Most agents recognise the importance of protecting their clients’ money; they employ segregated accounts and specialist insurance policies to make sure it is safeguarded – but what about their clients’ personal information?
The last few weeks have highlighted how important cyber security is to businesses large and small, and how devastating the impacts can be when things go wrong.
Now that the dust has settled (somewhat) it looks as though the recent ‘WannaCry’ ransomware attacks may have been less co-ordinated than they first appeared, preying instead on vulnerabilities which exist throughout a range of enterprises and organisations – particularly those running Microsoft legacy platforms such as Windows XP, Server 2003 or Windows 8.
Any letting agents who think they may be vulnerable are advised to deploy the software patches which Microsoft has made available. For the latest advice, agents should visit the National Cyber Security Centre website.
OK, but I’m only a letting agent. Why would scammers target me?
Firstly, according to some reports, 54 per cent of UK small businesses report having been subject to an attempted ransomware attack.
Secondly, letting agencies are personal-data-rich environments.
To make matters worse, the information you need from applicants by way of checking their suitability for a rental is exactly the data craved by scammers.
In no particular order, you capture the following 10 insanely valuable pieces of personal information:
- Email addresses
- Telephone numbers
- Addresses, including the last three years of addresses
- Passport details
- Photo ID – often a copy of a driving licence, including its number
- Bank account numbers and sort codes
- Credit card numbers
- Full names
- Dates of birth
- National Insurance Numbers
This is enough to take out finance, open bank accounts – even clone identities – and some criminals will go to great lengths to get their hands on it.
So am I a target?
Letting agents hold a full personal information ‘biography’ for hundreds of individuals at any given time, so undoubtedly they are a viable target. Furthermore, the people in question tend to move frequently, giving more opportunity for scams to go undetected.
There is no getting away from the appetite for this type of data and its ready availability from agents. The questions are:
- How do agents make themselves a less likely target?
- What should they do if they are attacked?
- What are the consequences?
What should I do?
Prevent, prevent, prevent.
- Check that your infrastructure and devices all have the latest necessary security updates and patches. Don’t forget any devices that employees provide themselves but which are linked to your networks.
- Check that firewalls and anti-virus software are in place and up to date.
- Remove old and unused user accounts; consider restricting access to only what is necessary.
- Back up everything. You have more options when faced with a ransomware attack if you can still access your files. Business continuity may depend on this, so do it regularly and do not leave your backups connected to vulnerable systems.
- Train staff to recognise potential attacks. By virtue of the job they do, letting agents will receive lots of electronic files (references, photos, scans of documents), but they should be aware of the dangers of opening suspect attachments.
- If you provide wifi for customer use, be aware of the risks and segment your network to ensure that you are not providing opportunistic thieves access to your data.
In the event that you are the victim of an attack, recovery is vital.
Industry advice is not to pay the ransom; there is, after all, no guarantee that you will get access to your data or that they won’t strike again.
If you have security installed, it may be possible to remove the malicious software relatively easily. However, you may need to seek trustworthy assistance. Valuable guidance and advice can be obtained through www.getsafeonline.org.
Once you are free of the ransomware, the importance of timely backups becomes clear; they should enable you to continue trading with relatively little difficulty. However, you could be deemed legally liable.
What liability? I’m not the criminal!
True, but the Data Protection Act takes a dim view of data controllers who fail to take appropriate technical and security measures to keep personal data secure against loss or destruction.
Any such loss should be reported to the Information Commissioner’s Office (ICO).
If you have been unable to restore locked files following an attack, which was possible due to a failure to secure against cybercrime – for instance not updating or installing appropriate security – you could be held responsible.
If you are able to fully restore from backups, it would be determined that no permanent loss had occurred, but it may still open up the possibility of an investigation into the occurrence – which would not be good for anyone’s business.
The moral of the story seems to be that prevention is absolutely key: keep safe, back up and you’ll be able to carry on.