In 2017, the FBI reported that real estate transaction losses due to wire fraud and other cyber criminal attacks totaled more than $1 billion. One may assume that cyber criminals are focusing their attacks on large enterprises where a single successful breach could result in access to thousands of account details. In reality, cyber criminals are increasingly placing their attention on small and medium sized businesses (SMBs) to quickly access low-hanging fruit.
The latest Verizon Data Report which analyzes more than 41,000 security incidents spanning 86 countries worldwide found that while the ways in which cyber criminals are attacking remains relatively consistent, the targets of cybercrime are evolving. This year’s data indicates that cyber attacks on SMBs are on the rise with 43% of breaches occurring at small businesses.
Why are SMBs a Target for Cyber Criminals?
Many smaller title & escrow companies are beginning to utilize digital tools such as email to exchange information between parties. At the same time, these SMB companies are often under-investing in cyber security. Cyber criminals are aware of these vulnerabilities and view SMB title & escrow companies as easy targets for quick-grabs.
Additionally, as SMB title & escrow companies transition to digital practices and workflows, there is often a lack of security knowledge among employees that leaves the business vulnerable to social engineering threats such as phishing and business email compromises (BEC). According to a recent report from FinCEN, real estate was the third highest targeted sector for BEC in 2018. In these types of attacks, cyber criminals often impersonate C-suite executives using nearly-identical email templates and email addresses to convince employees to transfer money into fraudulent accounts. Similarly, a cyber criminal may replicate the company’s email templates to convince homebuyers to wire their funds to fraudulent accounts.
Minutes to Happen, Months to Detect
Verizon’s report indicates that most attacks were conducted in minutes; however, the majority of breaches (56%) took months to discover. IBM’s 2018 Cost of a Data Breach Study found that US companies take an average of 206 days to detect a breach. According to the study creators, the length of time to identify and contain a data breach directly correlates with the financial losses of the security breach — the longer the discovery timeline, the higher the costs of the security incident.
A separate study which surveyed over 1,300 SMB owners found that 83% of SMBs are not financially equipped to deal with the repercussions of a cyber attack. Costs of a cyber attack include ransom, cost of data, downtime, non-compliance fines, and legal fees — averaging out to nearly $3 million.
What Can Title Companies Do to Arm Themselves Against Cyber Criminals?
Qualia software engineer, Mike Lublin, is part of a team designing software that meets the highest-standards for cyber security. He recommends that title companies invest in best-in-class digital security and ask 7 key due-diligence questions to find the best technology partners.
CERTIFICATIONS AND COMPLIANCE
What to ask: Do you meet ALTA best practices and the highest-standards for user data protection and security?
What to listen for: Third party certifications like ISO 27001 and SOC-2 ensure the technology meets the highest standards for information security and integrity of systems used to process user data.
Data center security
What to ask: How and where is the data physically stored?
What to listen for: The provider should use data centers with physical security standards including professional security staff, video surveillance, and intrusion detection systems. Additionally, the data center should have safeguards that protect the data from environmental factors such as fires or other natural disasters, temperature changes, and power outages.
What to ask: What application frameworks are in place to mitigate software vulnerabilities and how do you test for such vulnerabilities?
What to listen for: The provider should utilize internal testing and third-party evaluations and testing should take place on a regular basis.
Privacy and Service Operations
What to ask: Do you interact with customer data as part of normal operations?
Administrative control features
What to ask: What administrative control features do you have to maximize security?
What to listen for: Ensure the provider allows for permission setting and other user management abilities to control access to accounting, reporting, and other sensitive information. Two-factor authentication (which requires two forms of authentication to gain access to a system), IP whitelisting (which specifies the IP addresses that are allowed access), password strength requirements, and secure email offer additional protection.
What to ask: How is our data managed on the network?
What to listen for: A system with isolated data has a higher degree of security, privacy, and availability. A secure system will use data encryption and secure channels to transmit data. Additionally, managed firewalls prevent spoofing (impersonation of a device or user on a network to steal data, spread malware, or bypass controls) on the network.
Logging, Monitoring, and Response
What to ask: How do you log and respond to security events?
What to listen for: Security logs should be actively monitored and maintained in a centralized space for at least one year. Identified security incidents should be treated with priority until resolved.
No Business is Too Small or Too Large for a Data Breach
At the end of the day, cyber criminals do not discriminate based on the size of a business. Every business must be effectively equipped to minimize the risk of a security breach. This goes beyond leveraging best-in-class software partners and into the very culture of an organization. Educating employees on cyber security risks and encouraging daily practices that emphasize security standards can help minimize risk and pull everyone up in the organization to be preventers and detectors of security incidents.
Interested in learning more about daily practices that can help minimize your business’ risk of a security incident? Click below to access our Daily Security Checklist for Wire Fraud Prevention.