Brokers who don’t actively manage their company’s information security practices could be on the hook for a lot of money – in the case of one West Coast brokerage, $1.5 million – and, like many of their peers, find their reputation ruined. The media likes to dramatize the story whenever a brokerage has a security breach. One recent TV story, while trashing a broker’s reputation, seems to have been going for a literary prize:
“The paper trail stretched for blocks, billowing in the cold breeze on Columbus Avenue. It was not litter but bits and pieces of people’s lives.”
Now that’s drama! But it’s drama that your brokerage can avoid – here’s how:
Train your agents on how to manage the physical security of client information in their mobile and home office environments – and also train them on many of the other best practices that follow in this article to reduce brokerage liability:
Manage the physical security of sensitive information
Keep sensitive information physically secure – that goes for paper, hard drives and flash drives, computers and mobile devices. Keep it all in a locked cabinet – ideally in a locked room – when unattended, and be especially careful with it when you are mobile. Use a cross-cut shredder to dispose of items you no longer need.
Most publicized security breaches in our industry happen because of a physical security breach rather than a computer security issue.
Use secure software to manage sensitive information
Use professional-grade document and transaction management tools – not Dropbox! Make sure good information security practices are a part of your contracts for websites and software; this is a requirement in some states.
Create and protect strong passwords
Use passwords with letters, numbers, and punctuation – at least eight characters long – and use a unique password for each application. Ideally, change your passwords every 120-180 days. Never write passwords down (unless you lock up the paper very securely), and don’t share your passwords.
If you use a password management program or “remember password” features, be aware they aren’t ideal: if someone gets physical access to your device and/or learns your one master password, they’ll have access to all of your passwords. To protect your accounts, don’t forget to log out when you’re done using a computer, website, or other resource.
Configure computers for security and keep them updated
If you use a PC, test your settings and security patches using Windows Update, the Microsoft Baseline tool and Secunia PSI. If you have a Mac, there are no equivalents beyond the App Store updater – but Apple does have some configuration guides. Don’t slack off on installing security patches!
Configure mobile devices for security and keep them updated
At the very least, require a difficult-to-guess password to use the device, use the encryption features, and set Bluetooth to “hidden mode” or disabled when not in use. Be very careful to limit installation of third-party apps to those created by reputable companies.
Install antivirus software
No antivirus software can protect you from all viruses, but it’s a good idea to install it as a reasonable precaution. On the PC, leading vendors are Microsoft, AVG, Avast!, ESET, McAfee, and Norton. On the Mac: Avast! or ESET. On Android: AVG, Trend Micro, and Kaspersky. On Symbian or Windows Mobile devices: Kaspersky. Sadly, there isn’t a reputable antivirus solution available for Apple iOS mobile devices yet.
Use encryption
Encryption makes information that anyone can read into something that is unreadable unless one has the right “key.” This way, the information doesn’t fall into the wrong hands. Encrypted information may be stored on a hard drive or flash drives, attached to an email, or sent over the internet. Every type of computer, email program, file transfer program, and wireless router has its own method for implementing encryption – see this article about encryption for real estate professionals and/or “Google” for more information on your specific situation.
Establish policies and procedures
Policies define what behavior regarding the protection of sensitive information is expected and what behavior is not allowed. They eliminate the “ignorance” excuse (“I didn’t know that I had to shred files before getting rid of them!”) and make negligence well defined. Many draft policies are available online. Policy management must include at least employee and contractor education, monitoring, enforcement, and regular re-evaluation and revision.
Set up a secure office network
The office should have a firewall, configured to only allow essential incoming and outgoing network traffic and to protect internal computers from those of visiting agents – and all of those from portable computers brought in by clients. Ideally the firewall should also allow for secure remote network access for key staff, have an intrusion prevention system, and also provide web filtering to help prevent visits to malicious websites. If wireless networking is provided, the access point should have a strong administrator password and use WPA2 encryption.
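As an added illustration (not from the article), here is a minimal nftables ruleset for a small office router that implements the segmentation described above: a default-deny firewall with three segments that cannot reach each other, and only essential outbound traffic allowed. The interface names, the list of “essential” ports, and the choice of SSH for router management are assumptions for this example.

```nft
#!/usr/sbin/nft -f
# Assumed interfaces (example only):
#   eth0   = internet uplink
#   lan0   = office staff computers (internal)
#   agent0 = visiting agents' laptops
#   guest0 = clients' portable devices (e.g. a separate WPA2 SSID)
flush ruleset

table inet office {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Only staff computers may manage the router itself.
        iifname "lan0" tcp dport 22 accept
        # Every segment needs DNS and DHCP from the router, nothing more.
        iifname { "lan0", "agent0", "guest0" } udp dport { 53, 67 } accept
        iifname { "lan0", "agent0", "guest0" } tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Essential outbound traffic for staff: web and mail (assumed port list).
        iifname "lan0" oifname "eth0" tcp dport { 80, 443, 587, 993 } accept
        iifname "lan0" oifname "eth0" udp dport 443 accept
        # Visiting agents and clients get web access only. Because the policy
        # is drop and no rule matches agent0/guest0 -> lan0, they can never
        # reach staff machines or each other.
        iifname { "agent0", "guest0" } oifname "eth0" tcp dport { 80, 443 } accept
        # Nothing is accepted from eth0 here: no inbound connections from the
        # internet. Remote access for key staff belongs in a VPN, not open ports.
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}
```

Intrusion prevention and web filtering are not something nftables provides on its own; they would be layered on with separate tools, and the access point’s administrator password and WPA2 settings are configured on the access point itself.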
Create a Written Information Security Program (WISP)
Create a document formalizing how you are minimizing the risks:
- Identify who at your company is responsible for information security
- Identify reasonably foreseeable risks. Are you only collecting and keeping information you need? How will you prevent terminated employees from accessing sensitive information? Are you contracting for information security with technology vendors?
- Develop policies for the location and both physical and electronic security of records
- How are you monitoring compliance with the best practices you’ve outlined?
The following PDF is a fine example WISP provided by the state of Massachusetts.
Have a security audit performed
The only way to know if all reasonable steps are being taken is to have a professional security audit performed. Ideally third parties you work with (web site creators and hosts, document and transaction management system providers, statistics providers, broker back office system providers, etc.) have their own audits performed regularly at their own expense, and if they don’t, this is something to consider adding to your contracts. It’s understood that many small brokerages can’t afford to have someone like me provide an audit – but hopefully some of the steps outlined in this article will help them minimize the risks on their own.
Prepare for an incident
No matter what steps you take, it’s possible that an information security incident will occur. Be prepared with the appropriate law enforcement, financial institution, and local computer forensics expert phone numbers. Consider the messaging your company will use if an incident occurs. A sample is included in this PDF document at the end of the “Plan Ahead” section. Keep all this information somewhere printed out – you may not be able to access it on your computer when you need it!
There is no such thing as eliminating all risk. Still, putting these policies and procedures in place at your company may prevent embarrassment, compromise, and financial loss. You do not want to be the broker with the TV cameras outside and a reporter waxing poetic about what you’ve let happen to your clients.