Should property professionals worry about cybercrime?

Just over a year after the General Data Protection Regulation (GDPR) came into force, news hit the press in July 2019 – British Airways faces record £183m fine for data breach. The penalty was the biggest to be made public under the new rules. Yet the BA penalty actually amounts to ‘only’ 1.5 per cent of its worldwide turnover in 2017, significantly less than the possible maximum of four per cent.

As the UK’s largest international airline and one of the world’s leading global premium carriers, it is tempting to think that household names like British Airways are typical of the type of organisation most often targeted by cyber-criminals. However, this is simply not the case; while cyber-attacks on well-known companies like British Airways tend to make the headlines, it is actually smaller businesses that are more likely to fall victim. A recent Hiscox study revealed that UK small businesses are targeted with 65,000 attempted cyber-attacks per day.

While most attempts fail, a small business in the UK is successfully hacked every 19 seconds, costing the average small business £25,700 in basic ‘clear up’ costs every year.

What happened at British Airways?

In the recent high profile case, users of British Airways’ website were diverted to a fraudulent site. Through this site, details of about 500,000 customers were harvested by the attackers.

Commenting on the attack, Information Commissioner Elizabeth Denham said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.

“That’s why the law is clear – when you are entrusted with personal data, you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

In the case of British Airways, the watchdog said a variety of information was “compromised” by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.

How could cyber-crime affect a letting agent?

For letting agents, ‘security’ usually means locks, bolts and burglar alarms. But it is equally important to ensure that your business is as secure as the properties for which you are responsible.

So, are you or your letting agent business at risk from cyber-crime?

  • Do you hold sensitive customer details, such as names and addresses or banking information?
  • Are you reliant on computer systems to conduct your business?
  • Do you have a website?
  • Are you subject to a payment card industry (PCI) merchant service agreement?

The chances are you answered “yes” to most, if not all, of the above. If so, your business could be vulnerable to a data breach or loss of vital business services that could have a major impact on your reputation and, ultimately, your profits. In addition, while British Airways ‘got away’ with a fine of only 1.5 per cent of its turnover, under the GDPR rules you can be fined up to four per cent of your sales if customer data is mishandled.

The Information Commissioner did not mince her words when, following the BA breach, she emphasised the law surrounding personal data and the requirement to protect customers’ fundamental privacy rights or face the consequences.

Letting agents are a target for cyber-criminals

The fact that letting agents are a prime target for cyber-criminals is not surprising when you consider the wealth of personal information that is exchanged between an agent, landlord and tenant. This information is likely to be stored digitally, payments are usually made online and contracts increasingly signed electronically.

Financial fraud in the private rented sector

Financial fraud is particularly rife in the private rented sector. Online transfer of money between landlords / agents and tenants increases the risk of phishing scams – when fake emails claiming to be from legitimate websites encourage users to click on a link and log in, thereby enabling the scammer to fraudulently access the account. Another common scam involves hackers posing as landlords and asking tenants to pay rent to another account number.

Identity theft in the private rented sector

Identity, it could be argued, is a person’s most valuable asset. So, with letting agents holding so much personal data online, it is not surprising that agents are a perfect target for fraudsters looking to carry out identity theft. Once a person’s identity has been stolen, they may find it difficult to get loans, credit cards or a mortgage. Personal information can be used to forge documents such as passports and driving licences, landing the victim in hot water and potentially resulting in legal action against the agent.

Cyber threats within the organisation

Cyber security is not all about encrypting data, securing servers and worrying about hackers.  Often times the danger arises out of human error or comes from within the organisation.

Take someone leaving your letting agency. Your financial team will work out how much pay is due and file a P45 with HM Revenue & Customs. Colleagues will sign a card and maybe have some drinks. The line manager will write a reference and collect key cards. But the ‘cyber security exit checklist’ should come into play as well. IT staff need to make sure they delete the leaver’s login from the firm’s computer network and change any passwords that would give them access to sensitive business and customer data.

Email hijacking in the private rented sector

Small scams can net large sums of money for cyber-criminals, with relatively little effort. The Solicitors Regulation Authority (SRA) has highlighted email hijacking as one of the main scams targeting property firms as well as lawyers.

In a common scenario, hackers intercept open text emails between property firms and clients and scan them for bank details and passwords. The hackers then try to access other people’s bank accounts by diverting emails to ask for updated account details.

In a busy office, someone could easily overlook cyber security rules and inadvertently pop the passwords or account numbers back to the fraudster who is posing as the lawyer.

This example exposes another often-overlooked cyber security flaw – encrypting emails. It’s not much good if the office network is bolted down tightly, but emails are still open for anyone to read.

The result of letting a former colleague or scammer have access to sensitive data can be catastrophic – a hack means a security audit will need to be carried out; it exposes a business to a high risk of prosecution for breaching data protection rules; it will involve the need to pay out compensation to business contacts or clients and, perhaps most crucially, it causes sometimes irreversible damage to the firm’s reputation.

The types of cyber-crime most commonly affecting small businesses, such as letting agents, are phishing emails and malware attacks. Our infographic, Five cyber risks for estate and letting agents highlights some of the risks you are likely to face in the private rented sector, and offers tips for preventing fraud.

Cyber-crime case study

This case study tells the story of what happened to a relatively small office and was the result of an easy mistake made by a member of staff:

  1. An employee received an e-mail to say that she had been caught speeding.  She was given the option of clicking one button to pay the fine or another to review the photograph of the offence.  She clicked one of the buttons!
  2. Shortly afterwards she received an e-mail stating that the letting agent’s systems had been infected with a cryptolocker virus (a malware threat that infects the computer and then searches for files to encrypt. This includes anything on the hard drive and all connected media — for example, USB memory sticks or any shared network drives), and that all files on the servers were locked.
  3. The e-mail demanded c.£500 in Bitcoins for the decryption key, including ‘helpful instructions’ on how to buy and transfer the Bitcoins.
  4. Hiscox approved the payment of the ransom.  Unfortunately only 90 per cent of the files were recovered and the remainder had to be unlocked by IT contractors.  The policy covered the cost of the contractors as well as the business interruption loss – the office  was unable to trade for a couple of days and was not back up to full speed for a couple of weeks.  Total claim value was £60k (£55k B.I. £5k IT costs).

Comprehensive cyber insurance will protect you if a hacker tries to hold your business to ransom by covering the ransom you have paid and helping you manage the situation.

How can letting agents protect themselves from cyber-crime?

As a letting agent holding sensitive customer details, it is vital that you protect yourself and your customers. There are a number of steps you can take; it is important that all employees follow these steps.

  1. Password-protect your files, and avoid storing tenant’s information on a laptop or device which is often taken outside the home and could get lost
  2. Never release personal information over the phone, through the post or electronically until you have verified the receiver as somebody authorised by the tenant
  3. Only employees who need to use sensitive information should have access to it
  4. Ensure you have the latest anti-virus software installed on your computer, and that all plug-ins are up to date
  5. Don’t open suspicious-looking emails or links. Go to websites manually rather than clicking links in emails
  6. Before transferring money online, check bank account details in person or over the phone rather than relying on emails
  7. Online or on paper, make sure you securely dispose of previous tenant records or data which is no longer required
  8. Take out a dedicated cyber liability insurance policy, specifically designed to help reimburse you for costs incurred by this type of crime

How professional indemnity cover helps

Comprehensive professional indemnity insurance for letting and estate agents has the option to include cyber insurance which will pay out in the event of a cyber-attack.

Comprehensive cover offers practical support if for example a business interruption occurs due to ransomware. Cyber insurance also provides crisis containment to mitigate against reputational damage and legal and financial assistance for issues arising from a data breach.

In addition, the insurer will pay the fees of:

  • A PR firm to assist in re-establishing the agent’s business reputation
  • A forensic consultant to establish the identity of the hacker
  • A security consultant to review the agent’s electronic security

Prevention is the best strategy

According to Hiscox, when questioned only 52 per cent of UK small businesses stated that they have a clear cyber security strategy in place to manage the impact of an attack. This, says Hiscox, can significantly hamper their ability to detect, manage and prevent security breaches, as well as making the overall impact of an attack much more severe.

While communication is critical both during and after a cyber-attack, Hiscox found that only 56 percent of the small businesses surveyed could say with confidence that they fully disclose details of a cyber-attack to the relevant internal and external stakeholders. This is of significant concern since, following the introduction of GDPR in 2018, all organisations are required to report a data breach to the ICO within 72 hours and notify any affected customers without delay.

Hiscox suggest a ‘Prevent, Detect and Mitigate’ approach to cyber security best practice:

Cyber Security Best Practice: Prevent, Detect and Mitigate:

• Involve and educate all levels of the organisation about cyber threats
• Have a formal budgeting process and ensure cyber is a part of all decision making
• Institute cyber training during the on boarding process and in an on-going manner

• Include intrusion detection and on-going monitoring on all critical networks
• Track violations (both successful and thwarted) and generate alerts using both automated monitoring and a manual log
• Record all incident response efforts and all relevant events

• Create a plan for all incidents, from detection and containment to notification and assessment, with specific roles and responsibilities defined
• Review response plans regularly for emerging threats and new best practices
• Insure against financial risks with cyber insurance

Cyber Insurance protects your business if it experiences a data breach or is the subject of an attack by a malicious hacker that affects your computer systems. It will also cover unauthorised access to your website, intranet, computer system, network, telephone equipment or data you hold electronically.

Letting agents can purchase cyber cover as an add-on to their Professional Indemnity insurance. Find out more about Hamilton Fraser’s CMP PI cyber cover here. Hamilton Fraser’s PI policy is underwritten by Hiscox, a market leader in providing professional indemnity protection.

Find out more about cyber threats to letting and estate agents

More advice about securing a business network, backing up data, dealing with malware and securing mail is available from the government’s National Cyber Security Centre.

Premiums start from £12.60* a month

*Based on £100,000 worth of cover. Plus insurance premium tax (IPT) currently at 12%.