Matt Cohen, Clareity Consulting’s Chief Technologist, presented an excellent Real Estate Security seminar for IRES subscribers last week. Below is a great synopsis of his presentation. He suggested you pick a few points and slowly work on security to avoid becoming overwhelmed.
Every year there are information security breaches that have a real cost to real estate professionals both in terms of their reputation and wallet. One incident cost a west coast broker over one and a half million dollars. So, it’s important that agents understand at least some of the essentials of information security. Following are ten useful tips:
- Understand what you are protecting – collect and keep only what you need. Your clients’ personal and financial information deserves protection – state IDs, social security numbers, financial and banking information, especially the copy of the personal check found in most files, are most sensitive. Most states have laws requiring client notification if that information may have been accessed by an unauthorized person. Most states have laws requiring businesses to securely dispose of information that is no longer needed – though agents must follow state real estate commission record retention rules. Information on breach notification and record disposal laws can be found here: http://tinyurl.com/br4wo7o (Acrobat / PDF). If you work with international clients then international laws may apply as well.
- Manage the physical security of sensitive information. Keep sensitive information physically secure – that goes for both paper and electronic media. Keep it all in a locked cabinet – ideally in a locked room – when unattended, and be especially careful with it when you are mobile. Use a cross-cut shredder to dispose of items you no longer need. Use a cable lock for your laptop, a security case for your desktop computer, and take special care to protect the physical security of mobile devices. Printers and fax machines should be secured – not just to protect printouts and incoming faxes, but also their hard drives, which can still contain previously printed sensitive information. If you perform computer backups on tape or hard drive, take care to physically secure those backups. Most publicized security breaches in our industry happen because of a physical security breach rather than a computer security issue.
- Dispose of computers, mobile devices, and other electronic media securely. If you don’t want to physically remove and destroy the hard drive, your best bet is to wipe the hard drive entirely. On Windows or Linux, you can use Darik’s Boot and Nuke (http://www.dban.org/) and Secure Erase (http://tinyurl.com/2xoqqw). To use these tools you (or a techie friend) have to know how to burn a bootable CD and boot your computer from it. On a Mac, writing over the hard drive is easier. Start the computer with your Mac OS X install disc in the drive while holding the “c” key. Then choose Disk Utility from the Installer menu, choose Erase, and select the “7-Pass Erase” option. For information on mobile devices and other cases, see this article.
- Use secure software to manage sensitive information. Don’t use software with a bad security track record to store and transmit sensitive information (e.g., Dropbox). There are professional-grade document and transaction management tools available for that purpose – use them! If you are contracting for a website, mobile solution, or other software, make sure good information security practices are a part of your contract – this is a requirement in some states. I’ve written an article all about mobile app contracts – but always consult your attorney.
- Create and protect strong passwords. Use passwords with letters, numbers, and punctuation – at least eight characters long – and use a unique password for each application. Ideally, change your passwords every 120-180 days. Never write passwords down (unless you lock up the paper very securely), and don’t share your passwords. If you use a password management program or “remember password” features, be aware they aren’t ideal: if someone gets physical access to your device and/or learns your one master password, they’ll have access to all of your passwords. To protect your accounts, don’t forget to log out when you’re done using a computer, website, or other resource.
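To make the password rules in this tip concrete, here is an added example (not from the seminar or from Clareity) that audits a constructed list of accounts against them: length, character mix, reuse across applications, and age. The 180-day threshold (the outer end of the 120-180 day range) and the account names are assumptions.

```python
import string
from datetime import date

# Thresholds taken from the tip; 180 is the assumed outer bound of "120-180 days".
MIN_LENGTH = 8
MAX_AGE_DAYS = 180

# Constructed sample data: application name -> (password, date last changed).
# These are not real credentials.
SAMPLE_ACCOUNTS = {
    "mls": ("Summer2012!", date(2012, 6, 1)),
    "email": ("Summer2012!", date(2012, 6, 1)),   # same password as "mls"
    "bank": ("password", date(2011, 1, 15)),       # weak and stale
    "crm": ("r3alty-L0ck#", date(2012, 9, 10)),    # meets every rule
}


def password_problems(password):
    """Return the list of rule violations for a single password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems


def audit_accounts(accounts, today):
    """Check every account; also flag passwords shared between applications."""
    apps_by_password = {}
    for app, (pw, _) in accounts.items():
        apps_by_password.setdefault(pw, []).append(app)
    report = {}
    for app, (pw, changed) in accounts.items():
        problems = password_problems(pw)
        others = sorted(a for a in apps_by_password[pw] if a != app)
        if others:
            problems.append("reused for: " + ", ".join(others))
        age = (today - changed).days
        if age > MAX_AGE_DAYS:
            problems.append("not changed in %d days" % age)
        report[app] = problems
    return report


if __name__ == "__main__":
    for app, problems in audit_accounts(SAMPLE_ACCOUNTS, date(2012, 10, 1)).items():
        print(app, "OK" if not problems else "; ".join(problems))
```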
- Configure computers for security and keep them updated. If you use a PC, test your settings and security patches using the Microsoft Baseline tool (http://tinyurl.com/cwjek6g) and Secunia PSI (http://secunia.com). If you have a Mac, there are not similarly useful tools – but Apple does have some configuration guides: http://tinyurl.com/apy4pes. On your PC, make sure “Windows Update” runs every month. On the Mac, make sure that “Software Update” (in “System Preferences” from the Apple menu) is set to check for updates regularly. Don’t delay installing the recommended updates!
- Configure mobile devices for security and keep them updated. There are many best practices for mobile security but at the very least be sure to require a difficult to guess password to use the device, use the encryption features, set Bluetooth to “hidden mode” or disabled when not in use, and be very careful to limit installation of third party “apps” to those created by reputable companies. Many tools are available to help you secure your mobile device in a variety of ways, including providing antivirus, firewall-like features, features that let you remotely lock and wipe data from the device, take a picture of the person using your device and send it to you, and display information on the screen to help someone return a lost device.
- Install antivirus software. No antivirus software can protect you from all viruses, but it’s a good idea to install it as a reasonable precaution. On the PC, leading vendors are Microsoft, AVG, Avast!, ESET, McAfee, and Norton. On the Mac: Avast! or ESET. On Android: AVG, Trend Micro, and Kaspersky. On Symbian or Windows Mobile devices: Kaspersky. Sadly, there isn’t a reputable antivirus solution available for Apple iOS mobile devices yet.
- Use encryption. Encryption is a process for transforming information that anyone can read into something that is unreadable unless one has the right “key”, so the information doesn’t fall into the wrong hands. This information may be stored on hard drives or flash drives, attached to an email, or in transit over the internet. Every type of computer, email program, file transfer program, and wireless router has its own method for implementing encryption – see this article I’ve written about encryption for real estate professionals and/or “Google” for more information on your specific situation.
- Surf safely. Use caution when surfing the Internet or reading email – downloading malicious files or even just opening some websites or emails can compromise your computer. Verbally confirm unexpected attachments. Try to use websites that offer encryption (“https://”) to prevent snoopers. Be thoughtful before clicking through links – especially if you get a message designed to goad you to action – like “Look at this terrible thing they are saying about you! [link]”. And if it’s a message that looks like it’s from your bank or another site holding your personal or financial information, go to the website directly rather than clicking through the link. Surfing safely is especially tricky – and these tips are just a starting point.
Remember, these ten tips can help, but there’s no such thing as perfect security. Keep encrypted backups of your most important files, storing at least one backup off-site (in case of fire) – and once in a while test your backups to make sure you have all your files and can recover and use them if you ever need to.
If you want to learn more about information security, please visit The Real Estate Information Security Center: http://www.callclareity.com/security/
About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (www.callclareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.