Cyber crime has been making the headlines recently, and apart from protecting the integrity of their own operating systems, firms in the property industry need to be particularly careful when handling clients’ information.
Estate agents are particularly at risk as they routinely handle personal information, commercially sensitive data and large amounts of clients’ money. So what are the risks, and what can agents do to best protect themselves?
As professionals, agents owe a duty of care to clients, purchasers and tenants to handle information to the highest standards. Indeed, clients are entitled to expect this from any firm presenting itself as an expert. I spoke with Michael Conway, a director of Renaissance, specialists in IT security, for advice on best practice in today’s environment, and he said that firms must develop a culture of awareness about the critical importance of information. Firms need to “keep it simple, by identifying the risks and then protecting their data to the best standards”, he told me.
Conway advises that encryption of emails should now be standard practice. When one considers the sensitivity of negotiations, for example, surrounding a bidding process on a high-value Nama portfolio, one can see how important it is that documentation is protected. Conway told me that it is now simple for firms to encrypt all of their emails, and that there is little inconvenience involved in giving decrypting codes to your correspondents. Indeed, he points out that clients and bidders will be impressed to see the importance which you are attaching to cyber security.
Whilst it is probably over the top to encrypt all email from an agent’s office, Conway advises that it is possible to set up your IT system so that it automatically encrypts emails containing certain ‘trigger words’. A great example of this would be the phrase ‘subject to contract’, which agents use in all correspondence when negotiating deals. Once a firm has decided on the appropriate level of encryption, the next step is to ensure that all devices such as PCs and laptops are also encrypted.
Michael Conway told me that the type of ransomware attack that shut down the NHS in the UK is rampant in Ireland, and I suspect that a lot of it goes unreported by companies avoiding embarrassment. In these attacks, a virus blocks a firm’s access to its own data and the firm receives an email offering a code to unlock its own systems. In typical cases affecting smaller businesses in Ireland, the amount demanded is €500, which doubles if the ransom is not paid within two hours.
The brazenness of the scam is extraordinary, as the firm is directed to a website and telephone ‘help desk’ where they are told how to purchase bitcoin to pay the ransom. Some ‘help desks’ even offer a discount to firms willing to post a favourable review on the website.
The protection against this scam is of course to back up all of your data, every day, ideally off-site, but Michael Conway told me that some smaller firms are not doing this, or discover, too late, that they are not backing up what they thought they were.
Firms managing shopping centres and collecting rents are routinely transferring millions of euro, which is an obvious risk. The normal safeguard here is that two people have to make the transaction together, using pass codes, but the danger is that complacency can set in and ways around the protocols develop under pressure of work.
Increasingly common in Ireland is the sophisticated CEO/CFO fraud, where the fraudster monitors business activity and then chooses their moment to send an email impersonating a senior director and authorising the transfer of funds to a bank account. Again, protection of your systems and vigilance are key.
The ease of cutting and pasting in electronic documents carries its own risk, and twice in my career I came across valuation reports which had been altered and presented to banks.
Paul Wyse, Managing Director of chartered accountants Smith & Williamson, an expert in forensic accounting, confirmed an increase in the amount of cyber crime in cases he is investigating. He recommends that firms take immediate action in the event of a suspected fraud, both to identify the cause and to help secure the recovery of funds.
The smart move is to invest in taking external advice on the security of your systems. The costs arising from a fraud, both reputational and financial, can be enormous.