Cybersecurity experts predicted that in 2022, there would be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.
Through the COVID-19 pandemic, as a larger segment of the population worked (and continues to work) from home — with all of its attendant distractions — the settings are ripe for exploitation. The humble home router has become the attack surface, and the harried, hurried, tired and stressed employee the target of choice. It’s no wonder that within months of the pandemic’s first lockdown, over 4,000 malicious COVID sites popped up on the internet.
And now with the war in Ukraine, some experts are predicting an all-out cyber assault from Russia toward western countries.
How often do cyberattacks occur?
Cyber attacks hit businesses every day. Former Cisco CEO John Chambers once said, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.”
Why do cyber-attacks happen?
Cybercrime has increased every year as people try to benefit from vulnerable business systems. Often, attackers are looking for ransom: 53 per cent of cyber-attacks resulted in damages of $500,000 or more.
Cyberthreats can also be launched with ulterior motives. Some attackers look to obliterate systems and data as a form of “hacktivism.”
Will the authorities help me if I get attacked?
The short answer is no. It is nearly impossible to track cyber attacks back to the person(s) responsible, and therefore you must take a ‘defence mindset’ toward your cyber security. That means you must put in place defensive mechanisms and internal procedures to ensure the best possible protection. Something as simple as turning on two-factor authentication for each website and platform you use can prevent a significant number of common cyber attacks.
If you are attacked, there is very little the authorities can do to help you.
Why is the real estate industry particularly vulnerable?
While the motives behind a cyber attack can be wide-reaching, attackers target real estate businesses mainly for the following reasons:
- To gain a competitive advantage
- To access sensitive data stored in the CRM, trust account software and/or website
- To gain a financial benefit
- For fun (Yes, there are people out there who do this for fun)
One of the other reasons real estate businesses are particularly vulnerable, despite all of the advice out there, is the unfortunately lax approach many businesses take toward cyber security.
If you weren’t concerned (or scared) about your own cyber security before, check out this video from John Hammond – a cyber security expert with over 400,000 YouTube subscribers – where he explains just how easy it is to “hire a hacker” on the dark web for as little as $250. If this scares you, and it should, keep reading below to find out how you can protect your business.
Common types of attacks
Malware is a term used to describe malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or email attachment that then installs risky software. Once inside the system, malware can do the following:
- Block access to key components of the network or data in your software systems (ransomware)
- Install further malware or other harmful software
- Covertly obtain information by transmitting data from the hard drive (spyware)
- Disrupt certain components and render the system inoperable
How to protect yourself against malware attacks:
- Keep your computer and software updated
- Use a non-administrator account whenever possible
- Think twice before clicking links or downloading anything
- Be careful about opening email attachments or images
- Don’t trust pop-up windows that ask you to download software
- Limit your file-sharing
- Use antivirus software
- Ensure that your email has business-level anti-spam protection
- Ensure your staff are regularly trained on how to act when a suspicious email arrives in their inbox
Phishing is the practice of sending fraudulent communications that appear to come from a reputable source, usually through email. The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine. Phishing is an increasingly common cyberthreat.
How to protect yourself against phishing attacks:
- Employ common sense before handing over sensitive information. When you get an alert from your bank or other major institution, never click the link in the email. Instead, open your browser window and type the address directly into the URL field so you can make sure the site is real.
- Never trust alarming messages. Most reputable companies will not request personally identifiable information or account details via email. This includes your bank, insurance company, and any company you do business with. If you ever receive an email asking for any type of account information, immediately delete it and then call the company to confirm that your account is OK.
- Do not open attachments in these suspicious or strange emails — especially Word, Excel, PowerPoint or PDF attachments.
- Avoid clicking embedded links in emails at all times, because these can be seeded with malware. Be cautious when receiving messages from vendors or third parties; never click on embedded URLs in the original message. Instead, visit the site directly by typing in the correct URL address to verify the request, and review the vendor’s contact policies and procedures for requesting information.
- Keep your software and operating system up to date. Windows OS products are often targets of phishing and other malicious attacks, so be sure you’re secure and up to date, especially if you are still running anything older than Windows 10.
A denial-of-service attack is one in which a website, server, or network is flooded with large volumes of traffic to exhaust its resources and bandwidth. As a result, the system is unable to fulfil legitimate requests, preventing regular visitors from accessing your website. Attackers can also use compromised devices, linked together from around the world, to launch this type of attack.
This is known as a distributed-denial-of-service (DDoS) attack, and it is becoming more common on real estate websites.
How to protect yourself against DDoS attacks:
Even with the strongest and/or most sophisticated firewall in place, DDoS attacks can still occur. One of the biggest mistakes that real estate website developers make is using plugins (typically WordPress plugins) to manage their firewall rules. You need to ensure that your website developer is blocking malicious traffic BEFORE it reaches your website in the first place.
This is done at the server level or via a CDN (content delivery network). WordPress plugins will not prevent a large-scale DDoS attack, because a plugin only runs once a request has already reached your server and consumed its resources, and such plugins will also slow your website down because of the resources they require to run. You should avoid using security plugins on your website for these reasons and instead insist that your website provider implement a system that blocks malicious traffic before it ever reaches your website.
Platforms such as Cloudflare sit between your visitors and your website and, in simple terms, determine what is good vs. bad traffic – allowing the good and blocking the bad. Cloudflare also has automated DDoS protection, even on the free plan, and allows you to configure more advanced rules should you notice any strange traffic patterns.
Relying on humans (generally your web developer) to manually respond to DDoS attacks is not ideal. You need automated rules in place to ensure that your website is protected. Cloudflare will help you to prevent and mitigate DDoS attacks like the one below, performed on a small independent real estate business, in which the attacker used compromised servers from around the world to flood the website with significant levels of traffic for weeks on end.
The screenshot below shows a snippet of traffic from a 12-hour period in which 144 million requests flooded the website but were all blocked automatically by Cloudflare’s DDoS detection, Web Application Firewall (WAF) and custom firewall rules.
Typically, DDoS attacks have been known to last for up to 72 hours. However, the example above lasted 3 weeks and was performed on a small independent real estate business, proving that this type of attack can happen to anyone. A DDoS attack can be ordered on the “dark web” for as little as $50 USD.
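The automated threshold rule the section above argues for, as an added example that is not code from the article, from Cloudflare or from any WordPress plugin: a short Python script that parses access-log lines in the common Apache/nginx combined format, keeps a sliding window of request timestamps per client address, and reports any client exceeding a request limit within that window. The IP addresses, paths and timestamps are constructed, and the limit of 60 requests in 10 seconds is an illustrative assumption, not a recommended value.

```python
"""Rate-based flood detection over web-server access logs.

Added example (not code from the article, from Cloudflare or from any
WordPress plugin): it shows the kind of automated threshold rule an edge
layer applies, run here against constructed log lines so it works offline.
All IP addresses, paths and timestamps below are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None  # junk or truncated line: skip rather than crash
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_offenders(lines, limit=60, window_seconds=10):
    """Sliding-window rate check per client IP.

    Returns {ip: peak_count} for every client that made more than `limit`
    requests inside any `window_seconds` span.  Lines must be in time order,
    as access logs normally are.  The 60-in-10s default is an illustrative
    assumption, not a tuned value.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire old timestamps
            q.popleft()
        if len(q) > limit:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def build_sample_log():
    """Constructed sample: one normal visitor and one client that sends 200
    requests in five seconds, each with a different query string."""
    base = datetime(2022, 3, 10, 9, 0, 0, tzinfo=timezone(timedelta(hours=10)))
    lines = []
    for i in range(200):  # the flood source (constructed address)
        t = base + timedelta(milliseconds=25 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] '
                     f'"GET /?s={i} HTTP/1.1" 200 8100')
    for i in range(5):    # an ordinary visitor, one page a second
        t = base + timedelta(seconds=i)
        lines.append(f'203.0.113.5 - - [{t.strftime(TS_FMT)}] '
                     f'"GET /listings/{i} HTTP/1.1" 200 5120')
    lines.sort(key=lambda l: parse_line(l)["ts"])  # interleave chronologically
    return lines


if __name__ == "__main__":
    for ip, peak in find_offenders(build_sample_log()).items():
        print(f"block {ip}: {peak} requests inside a 10-second window")
```

Two points follow from running it. First, this check belongs at the edge (CDN or WAF), for the reason the article gives: by the time a plugin on the origin server counts a request, that request has already consumed the server's resources. Second, a per-address count on its own does not catch a distributed flood in which every bot stays under the limit, which is why edge providers combine it with aggregate signals such as total request rate and request-pattern anomalies.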
What is a botnet?
A botnet is a network of devices that have been infected with malicious software, such as a virus. Attackers can control a botnet as a group without the owners’ knowledge, with the goal of increasing the magnitude of their attacks. Often, a botnet is used to overwhelm systems in a distributed-denial-of-service (DDoS) attack.
Cyber-attacks can be very expensive with the current average cost of an attack on a small to medium sized business estimated at $1.9m.
Cyber insurance is an increasingly important part of running a business today. It is one of the fastest-growing products in the insurance world, and real estate is one of the fastest industries to adopt it. Although there are ways to report cyber-attacks, it is very rare that an attacker is found and/or charged.
You must adopt a defence mindset with your cyber security and cyber insurance may just be the peace of mind you need if you ever fall victim to one of these attacks.
Many insurers are also now implementing stricter policy conditions, which are important to note. Simply having cyber insurance in place may not protect you: you must also have policies within your business that meet your insurer’s conditions.
A word from Aon insurance:
The insurance market for Cyber Insurance is becoming very contracted. Premiums are increasing dramatically and insurers are imposing more stringent policy conditions, such as the below, before providing cover – particularly if agents wish to cover funds in their trust account.
- Your office must, before any change is made to a third party’s account details, obtain authorisation from the third party via an authentication method which is different to the original method used to request the change;
- Your office must, before you transfer funds to an account that you haven’t paid into before, obtain authorisation from the recipient of the funds via an authentication method which is different to the original method used to request the transfer;
- Your office must ensure that Multi-factor authentication is always enabled on all of your email accounts;
- Your office must provide staff training on phishing/social engineering scams for all employees involved in transferring funds on behalf of your organisation;
- Your office must provide all clients with a written warning that if they receive a request via email to make a change to any of their account details and/or to transfer any funds that they must not respond to the email and that they must contact your office immediately.
If you wish to discuss further your Cyber/Professional Indemnity requirements with Aon, contact their Real Estate team on [email protected] or phone 1300 734 274.
You’ve worked hard to get your business to where it is today, but one successful cyber-attack could be all it takes to cause significant damage to your organisation and reputation. Cyber threats are becoming more sophisticated with advances in hacking, malware and social engineering techniques. One security breach could corrupt your business’s critical data, causing financial loss, reputational damage and liability to third parties.
Do you have everything in place to protect your business as best you can? I certainly hope that you do, or that you will.
Disclaimer: Reference in this article to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute an endorsement, recommendation, or favouring by Stepps Pty Ltd ATF The Stepps Unit Trust. The contents in this article do not constitute legal or financial advice, are not intended to be a substitute for legal or financial advice and should not be relied upon as such. You should seek legal and financial advice or other professional advice in relation to any particular matters you or your organisation may have in relation to the content in this article.