Cyber Liability and Data Breaches in Commercial Real Estate

While some businesses – notably hospitals and banks – are required by federal law to utilize digital data security systems to protect sensitive information from being leaked or hacked, there are no such laws governing information protection in commercial real estate. Data breaches can occur in commercial real estate, particularly because the industry handles highly sensitive information on a daily basis. Commercial real estate companies, agents, buyers, and sellers all exchange information through leases, rental agreements, and credit reports. Hackers can obtain valuable information from these documents, including Social Security numbers, driver’s license numbers, and even financial information. The second most reported crime is cybercrime. In 2017, 55% of data breaches affected business organizations. Understanding how to minimize the risk for cyber liability and data breaches is necessary for modern commercial real estate businesses.


Cyber Liability

Cyber liability is the risk that an individual or company faces when conducting business using Internet-based services. Because many commercial real estate organizations use cloud-based storage or utilize digital payment systems, the commercial real estate industry must remain wary of the dangers of Internet-based services. Protecting oneself from cyber liability comes in three forms: first, obtaining insurance; second, training staff to recognize potential scams and malicious software; and third, practicing safe browsing online. Selecting the best cyber liability insurance depends on a number of factors, so it is best to consult an IT security specialist in order to determine the most optimal insurance for your business. In addition to exploring insurance options, it is imperative that commercial real estate agents understand how to protect themselves and their data.


Common Forms of Data Breaches – How to Protect Yourself

Business Email Compromise (BEC) Phishing

A Business Email Compromise (BEC) is an email-based attack where a spoofed email address convinces a victim to wire a sum of money to an illegitimate bank account. A spoofed email is a malicious email address that is designed to look legitimate in order to spam, phish, or scam an intended recipient. Spoofed email addresses often impersonate an attorney, CEO, or financial officer, in order to convince a victim that the exchange is authentic. For example, a real CEO’s email address may be [email protected]. The criminal impersonates this email address by designing an account that looks similar (for example, [email protected]). The spoofed email address convinces the victim that they are sending a purchase order or invoice to a real person; however, the criminal instead routes the transaction through a number of bank accounts, often making it very difficult or costly for a business or individual to retrieve their payment. The FBI estimates that over $3 billion have been lost due to BEC attacks since 2015. Some BEC attacks also attach malicious links or files to their email. Once a link or file is clicked, the victim can accidentally activate malware or ransomware on their device.

Thankfully, BEC attacks are easy to prevent. In order to further prevent falling victim to a BEC attack, a company should standardize how all employee’s email addresses are structured. This can ensure that employees can spot a spoofed email address. Additionally, for both individuals and companies, enact a two-factor authentication process whenever exchanging money with a client. Use certified mail for physical cash transactions. When handling a digital transaction, confirm the transaction over the phone before sending any additional materials. Be sure to avoid using new phone numbers that appear in an email.

Another important practice to implement is standardizing how you name digital financial files. Some of the most common file names used to convince a victim to open a malicious attachment include “purchase order,” “payment,” “invoice,” and “receipt.” Since malicious file names are simple, implement a system where all financial file names are internally standardized (e.g. “P.O. 2 April 2018” or “Invoice 20180402”). While BEC attacks are common, their success relies on staff not remaining alert. So long as you implement the above practices, you can remain safe from this financial scam and data breach.  


Malware and Ransomware

cyber liabilityAs mentioned above, some malicious links can download malware onto a computer or device. Malware is a portmanteau of the words “malicious” and “software.” Malware is a data breach that harms both hardware and software. When enabled, malware can disable network and computer servers, steal sensitive information, and break into private networks. Malware does not only affect computers, but also it can infect smart phones and tablets. Malware most commonly targets financial data or sensitive personal information. The first line of defense against malware is remaining vigilant when opening files or links. Sometimes a victim will not know that a malware attack has infected their systems until weeks or months after the initial attack. Working with an IT specialist is important as well, as a business should have up-to-date firewall protections on all devices.

Ransomware is a malware attack that is designed to ransom money from a victim. A ransomware attack will force a victim’s data to be locked down and encrypted, making it impossible to access the infected device. In order to gain access to their own files, the victim must then pay a sum of money to the hacker in order to retrieve all of their data; however, even if a victim pays, there is no guarantee that their data will be returned. Failure to pay the hacker can result in data being destroyed, disseminated, or sold. Ransomware attacks are becoming more common. They are growing at a rate of more than 350% annually. Cyber liability insurance often offers protections against ransomware, and in some cases the insurance can pay the ransom on behalf of your business. The biggest protection against malware and ransomware attacks is remaining vigilant and ensuring that preventative measures exist within a company or network server.


Personal Device Safety Practices

In addition to understanding common data breach and infiltration techniques, it is vital that commercial real estate personnel take care of their personal devices. Laptops, smart phones, and tablets all need to be treated thoughtfully and with care. It is important to secure data in case a device is lost or compromised. Of all lost laptops, 46% contain confidential data and only 30% encrypt their data. Below are some suggestions to protect your devices.  


Safety Through Separation

Many modern Americans conduct business on their personal smart phones. However, it is best to own two smartphones: one that is a personal device and one that is used solely for work purposes. If all of your personal and business information is on one device, then all of your banking information and sensitive information is at risk. This tip is particularly important for commercial real estate agents, since you are often posting your cell phone number on listings and advertisements. By using two separate devices, you can make it more difficult for a hacker to obtain all of your information in one data breach.


Wi-Fi Precautions

Do not connect to the internet using free public Wi-Fi. Public Wi-Fi networks have little to no security. Accessing sensitive information – such as logging into a banking app or checking your email – can be data mined by hackers. Only use Wi-Fi networks in areas that have secure networks. Additionally, be sure to secure your own office’s Wi-Fi network, so that malicious passerby are unable to easily gain access to your network. Work diligently with an IT professional in order to set up a reliable and secure Wi-Fi network for your business or home office.


Scrutinize Apps

When downloading apps for a smartphone, be sure to research the app first. 27% of malicious apps are lifestyle apps, which have the most cybersecurity issues of all applications. Many apps use Facebook connectivity to quickly create an account for a new user; however, take the time to set up an account separate from your social media accounts. If your Facebook account is ever compromised, then you risk compromising all other applications that are linked to your Facebook account. With recent news that at least 50 million Facebook users have been affected by a major security breach, personal data housed on Facebook profiles are now at risk.

When an application is free, the application can make money by selling your own data. Many apps also allow you to save your payment information, such as the App Store on iPhones and the Google Play Store on Android devices. Do not save your payment information on any applications. While completing in-app purchases will take longer, you can ensure that it is more difficult for a hacker to access your financial information. Scrutinizing apps is important for both your business devices and personal devices.

Even though the commercial real estate industry does not have specific laws to abide by when conducting business using digital technology, the risk of being hacked or scammed is growing. BEC, malware, and ransomware attacks are all on the rise. Through precaution and coordination, though, these attacks can be prevented. In the modern era of the Internet, the commercial real estate industry must be prepared for the cyber liability taken on when conducting business online.

Related Articles