When you picture a cyber criminal at work, what comes to mind? For some, it may be an image of a “hacker genius” analyzing and manipulating lines of code to stealthily break into a system undetected. The reality is a little less cinematic.
“Most cyber attackers are pretty lazy,” says Robert Fly, founder of Elevate Security and former VP of Security Engineering at Salesforce. His company works with businesses across industries to consult them on their security practices. From his experience, cyber criminals are generally individuals without much technology skills who hack people—not technology—to carry out their criminal activities. This is why building a company culture that focuses on security is paramount to the safety of any business.
At the Future of Real Estate Summit held this month, Fly sat down with Qualia CTO, Lucas Hansen, to discuss why title & escrow businesses must adopt a culture of security, and how they can motivate teams to make security part of their DNA.
Secure technology is only the starting point
Most cyber criminals don’t possess the skills or motivation to hack into a secure system. That said, technology with the highest security standards is a must-have baseline for building and maintaining a culture of security.
“Before we even wrote the first line of code [at Qualia], we had already thought a lot about security and the necessary architectural decisions,” Hansen said. He walked through a few key areas where Qualia stands apart in its security measures and also noted a few ways Qualia continues to ensure the most up-to-date and highest security standards.
- Two-factor authentication (2FA): Whenever a user logs into Qualia, a text message containing a secret code is sent to the person trying to log in to authenticate the user. “It’s the single-best thing you can do and it’s so easy,” Hansen said of enabling 2FA within Qualia.
- Third-party audits: Qualia earns security certifications (including SOC-2 and ISO 27001) from third-party auditors who ensure Qualia’s technology meets the highest standards for security. “We also hire ‘white hat’ hackers who we pay to attempt to hack into our system,” Hansen noted. “ They have never found anything serious; however, we work closely with them to understand potential issues.”
- IP whitelisting: With this feature, companies can limit access to Qualia to devices inside the walls of the business or in particular peoples’ homes. This ensures any “outsider” attempting to use the software is blocked from use.
Technology is only as secure as the people using it
According to Fly, nearly 90% of security breaches are due to human error. This is why building a culture of security is paramount to reducing the number of security incidents. Fly admitted that this is not an easy task. “The hard part about people security is people,” he said. “It’s hard to get people to do something they don’t want to do.”
Fly broke down 2 ways employers can motivate their teams: intrinsically and extrinsically.
With this type of motivation, a manager or owner compensates or rewards employees for great behavior. For example, an employee may receive a bonus if he or she spots a wire fraud scam. The downside of this type of motivation is that once the reward is taken away, the behavior usually stops.
Instead of rewarding positive behavior, intrinsic motivation seeks to identify ways to make the desired behavior naturally satisfying. Fly delivered an example from Facebook. The company wanted to motivate users to activate 2FA to keep Facebook’s platform more secure. Facebook ran a series of advertisements with different messages to see which would incite action among users:
- The first message centered on encouraging users to enable 2FA because it would make Facebook more secure.
- The second message focused on encouraging users to enable 2FA because it would make the user (personally) more secure.
- The third message encouraged users to enable 2FA by telling them two of their friends enabled it.
The third message outperformed the others by a massive margin. Facebook tapped into the intrinsic desire people have to be like their peers. Title & escrow businesses can act similarly to understand what intrinsically motivates their employees to utilize security best practices.
Adopting a security culture
To get started with building a strong security culture, Fly recommended 3 steps every title & escrow business should take.
- Use a password manager at home and at work. Fly noted that most people use passwords on 100 or more websites or applications. Meanwhile, the average person only uses 6 passwords between those 100-plus websites. This is a problem because if a cyber criminal gains access to one password, he or she will have access to dozens of accounts. A password manager (such as Lastpass) generates random, secure passwords and saves them for a user so he or she doesn’t need to remember each password.
- Adopt the security features your vendor provides. Fly recommends that users turn on and utilize the security features built into their platforms. For example, Qualia users should activate 2FA and IP whitelisting.
- Make security education a priority. Businesses must work to build a company culture where employees buy-in to the value of security and feel motivated to practice security habits daily.
For more information on Qualia’s security features and standards, click below to download our security whitepaper.