting hacked can potentially bring down your entire system.
We believe strongly that cyber security training should be part of every real estate agent’s training schedule and CPD.
Training your team doesn’t need to be all that technical. Basic training on how to secure ALL of your social media accounts, which potential ‘phishing’ or ‘social engineering’ emails to look out for (like this one), or why sharing passwords over email is a bad idea will put your team well ahead of most businesses.
Remember, some attackers want to get in and get out quickly. So if your systems are just that little bit harder for them to crack, they’ll hopefully move on to their next less secure target.
The ACSC (Australian Cyber Security Centre) provides training resources and exercises that can be run in your office to ensure your team is one step ahead of current and emerging cyber threats. ACSC’s “Exercise in a Box” is a great program you can run in-house. It’s designed not only to test your readiness for cyber attacks but also to harden your cyber defences. Also, consider subscribing to the ACSC’s newsletter to keep up to date with the latest advice and best practice, which should also be shared with your team.
Stepps is a proud ACSC Partner, and we are dedicated to improving the security posture for all real estate agents and businesses in Australia.
You’ve worked hard to get your business to where it is today, but just one little cyber attack could be all it takes to cause significant damage to your organisation and reputation. Cyber threats are becoming more sophisticated with advances in hacking, malware and social engineering techniques. One security breach could corrupt your business’s critical data, causing financial loss, reputational damage and liability to third parties.
Do you have everything in place to protect your business as best you can? I certainly hope that you do, or that you will.