Over the past few weeks and months, cyber incidents impacting the real estate and mortgage industry have made headlines. While vigilance around security is nothing new for an industry that’s been targeted for several years, a purchase market (which naturally means more complex transactions and more parties involved than refinances) may expose cybersecurity weak spots.
At Qualia’s 2022 Future of Real Estate Summit (FORES22), Chris Hendricks, Head of Incident Response at Coalition, sat down with Reggie Davis, Qualia General Counsel, to discuss how businesses can take a critical look at their technology infrastructure to minimize security vulnerabilities.
Foundational measures to strengthen your cyber defense
As more businesses come online to market themselves, cybercriminals are able to gather more open-source intelligence from businesses’ websites to uncover information that can be used to plan and execute an attack. Hendricks stressed that this initial risk can happen to anyone. Therefore, businesses should be less focused on preventing the inevitable and more focused on how they can stop an attempted attack from becoming a catastrophe.
Through his work leading incident response for hundreds of clients across the US, Hendricks has identified several trends that separate businesses that are able to recover quickly from a cyber incident from those that are crippled by an attack. He recommended several best practices for businesses to strengthen their defense.
AVOID SINGLE POINTS OF FAILURE
Hendricks explained that some of his clients attempt to solve security risks by avoiding technology. For example, Hendricks often hears business owners say they want to keep things simple and just operate out of email. “They end up with 25 years’ worth of thousands of emails including emails with the most private and sensitive data,” Hendricks said. This results in a single point of failure that opens the business up to immense risk.
PRACTICE VENDOR DUE DILIGENCE
Finding the right technology partners and sophisticated platforms is critical to diversify risk; however, businesses must be diligent in their review and selection process. “Vendor diligence has kind of turned into a dirty word,” Hendricks said. “Many businesses want to do business on a handshake, but on your worst day, you’re going to regret that you hadn’t read what your partners are doing [to protect you].”
Hendricks encouraged businesses to not just click through agreements with vendors but to consider vendors as core to their own practices and standards. “Make vendor diligence a front office problem and not an under-the-rug type of problem,” he said.
IMPLEMENTING SYSTEM BACKUPS ISN’T ENOUGH—ALSO BE SURE TO TEST THEM
Often, business leaders may assume that having data backups is enough; however, what matters is not just whether backups exist but whether businesses have tested them and understand how quickly data can be restored. With proper and regularly tested data backup hygiene and maintenance, leaders can know exactly how long systems will be down in the event of an attack and what gaps exist until the data backups are restored. This fundamental knowledge can make or break a business’s ability to get back on its feet after an incident.
In the case of cloud-hosted solutions like Qualia, much of this hygiene and maintenance is handled by the software provider, which helps to reduce risk through guaranteed regular and consistent maintenance.
PRACTICE TABLETOP EXERCISES FREQUENTLY
One of the biggest mistakes businesses make is only involving IT teams in security scenarios and conversations. Hendricks explained that cybercriminals are usually “not hacking a machine, they are hacking a person.” Usually that person is not the IT lead; it’s someone in accounting or finance or in an administrative role. For this reason, it’s important to discuss security and common scenarios with people at every level.
Hendricks also recommends that C-suite and other business leaders participate in tabletop exercises on a regular basis alongside IT teams. During these tabletop exercises, the group can pick one thing that the business relies on and then consider what would happen if that thing went down. From there, the group can discuss what actions they would take to restore it. Hendricks noted that during most tabletop exercises business leaders almost immediately begin to realize where holes exist in their backup plans or perhaps that a plan doesn’t exist at all.
Training teams for security — it’s not (just) about frequency
Hendricks noted that training teams for cybersecurity is less about frequency and more about human psychology and company culture. For example, if staff see that everyone (including their boss) is participating in cybersecurity training and discussions, the information tends to stick more than if it’s “just another training” that staff must click through and complete. Hendricks also emphasized that while periodic security reminders are helpful, scenario-based conversations tend to be more significant and memorable for employees.
Lastly, a company culture that rewards employees for reporting mistakes rather than penalizing them is paramount. “You want to make sure you create a culture where if people make a mistake—which they inevitably will—that it’s going to be safe to report,” Hendricks said. If employees report immediately, there’s a greater chance that the money can be “clawed back” or that the business can work quickly to reverse the impact of a bad situation.