Window to the Law: Creating a Cybersecurity Program
Brokerages can learn about the steps to follow when implementing a cybersecurity plan to help protect the firm’s assets from outside threats.
Transcript: Window to the Law: Creating a Cybersecurity Program
Ransomware. Cybercriminals. Hackers.
These words strike fear in the hearts of all computer users, yet many small businesses have not implemented adequate cybersecurity methods to protect the business's data from a cyber attack. In this edition of Window to the Law, we will discuss the best practices for implementing a cybersecurity program. I am Finley Maxson, NAR Senior Counsel.
The WannaCry ransomware attack and the Equifax data breach, which exposed the personal data of over a hundred million individuals, were big news in 2017. The real estate industry has faced its own challenges with wire fraud schemes that rely upon hacking into a party's email and have caused millions of dollars of losses. As technology continues to infiltrate our lives, from connected vehicles to blockchain technology in transactions to the growth of cloud computing, technology will bring new risks for businesses. Businesses need to not only keep up with new technology but also with the risks that come with every new development.
A first step for implementing a security program is to create a data security program. NAR's Data Security & Privacy Toolkit as well as an earlier Window to the Law video set forth the principles needed to create a data security program.
Next, the firm will need to evaluate its security protocols. The Federal Trade Commission, or FTC, is the federal agency that brings enforcement actions against businesses for failing to protect consumer data. In order to help a business keep its data secure, the FTC has created Start with Security, which distills the lessons learned from FTC enforcement actions into 10 important practices for data protection. We will briefly review each of these steps.
The first step is Start with Security: this is a key principle, where security considerations guide and inform your data collection practices. The business should only collect relevant personal information and keep this information only for as long as it is needed, with a process in place to destroy unnecessary data.
Next, Control access to data sensibly. When you have sensitive data on your network such as salary or health care information, limit access to only those who need to use the information. Keep control over who can access all types of information.
Require secure passwords and authentication: most hackers breach networks through bad or weak passwords. Make sure users create strong passwords (long phrases are now recommended) and keep all passwords in a secure location.
Store sensitive personal information securely and protect it during transmission. If you are transferring data, make sure to use proven security methods such as encryption.
Segment your network and monitor who's trying to get in and out. The brokerage should limit access of individuals to only the parts of the network that they need to access. For example, salespeople can't access the firm's financial data nor accounts of other salespeople. Segmenting access may help limit the damage from a breach.
Next, Secure remote access: make sure everyone accessing the network remotely has a strong and secure connection, as all it takes is one vulnerable point for a data breach to occur.
Apply sound security practices when developing new products: this step is a list of protocols that a business should employ when developing its own software products, such as apps.
Make sure your service providers implement reasonable security measures: a very important step for small businesses like real estate brokerages, which often rely upon vendors to store their data. Make sure your vendors are properly securing the data by testing their compliance, and put language in contracts requiring vendors to maintain a certain level of security. You don't want to wait until a breach to find out your vendor hasn't employed good security!
Put procedures in place to keep your security current and address vulnerabilities that may arise: keep software up-to-date, as security updates are important for protecting your network.
Secure paper, physical media, and devices: the same steps you use to secure your electronic data apply equally to other forms of storage. All information needs to be stored in a secure way, and unneeded information should be discarded when its business purpose has come to an end. Having a good document retention system will help you keep track of all data, including data which is not in an electronic format.
Here is a list of cybersecurity resources.
Thank you for watching this edition of WINDOW TO THE LAW.