Cybersecurity for the Real Estate Firm

The data revolution is reshaping whole industries, and the real estate sector is no exception. Real estate firms of all kinds store the personal, financial and transactional details of investors and clients in databases and networks that are increasingly complex and interconnected. 

Additionally, the development of prop-tech and the proliferation of smart buildings mean property management is opening onto a new digital horizon, which comes with its own threat landscape. 

It’s definitely not too early to take cybersecurity seriously.

The Threat Landscape

The real estate sector as a whole – including brokers/agents, title agents, property managers, appraisers, developers, and multi-service real estate firms, among others – is an appealing target for cybercriminals: an industry where, as in the financial sector, large transactions occur on a regular basis, and highly sensitive personal and financial data is shared between parties. On the other hand, as a rule in the real estate sector, cybersecurity awareness and preparedness are not as mature as in the financial industry in general. Understanding the threats your organization faces is the first step in developing cybersecurity maturity. 

Data Breach

The real estate sector is awash in valuable data. Besides the potential damage to brand and reputation, breached data can cause financial damage and create legal complications. IBM's Cost of a Data Breach Report 2020 estimates the average cost of a data breach at $3.86 million, or $150 per record that contains PII (personally identifiable information). Make sure your organization takes industry-standard steps to protect against data breaches - and is able to demonstrate this in the event of a breach.

Ransomware

Ransomware attacks have been on the rise for years, with attacks paralysing businesses, organisations and even cities all over the world. According to the 2020 Verizon Data Breach Report, 27% of malware incidents involved Ransomware. Ransomware can be delivered through various vectors including emails and web applications. A successful ransomware attack can quickly take down an organization's entire network and bring operations to a grinding halt.

Business Email Compromise

The real estate industry is among the Top 10 targeted industries for BEC attacks according to Microsoft's 2020 Digital Defense Report. Business email compromise ("BEC") occurs when an attacker gains access to a trusted email account - for example, the email account of a manager or business partner. The attacker utilizes this account to communicate with unsuspecting employees within the target organization - often to have them unwittingly wire money to the attacker's account. It is no wonder that the real estate sector, where large sums are transferred between parties on a regular basis, is a prime target for such attacks.

Assess Your Risk
Effective risk analysis ensures security efforts focus on what matters.

As part of the global financial ecosystem, real estate firms face security risks similar to other organizations. Yet their specific mission and structure often mean that threats and vulnerabilities require an approach customized to the sector's people, assets and systems.

The first step in understanding your risk is knowledge of your corporate environment. It is critical to create and maintain a comprehensive and up-to-date asset list so you know exactly what you need to protect. Keeping track of assets also ensures that no endpoints or other assets exist on the corporate networks without your knowledge. This is especially relevant if your organization utilizes the cloud, where assets can be spun up relatively easily, and not always in coordination with the security team. 

This category is usually broken down into three subgroups: 1. Amateur hackers, also referred to as script-kiddies, who generally utilize low-skill attacks against the lowest-hanging fruit. 2. Organized criminal groups which have the human and capital resources to target higher-value targets. 3. Nation-state actors, also generally referred to as Advanced Persistent Threats (APTs), with the infrastructure and personnel to plan and execute months- or years-long offensive campaigns, often utilizing custom-built hacking tools and zero-day vulnerabilities.

According to the 2020 Verizon Data Breach Report, internal actors accounted for approximately 30% of total successful data breaches. Insiders include disgruntled employees, as well as ex-employees whose access to company resources has not been terminated in a timely manner.

When you bring in a vendor and give them access to company networks, systems or data, you are also onboarding their cyber risk. The SolarWinds mega-attack is the latest and gravest example of this risk vector. With the proliferation of cloud-based services, a company can easily have tens of third-party service suppliers. Third-party risk assessment and evaluation can help mitigate this basically unavoidable risk. 

The Essentials

Building the Foundations

For small to medium size businesses, there is a lot to do, but budget, manpower and time are usually in short supply. Building out a dedicated security team, or hiring a full-time Chief Information Security Officer (CISO), is usually not an option – nor is it necessary. Our entry-level Essentials plan is designed to provide your organization with the basic building blocks of a comprehensive security program.

Virtual CISO

Start developing a relationship now with a seasoned security expert, who will get to know your company and its unique security requirements. Through regular meetings, your dedicated vCISO will understand your threat landscape, allowing them to advise on both strategic and tactical security matters, as well as manage longer-term projects.

Security Program Development

An organization has different security needs at different stages of growth. We’ll help ensure that your security posture improves in line with your overall organizational maturity, through the development of a structured and documented security program which aligns with major international standards such as ISO 27001.

Security Awareness Training

Within the security industry it is well known that the weakest link in a company’s security is usually its employees. We’ll help you train employees to recognize phishing and other social engineering tactics through interactive learning and simulated phishing emails, based on real-world malicious phishing campaigns.

Beyond the Basics

Next Steps: Security Ops

Once a security program is set in motion, and security awareness begins to be integrated into organizational culture, the next step is building out a “Security Operation Center” (“SOC”). A SOC consists of a team of dedicated security engineers and analysts who, equipped with an advanced security intelligence platform (next-gen SIEM) and other tools, provide real-time monitoring and analysis. The foundation of a SOC is visibility.

Security Operations I

Vulnerability Assessment

Vulnerability assessments are performed by penetration testers (ethical hackers) utilizing the latest tools and techniques of real-world malicious actors, allowing you to see how your organization looks from a hacker’s perspective, and providing you with a full post-testing report including recommended remediations.

Security Operations II

Continuous Monitoring

24/7 continuous security monitoring provides an integrated 360-degree perspective of critical assets in your corporate network and infrastructure, enabling detection, investigation and remediation of anomalous and other potentially malicious activity.

Security Operations III

Endpoint Detection & Response

Securing employee endpoints – desktops, laptops and mobile – is especially critical when the workforce is dispersed and no longer sitting together in an office. Many classic security measures, such as securing the office network perimeter, become less relevant. The employee endpoint is the new security frontier, and visibility and proper controls are crucial.

Incident Response

Security incidents are bound to occur, even at the best-defended organizations. No defensive measure can reduce an organization’s cyber risk to zero, and even the ubiquitous “onion-model” of security – a foundational model based on the idea of layering several diverse security measures one on top of the other – cannot guarantee a company will not experience an incident. We’ll be by your side to assist in the various stages of incident response – coordinating the forensic investigation, and steering toward getting you back to business as quickly as possible. We’ll also help you make sure lessons are learned and integrated. 

Responding to incidents in a responsible and systematic manner will leave your company stronger.

Security Self-Serve

There's a lot you can do to strengthen your organization's security. Find some ideas below.

Multi-factor authentication is one of the simplest but most effective ways to increase your organizational cybersecurity. It is hard to overstate the security benefit which comes with requiring a secondary step, such as an SMS message or authenticator app (Duo, Google) response. Make sure to enable multi-factor authentication on every system your employees utilize. While it is true that MFA is often initially perceived by employees as a nuisance, a potential attacker experiences this slight inconvenience as an extremely significant hurdle.

Make sure a licensed antivirus product is installed on every computer. Why is it important for the product to be licensed? Generally speaking, there are two kinds of antivirus. The classic antivirus programs most of us are familiar with utilize signature-based malware detection. A “signature” in this context is a unique string of characters, generated by a cryptographic function performed on a malware’s source code. Because new malware is regularly found in the wild, signature-based antivirus applications need to be updated with new signatures on a regular basis – hence the importance of ensuring your license is up to date.

One of the shortcomings of signature-based antivirus is that if even one character of malware source code is altered, the signature changes as well. And new malware that has not yet been identified and hashed for a signature is likewise undetectable by classic antivirus. This is significant – according to the 2020 Mandiant M-Trends report, 41% of the malware families seen this year were never seen before.

A newer form of antivirus, often referred to as “next-gen” antivirus, attempts to address this shortcoming by analyzing the behavior of a suspected malware, instead of relying on recognizing it by its source code. Among various advanced capabilities, next-gen antivirus attempts to detect anomalous or otherwise suspicious behavior on a user’s system in order to isolate potentially dangerous malware-based activity. Next-gen antivirus generally requires more management, tuning and monitoring to be effective, as opposed to classic antivirus which usually works right out of the box. 
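The contrast between the two kinds of antivirus described above, as an added example that is not taken from any antivirus product: a signature is modelled as a SHA-256 digest of a file's bytes, and behavior analysis as a single rule over a process's file activity. The sample bytes, event traces, window and threshold are all constructed assumptions.

```python
import hashlib

# Constructed, harmless byte strings standing in for file contents.
KNOWN_SAMPLE = b"constructed-sample-A: placeholder bytes, not real malware"
VARIANT = KNOWN_SAMPLE.replace(b"sample-A", b"sample-B")  # one character differs

def signature(data: bytes) -> str:
    """Classic AV signature, modelled here as a SHA-256 digest of the file bytes."""
    return hashlib.sha256(data).hexdigest()

# What the (hypothetical) vendor has already catalogued.
SIGNATURE_DB = {signature(KNOWN_SAMPLE)}

def signature_scan(data: bytes) -> bool:
    """True only when the exact bytes have been seen and hashed before."""
    return signature(data) in SIGNATURE_DB

def behavior_scan(events, window=60, threshold=20):
    """Flag a process that rewrites more than `threshold` distinct files
    within any `window`-second span. Both values are assumed and need tuning."""
    writes = sorted((t, path) for t, action, path in events if action == "rewrite")
    start = 0
    for end in range(len(writes)):
        # Slide the window start forward until it spans at most `window` seconds.
        while writes[end][0] - writes[start][0] > window:
            start += 1
        if len({p for _, p in writes[start:end + 1]}) > threshold:
            return True
    return False

# Constructed event traces: (seconds, action, path).
MASS_REWRITE = [(i, "rewrite", f"/docs/file{i}.pdf") for i in range(40)]
NORMAL_USE = [(i * 300, "rewrite", "/docs/lease.docx") for i in range(40)]

def verdicts(data, events):
    return {"signature": signature_scan(data), "behavior": behavior_scan(events)}

if __name__ == "__main__":
    print("known  :", verdicts(KNOWN_SAMPLE, MASS_REWRITE))
    print("variant:", verdicts(VARIANT, MASS_REWRITE))
    print("benign :", verdicts(b"constructed benign editor", NORMAL_USE))
```

The variant slips past the signature lookup but not the behavior rule, and moving `threshold` or `window` changes what gets flagged, which is the tuning burden mentioned above.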

The first step in thinking strategically about your organization’s cybersecurity is knowing exactly what you need to protect. Proper asset inventory is critical. This is especially true in the age of the cloud, where assets can more easily be spun up by someone on the team and forgotten about, increasing the organization’s attack surface. Once an asset inventory is created, regular reviews should be scheduled, to ensure the list is up to date.

Keeping your systems updated with the latest security patches is an essential component in your cyber defense. Many, many attacks take advantage of well-known vulnerabilities or weaknesses which have already been fixed by the developer – but because an organization’s systems are not updated with the latest patches, their systems are exposed to these attacks. Patch management within a corporate setting is a complex endeavor, but also an essential one. 

Make sure to have a password policy which includes a minimal password length of at the very least 8 characters. You can find general password policy advice from Microsoft here.

Business continuity planning is a large topic which can get quite advanced. But the basic principle is building the resilience needed to get back to business as quickly as possible in the event business-critical systems are unavailable – either due to a cybersecurity incident, or any other unpredictable event. 

The foundation of building resilience consists of making sure all business critical systems are regularly backed-up. It is essential that these backups are stored at an off-site location that does not share a network with any other organization infrastructure. An example of why: In the event of a successful ransomware attack it is critical that backups are not exposed to the attack.

A policy should be in place determining which systems should be backed up and at what frequency. And no less importantly, at least once a year the organization should simulate a fail-over to the backup systems to ensure the backups actually work in a real-world scenario.

Make sure you have a policy in place regarding the processing of outgoing payments. Such a policy should include mandatory review and validation steps, commensurate with the payment amount, before any significant sum is sent out.
