No more cyber breach secrets

March/April 2018 Edition

Keeping quiet in the wake of a cyber security breach is now a thing of the past, after laws mandating notification came into force on 22 February 2018. Here's what you need to know about the new scheme.

By Cath Dickinson

It’s an unfortunate fact that far too many real estate agencies take a “she’ll be right” attitude when it comes to cyber security. Smaller agencies, in particular, tend to believe “no one’s going to bother to hack us because we’re too small”. But it’s not true.

Small businesses like real estate agencies are easy targets. Hackers often don’t bother with the bigger end of town where there are dedicated cyber security resources in place. Why would they when they can more easily attack a smaller business with weaker defenses? While larger businesses are potentially more lucrative targets, they’re better protected. Smaller businesses tend to be more exposed.

It’s no wonder that most businesses keep quiet about cyber security breaches. Why would they report a hack when they have so much to lose? But with the introduction of the Notifiable Data Breaches scheme, businesses now have no choice but to report cyber breaches.


Understanding the scope of the problem


The Notifiable Data Breaches scheme requires businesses captured by the Privacy Act 1988 (Cth) to inform people when their personal information has been compromised due to a data breach and serious harm is likely to result. The long-anticipated scheme aligns Australia with other countries, which have had notification requirements in place for years.

For Dan Weis, Penetration Tester and Security Specialist at leading technology and security solutions company Kiandra IT, the new laws are long overdue.

“The security industry has been pushing for mandatory notification for a long time and we’re one of the last countries in the world to implement this type of legislation,” Mr Weis said. “The new laws won’t change the cyber security landscape in the short-term, and attacks will continue to increase in sophistication. But what they will do is provide a degree of visibility that we’ve never had before.

“We have reports from major security vendors on the number and severity of Australian data breaches each year, but it’s only a small percentage of the actual breaches that occur. The reality is that most businesses don’t report breaches because they’re scared of reputational fallout. A good example of this is when Uber suffered a massive data breach in 2016 and then paid hackers to keep it quiet.”

Visibility will lead to awareness


With increased visibility will come a shift in mindset about the need to address cyber security.

“Because there’s been no mandatory reporting, people aren’t aware of the full extent of what’s happening,” Lyn Nicholson, General Counsel at Holding Redlich, said.

“This has contributed to the ‘it’s never going to happen to me’ attitude that’s so pervasive. But, in reality, there are two types of businesses: those that know they’ve been breached and those that don’t know it yet.

“With the obligation to notify breaches comes a higher potential for reputational risk, which will effectively force businesses – including real estate agencies – to focus on cyber security. Complacency has to be a thing of the past,” the data and privacy specialist said.

With the new mandatory data breach notification laws effectively forcing businesses to focus their attention on cyber security, Ms Nicholson said the importance of being prepared will take on a new significance.

“Agencies should undertake an information mapping exercise, so they are familiar with the extent of their potential exposure,” Ms Nicholson said. “This will help identify potential risk scenarios and inform any investment in measures and processes to reduce risk.

“Education is also an essential piece of the puzzle. Survey after survey reveals that one of the biggest causes of data breaches is lost or stolen unencrypted mobile devices. Agencies need to understand how their staff are dealing with data and what potential there is for it to be compromised. Problems arise from unintended consequences, so staff education is key.

“Agencies should also have a documented incident response plan in place and have a crisis team ready to roll in the event of a breach.”

Ms Nicholson said the more prepared an agency is for a cyber security breach, the better it can respond.

“Businesses need to critically examine their existing information security framework, work out how to improve it and then take action.

“Some will undoubtedly say: ‘I don’t have the budget for it’. But my response is: ‘Do you have the budget not to do it?’ The time and money a business invests preparing for the possibility of a cyber attack will repay itself many times over in the event an incident actually occurs and the fallout needs to be managed.”

Notifiable Data Breach scheme


What is the Notifiable Data Breach scheme?


The scheme requires organisations covered by the Privacy Act 1988 (Cth) to notify individuals likely to be at risk of serious harm by a data breach.

The notice must include a description of the data breach, the kinds of information concerned and recommendations about the steps individuals should take in response to the data breach.

The Australian Information Commissioner must also be notified.

Which data breaches require notification?


The Notifiable Data Breaches scheme requires notification of ‘eligible data breaches’. These are breaches that are likely to result in serious harm to any of the individuals to whom the accessed information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples include when:
a device containing customers’ personal information is lost or stolen
a database containing customers’ personal information is hacked
customers’ personal information is mistakenly provided to the wrong person.

Why is the scheme important?


The scheme will strengthen the protections afforded to everyone’s personal information and will improve transparency in the way organisations respond to serious data breaches. This will, in turn, support consumer confidence that personal information is being respected and protected.

When does the scheme take effect?


The scheme commenced on 22 February 2018 and only applies to eligible data breaches that occur on or after that date.

To find out more about the Notifiable Data Breaches scheme and access resources, go to www.oaic.gov.au

Reducing your risk


Dan Weis, Penetration Tester and Security Specialist at Kiandra IT, details the top five cyber security risks facing real estate agencies and how to respond to them effectively.

1. Users

Even the most heavily fortified environments can be penetrated by a well-crafted phishing email. Agencies should invest in awareness training to educate staff about common types of attacks to ensure they understand the latest threats.

2. Passwords

Agencies should enforce strong password usage, with regular password changes enforced and filters applied to prevent easily guessed passwords. Internet-facing systems (such as VPNs, Outlook Web Access and other web portals) should have multi-factor authentication.

3. IT

All too often, IT teams provide too much open access, fail to apply the necessary security controls, misconfigure systems and don’t implement intrusion prevention and detection measures. Agencies should ask their IT team what security controls they have in place to protect the business.

4. Penetration testing

Penetration tests assess and report on risks, threats and vulnerabilities and the overall security profile of a business, and detail what remedial steps need to be taken. Regular testing is one of the best ways to mitigate security breaches.

5. Incident response

Agencies must assume their business will be breached at some point and need to have a documented incident response plan in place to ensure they can detect, recover and communicate with clients should a breach occur.

Insurance matters


Irrespective of the new laws, given the pace and complexity of cyberspace and the pervasive nature of technology, cyber liability insurance is a necessary safeguard for businesses to transact securely with their clients.

Cyber liability insurance provides essential cover for business interruption, as well as support with data recovery and the management of any resulting reputational crisis. From a client perspective, the cost of monitoring the impact of a data breach can be significant. Cyber cover can include support with notification and monitoring costs, as well as managing legal costs resulting from any litigation.

One of the broader benefits of cyber liability insurance is also the peace of mind it brings. Agency owners can rest easy that appropriate safeguards are in place to help the business keep moving forward, while at the same time ensuring they have adequate security strategies in place to resolve any issues and appropriately mitigate any concerns regarding data security.

But the strength of cyber liability insurance also lies in the breadth and quality of its pre- and post-incident response service. The typical real estate agent doesn’t have anyone to turn to if their computer screen suddenly freezes and a ransom message appears. This is where a quality cyber liability insurance policy can assist.

Made up of IT security and forensics, legal, credit monitoring, public relations and communications professionals, an incident response team will help from the moment a business becomes aware of an incident through to its resolution, helping to mitigate potential loss and exposure.