Imagine your life without a home or a place to stay. Difficult, right? Abraham Maslow, in his hierarchy of needs model, describes shelter as a physiological need, the most basic kind of human need. Finding the right place to stay can be overwhelming as we scramble through millions of ads, real estate agencies, and advice from our close ones. Luckily for us, the advent of property technology (proptech) companies has allowed us to filter and shortlist options efficiently.
Higher technology penetration makes the traditional real estate business susceptible to cybersecurity threats. According to a KPMG report, only 50% of global real estate businesses are prepared to defend against a cyber-attack. These numbers are shocking since property firms collect significant amounts of personal data, including bank account information, identity/passport numbers, insurance information, and contact information. This is more than enough to launch a phishing attack, which on average can cost global firms $3.86 million per attack, as reported by IBM. Lower cybersecurity awareness, high-value data, and the increasing value of intellectual property have made real estate a preferred target among hackers.
BEC and Ransomware are common cyber-attacks in the real estate industry
Speaking of favorites, hackers targeting the real estate industry prefer some techniques over others. The most common one is business email compromise (BEC). The hacker sends an email to the customer instructing them to transfer money, which eventually goes into a fraudulent bank account from which it is withdrawn immediately. This is successful because hackers disguise themselves as employees of the real estate firm by using techniques that can be easily missed by untrained eyes: changing one character in the email ID, using the company logo, or even matching the tone used in similar firm correspondence.
Another way hackers target real estate companies is through their employees, by sending them an email with a malicious link. As soon as the employee clicks on the link, malware is downloaded that encrypts sensitive data, making it impossible to read or access. Hackers then charge a ransom to decrypt it. This type of attack is called ransomware. Bitdefender’s Consumer Threat Landscape report highlights that ransomware attacks have grown 485% between 2019 and 2020.
Risk is not just financial but also reputational.
Understanding common attack techniques is not enough; it is also important to understand their business implications. Unsavvy real estate operators risk losing millions of dollars’ worth of data and jeopardizing their customer confidence and future revenue potential. A recent Forbes report highlights that after a cyber-attack, 46% of organizations suffer brand value damage, and for listed companies, a data breach can lower the share price by 7%.
The consequences are grimmer for proptech firms using cloud-powered CRM systems from vendors. Relying on such systems increases the attack surface available for a breach, since hackers can now target vulnerabilities in third-party cloud service providers’ software to cause harm.
That said, there is light at the end of the tunnel. The key question is simple: what can you as a property or proptech company do to prevent, detect, and respond to cyber-attacks? Here are a few things:
- Identity & Access Management (IAM): Organizations collect a large variety of data, but not every data point is used by all business units. For example, a customer’s home address, which may be collected by the order fulfillment team, isn’t important to the company’s HR team. Every business unit must have access only to the data it requires to carry on its side of the business.
- Detection & monitoring solutions: Threats are imminent, but their impact on the organization can be controlled through continuous detection of malicious behavior on firmwide networks and end-point devices. This can be done through tools such as SIEMs, Endpoint Detection and Response (EDR), and networking software. Next-generation AI/ML-powered software will further improve detection efforts to recognize threats early.
- Employee & client awareness: All the above attempts will be in vain if employees and clients have limited cybersecurity awareness. Companies must proactively train their employees and educate their customers on how to identify phishing emails so they can be avoided in the future.
Prevention is far less expensive than responding to a cyber-attack. If you’re wondering when the best time is to integrate cybersecurity measures in your company, it’s now.
For more information and enquiries about cybersecurity insights, contact us at info@owlgaze.com
Authors:
Ralph Chammah, Chief Executive Officer – OwlGaze
Anastasios Papadopoulos, Chief Executive Officer – IMS Digital Ventures