Tips for minimizing risk in today’s digitally reliant world By Zach Fuller Market shifts, tenant issues, lawsuits and maintenance expenses are risks we think about and plan for regularly in our investment endeavors. Proper planning and safeguards help you keep the returns you’ve built, both in your business and investment portfolio. However, there is a “ROI killer” that happens quicker, hits harder and is more elusive than perhaps any of the others—a cyberattack. We hear about cyberattacks on Fortune 500 companies almost daily, leading many people to believe that big brands are the primary targets. But, most people do not realize that for every breach mentioned on the news, there are thousands more that go unannounced around the U.S. Victims range from mortgage companies to venture capital groups and, yes, even technology service providers. Small Targets, Big Payoffs The real estate industry is made up primarily of smaller organizations without significant IT budgets and rarely with an in-house cybersecurity team. As a result, these companies are easy targets for cybercriminals. Whether you have a personal portfolio of properties, are a regionally recognized title company, or are a nationwide lender, you are the perfect target for financially motivated cybercrime organizations around the world. You may ask, “Why would they want to come after me?” The answer is simple: You deal with sizable assets, are involved in complex transactions and rely on some level of trust in other parties to run your business. Most of all, technology is a required part of your daily operations. Cyberattacks are financially motivated and often successful in extracting significant amounts of money from the victim. For the individual investor, an attack may be escrow funds unknowingly transferred to an account controlled by a criminal rather than the escrow account. For the title company or lender, attacks can range from theft of large amounts of personal and financial records, to stopping business operations in their tracks until a large fee is paid to the attacker. Reduce Your Risk Knowing that most cybercriminals are financially motivated and looking for the quickest income, you can follow simple practices to make yourself and your company a harder target than others. When the cybercriminal’s potential gain is less than the resources required to achieve it, they move on to easier targets. Here are a few ways to reduce risk: For Companies (title, lenders, PE firms, retirement plan custodians, etc.) Align to a standardized cybersecurity framework such as NIST SP 800-151 or CIS Controls. Build a culture of security, starting with leadership support. Deliver staff awareness training quarterly. KnowBe4 is a great platform for this. Conduct annual risk assessments and penetration tests on critical systems. Ensure you have a complete set of IT and security documentation. These include documents such as an Incident Response Plan, password policy, acceptable use policy, bring your own device (BYOD) policy, etc. Carry cyber insurance. Although a reactive measure, cyber insurance is inexpensive and likely to be used. For individuals Have situational awareness. If a request doesn’t feel right, pick up the phone and make a call to verify. Just because an email appears to come from someone you know, it doesn’t mean it is legitimate. Use two-factor authentication. Use an authenticator application (e.g., Google Authenticator) when possible, instead of a pass code being sent via text message. Set up critical accounts with a separate and private email address rather than your daily business or personal account. Keep all software and firmware updated on your computer and network. Ensure your home and office router default usernames and passwords are changed, both for Wi-Fi and router administration. Use a virtual private network (VPN) service when working from any public Wi-Fi. Use hard passwords with a minimum of 12 characters and no common words (password managers are great for this). Implement lock screens on all devices and remote wipe capability on mobile devices. Back up your files regularly, encrypt the backups (there are many tools available for this online), and then “unplug” until next backup. Ensure your vendors (title companies, etc.) are following accepted security practices to reduce the chance of your own information being compromised in their breach (security questionnaires are available online). Dark Clouds There is a dangerous myth that has caused many cyberattacks among smaller organizations. This is the myth that cloud-based services will keep you secure. From Google G-Suite and Office 365, to Salesforce and Dropbox, we all use cloud-based services to support at least portions of our business operations. Using the “cloud” absolutely makes sense for most small-midsize businesses. It provides tremendous capabilities while reducing the required investment in IT infrastructure. However, even the services with the most sophisticated security measures can be compromised if users don’t configure their accounts properly. For example, recently an investment group experienced significant losses after an executive’s primary email account was hacked. This account was used for everyday communication, so it was publicly known. It was also used to register the company’s domain name, for cryptocurrency accounts and to access the cloud-based storage containing information about all the company’s high-net worth investors. The attackers were able to hijack the domain name, taking company communications offline (email accounts and website), steal cryptocurrency accounts and compromise the security of the investors by accessing their sensitive data. Trust is vital in the investment business. One can only imagine what a company’s investors must feel when the company seems to have disappeared digitally. Suddenly, investors can’t reach their point of contact and the company website is down. To make it worse, the investors get notified that their personal information and even bank account numbers are now in the hands of criminals. Sometimes this notification comes from the criminals themselves as a form of extortion. Situations like these show how critical proactive cybersecurity is for organizations of all sizes in today’s technology-reliant environment. Whether you take proactive measures yourself or hire professionals to protect your company, cybersecurity is a requirement of doing business. There are already enough variables and risks in the
Read More
