Not long ago, I received an email from an executive in the commercial real estate field, with an urgent message: “Don’t open the email you may have received from us. We have been hacked.”
Point taken. However, I had recognized right away that the original email was from a hacker. Such emails can look very convincing, and this incident illustrates what anyone who works in the commercial real estate space should know: namely, that it is critical to protect your information and infrastructure from being hacked.
No commercial real estate firm or related industry can afford to have its infrastructure compromised. Consider all the sensitive documents stored on the company infrastructure: clients’ and tenants’ Social Security numbers, credit card numbers, credit reports and proprietary financial and personal information. This all needs the highest level of protection. In the wrong hands, this information can lead to identity theft, and can place a business in peril.
The executive was the target of “phishing.” The sender went to a great deal of effort to create an official-looking email containing what seemed to be an authentic message from a bank or credit card company. These emails make a compelling case for the recipient to click on a link embedded in the message. Once that happens, the hacker gains access to passwords and, in turn, the ability to breach the infrastructure.
From that point, hackers sell information to criminals in an underground market, or use the information for their own illegal purposes. Because commercial realtors deal with emails from all sorts of people, phishing is commonplace in this field, but it is only one method by which systems are hacked.
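As an added example, not code from the original article or from the author's firm, the Python script below shows the kind of mechanical check a mail gateway or awareness tool can run on a message like the one described above. It parses a constructed sample email, collects every link in the HTML body, and flags anchors whose visible text shows one domain while the real target points to another, links that lead outside the sender's domain, and login links served without TLS. The sender address, hostnames and wording in the sample are all made-up placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for demonstration only: the bank, the addresses
# and the hostnames are placeholders, not a real institution or campaign.
SAMPLE_EMAIL = """\
From: "First Example Bank" <alerts@example-bank.com>
To: exec@example-realty.com
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account has been locked. Sign in at
<a href="http://example-bank.com.verify-account.example.net/reset">https://www.example-bank.com/login</a>
within 24 hours to restore access.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'registered domain' heuristic: the last two DNS labels.
    Fine for a demo; real code should consult the public suffix list so
    that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_text(text):
    """If the anchor's visible text looks like a URL or hostname, return its
    registered domain; otherwise None (plain words such as 'click here')."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return registered_domain(host) if host else None


def analyze_message(raw):
    """Return a list of findings describing suspicious links in an email."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_header = msg["From"]
    sender_host = from_header.addresses[0].domain if from_header and from_header.addresses else ""
    sender_domain = registered_domain(sender_host)

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)

    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        target = registered_domain(parsed.hostname or "")
        shown = domain_of_text(text)
        if shown and shown != target:
            # Classic lookalike: the text says one site, the link goes elsewhere.
            findings.append({"severity": "high", "shown": shown, "target": target,
                             "reason": "link text shows a different domain than its target"})
        elif target != sender_domain:
            # Weaker signal: legitimate mail also links to third parties.
            findings.append({"severity": "low", "shown": shown, "target": target,
                             "reason": "link points outside the sender's domain"})
        if parsed.scheme == "http":
            findings.append({"severity": "medium", "shown": shown, "target": target,
                             "reason": "link served without TLS"})
    return findings


if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print(finding)
```

The high-severity rule is the one that catches the message the executive received: the anchor text advertises the bank's real site while the `href` lands on an unrelated domain that merely begins with the bank's name. A gateway would typically use such findings to rewrite the link, add a warning banner, or quarantine the message rather than block on any single rule.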
Remember that the hackers are getting more sophisticated and devious every year. One statistic suggests that hackers can earn up to $80,000 – per day – for their activities. Hackers are cunning and relentless – and this has spawned an incredibly large “black market” where people sell information stolen through breaches. In the case of hackers, crime does, in fact, pay – until they get caught.
Cyber criminals have been known to copy digital information from an online listing to create their own listing, collect an initial deposit and rent a property they do not own. In 2012, two people were imprisoned for running an identity theft ring in San Diego based on information that they found from stolen real estate files. In another case, a property management company was fined because the company did not have proper encryption on a laptop, which was then stolen.
Every business needs to declare war against being hacked. Protecting your company’s email and infrastructure is serious business. And the first challenge to a system’s infrastructure can often be found by looking at the weakest link – the human element.
Most employees are not properly trained in the subject of identifying threats to the company infrastructure, or how to respond to them. Given the numerous techniques a hacker could employ – from rummaging through a dumpster to collect improperly discarded documents to showing up at a place of business as a contracted technical employee and gaining access to the main servers – comprehensive educational programs that train employees in detecting and responding to hacking threats are imperative.
Included in that training should be education about the risks of employees using their own mobile devices for work. Every device connected to the company infrastructure, from a smartphone to a tablet, offers hackers yet another way into the system. Policies can and should restrict the websites employees may visit, particularly over the company network. Properly trained employees will stay within what the company considers safe use of email and web browsing, and will be vigilant in identifying and avoiding potential threats.
Additionally, secure architectural engineering principles should be developed and followed when implementing technology and training users. Understanding the flow of corporate data is also important, as this knowledge can provide insight into possible attacks against infrastructure.
In addition to training, companies should run continuous vulnerability assessments against servers, workstations and networking equipment to ensure that the risks from vulnerabilities are mitigated. Deploying “honeypots,” or traps, around your infrastructure to catch a malicious attempt before it reaches your networks or breaches critical assets is also an incredibly effective component of a containment strategy. Likewise, threat intelligence should be integrated into the infrastructure to catch propagating malware, data exfiltration and unauthorized access attempts before they cause damage.
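The honeypot idea in the paragraph above, as an added illustration that is neither the author's nor Vulsec's code: a minimal Python TCP listener that sits on a port no legitimate system should ever touch, records every connection (time, source, first bytes sent) and closes it, plus a helper that tallies attempts per source so an alert can be raised. The `demo()` function starts it on an ephemeral loopback port and pokes it once from the same process; the SMTP-style banner and the hostname `mail.example.test` are constructed placeholders.

```python
import socket
import threading
from datetime import datetime, timezone


class ConnectionHoneypot:
    """Minimal TCP 'trap': accept connections, record who connected and what
    they sent, then close. Nothing legitimate should ever connect here, so
    every recorded event is worth investigating."""

    def __init__(self, host="127.0.0.1", port=0, banner=b""):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0 = let the OS pick one
        self._sock.listen(8)
        self._sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self.banner = banner                   # optional fake service greeting
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            self._handle(conn, peer)

    def _handle(self, conn, peer):
        """Send the banner, capture at most 256 bytes, record, close."""
        conn.settimeout(0.5)
        received = b""
        try:
            if self.banner:
                conn.sendall(self.banner)
            received = conn.recv(256)
        except (socket.timeout, OSError):
            pass
        finally:
            conn.close()
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": f"{peer[0]}:{peer[1]}",
            "port": self.port,
            "payload": received[:64].decode("ascii", "replace"),
        }
        with self._lock:
            self.events.append(event)

    def snapshot(self):
        with self._lock:
            return list(self.events)


def summarize(events):
    """Count connection attempts per source address, the basis for an alert."""
    counts = {}
    for event in events:
        src = event["peer"].rsplit(":", 1)[0]
        counts[src] = counts.get(src, 0) + 1
    return counts


def demo():
    """Run the honeypot on loopback and connect to it once from this process."""
    hp = ConnectionHoneypot(banner=b"220 mail.example.test ESMTP\r\n").start()
    with socket.create_connection(("127.0.0.1", hp.port), timeout=2) as client:
        client.recv(64)                        # read the fake banner
        client.sendall(b"EHLO scanner\r\n")    # constructed probe text
        try:
            client.recv(64)                    # returns b"" once the trap closes
        except OSError:
            pass
    hp.stop()                                  # join guarantees the event is recorded
    return hp.snapshot()


if __name__ == "__main__":
    for event in demo():
        print(event)
```

In a real deployment the listener would run on unused addresses or ports inside each network segment, and `events` would be shipped to the SIEM rather than kept in memory; the value lies in the near-zero false-positive rate, since no production traffic has a reason to reach the trap.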
Beyond that, developing a system of disaster recovery, business continuity and incident response policies will ensure that data is protected and that backups exist. The combination of vigilance and training can go a long way toward reducing the threats to any company infrastructure.
Andrew Ostashen is co-founder of Vulsec, a Boston-based firm established to provide clients with data protection to safeguard information technology departments from hackers. He can be reached at (617) 648-9815, or aostashen@vulsec.com.