The Very Real Threat of Mortgage Fraud

How to Protect Yourself, Your Business, and Your Clients from this Growing Threat

If we look at this past year’s cybersecurity statistics, we see compelling evidence that mortgage fraud deriving from cybersecurity incidents is an attractive landscape for cyber criminals.  Verizon’s 2018 Data Breach Investigative Report (DBIR2018), tells us that 76 percent of last year’s attacks were financially motivated.   This is not a surprise – hacking data is a for-profit business and a full 50 percent of last year’s successful breaches were carried out by organized criminal groups.  According to Computer Economics’ IT Spending and Staffing Benchmarks 2018/2019, IT spending as a percentage of revenue has grown from an average of 2.3 percent across all industries to 2.7 percent  This same report tells us that 75 percent of organizations are planning continued increases to their security spending, which no doubt accounts for a large portion of this uptick.

The bad news is that small companies (those defined as having an annual IT Operating Budget of less than $5 million) are becoming more of a target. Fifty-eight percent of last year’s attacks targeted small businesses (DBIR2018), and the reason why is easy to understand:  Small businesses do not have the same controls in place as their bigger counterparts, making them easier targets.  Small businesses may offer less in terms of a theoretical “big haul” for a hacker who wants to hit the jackpot, but the rate of success is much higher.  The combination of the attractive financial transactions and the relative ease with which these transactions can be stolen means that real estate transactions are, and will continue to be, an attractive target for cyber criminals.

What should REALTORS® be doing to protect themselves and their clients on the tech side of things?

The first step in protecting yourself involves understanding the criminals.  According to Verizon’s DBIR2018, 73 percent of attacks are initiated by outsiders.  When thinking about hackers, many people have an image of a highly-skilled data scientist who writes complex code to exploit vulnerabilities that are difficult to address.  This is a big misconception – the vast majority of cyber criminals do not possess the deep mathematical and coding skills required to break modern encryption algorithms or discover a new vulnerability within a major platform that is not already well known.  Rather, the lion’s share of cybercriminals is exploiting well-known vulnerabilities that organizations have failed to remediate, often via the application of simple configurations or patches.  These hackers are simply downloading free scripts that are readily available on the “dark web” and using them to find and exploit vulnerabilities.  In today’s world, anyone armed with a rudimentary understanding of networks, a second-hand laptop, and an Internet connection can set themselves up to launch damaging attacks against organizations in 30 minutes.  Because of all of this – except in cases where an organization is being specifically targeted – the single best thing an organization can do to avoid a data breach is to be harder to hack into than other organizations.

UNDERSTANDING THE THREAT

Next, understand the threats.  Big organizations have highly evolved Risk Management processes that continually identify, assess, prioritize, and manage appropriate mitigation of risks.  This is a good practice for organizations of all sizes, but often small businesses do not have the resources to do this.  A lighter-weight approach is often in order, and one such approach involves reviewing publicly-available threat landscape assessment reports that are written by major cybersecurity players like Verizon.  In reading these reports, insight can be gained into the most prevalent types of threats to organizations.  Some great examples include the annual Verizon Data Breach Investigations Report, Symantec’s Monthly Threat Report, and the monthly Global Threat Intelligence Report (GTIC).  As echoed in these reports, some of the biggest threats to REALTORS® in today’s environment are Physical Data Theft, Ransomware, and Phishing.

PERFORM A SELF-ASSESSMENT 

Finally, REALTORS® should perform a self-assessment.  A review of the current IT operating budget, as a percentage of annual revenue, is an interesting high-level barometer for assessing security posture.  Organizations that do not reinvest enough of their revenue into IT operating budgets routinely fall short on providing adequate cybersecurity controls.  Investments should be pragmatic and impactful, without causing unnecessary business inefficiencies.  One of the tools that helps IT organizations make good investments in IT security controls are called cybersecurity frameworks.  This space has evolved rapidly in the past few years, and today there are a few different good framework options.  Each framework comes with its own set of pros and cons, and some frameworks take less effort to implement than others.  Some of the common frameworks most organizations have heard of include the National Institute of Science and Technology Cybersecurity Framework (NIST CSF), Control Objectives for Information Technology version 5 (COBIT 5), HiTrust, and the International Standards Organization (ISO) 27001/27032.  Each of these frameworks are common in larger organizations, but are likely too complex for most REALTORS® to adopt in whole.  A smaller, light-weight framework called the CIS Top 20 is a great framework for smaller organizations that is quite easy to implement.  I recommend that organizations that adopt the lighter CIS Top 20 also take a look through the bigger frameworks, looking for any specific items within them that might make sense to layer on top of the CIS Top 20.  The first step in adopting a framework like the CIS Top 20 involves an assessment against the controls advocated for in the framework itself, so adoption of it or any other framework invariably results improved self-awareness.

EMBRACE SECURITY AS A JOURNEY

Remember that security is a journey, and not a destination.  There is no such thing as “being secure”, because the threat landscape is constantly evolving.  In the time it took me to write this article, dozens of new threats have been identified, and these exploitation of some of the threats will be made available on the dark web for hackers to download and use against organizations in the very near future.  The big threats of today – Phishing, Physical Data Theft, and Ransomware – can all be mitigated in whole or in part by the implementation of a framework like the CIS Top 20.  However, organizations must continually apply the controls they’ve adopted in order to maintain a proper security posture.

WHAT ARE BEST PRACTICES FOR REALTORS®?

Conduct Annual Security Training – Well-meaning internal employees represent an easy method of access for savvy hackers.  Conduct annual security training that informs employees about major risks and what they should be doing (and not doing!) to help protect your organization and customers.

Adopt a Framework of Controls – No need to reinvent the wheel.  Collaborative groups of cybersecurity professionals have put together several great security frameworks that can help organizations achieve their desired security posture.  Pick a framework that matches your organization’s capabilities and apply the framework as part of daily operations.

Address the Trifecta of People, Process, and Technology – Controls that fail to address the trifecta of people, process, and technology are incomplete and typically do not result in the desired outcomes.  Take an example of a simple desktop anti-virus product.  When deployed as a pure technology solution it will block malware, but additional people and process questions need to be answered.  For example, how is the product updated?  What happens if a computer that has not been updated, and may be infected, accesses your network?  How are malware detections between individual end-points correlated so that malware does not spread uncontrolled across all the devices on your network?  Who receives notifications of an outbreak and what actions should they take?

Invest Appropriately – Understand the threat landscape and your organizations’ appetite for risk.  Make investments that are impactful, as defined by reducing a risk to within your organizations’ risk appetite.  Track the impact of those investments.

Know the Threat Landscape – Stay up to date with the threat landscape via reading reports and newsletters or hire an outside security advisor that knows your environment and provides monthly recommendations in reaction to the changing threat landscape.

Embrace Security as a Journey – The investments made today do not forever mitigate all future risks.

Jason is a principal consultant with Point B.  He has over 20 years’ experience helping organizations realize business value from the strategic use of technology.  He has proven success in numerous roles in IT security, privacy, compliance, risk management, cloud adoption, architecture and design, strategy, and process development and implementation.  He has worked in the high-tech, entertainment, legal services, financial services, manufacturing, government, and healthcare (plan/payer, provider, and medical device manufacturing) industries.  Prior to joining Point B, Jason was an executive with a Colorado-based healthcare insurance company, serving as Chief Information Officer and HIPAA Security Officer.