Whitepaper: Cybersecurity And The Real Estate Industry: Protecting Your Interests Against Cybercrime
Over the past twenty years, business transactions worldwide have grown into an ever-evolving set of internet-based technologies that are designed to make business run more efficiently, and to facilitate swifter communications and closure and fulfillment of those transactions. Unsurprisingly, the rise of these technologies has also fomented a new culture of criminals seeking to take advantage of previously unnoticed vulnerabilities in those technologies. As cybercriminals develop their craft by blending new and old hacking practices, it becomes increasingly difficult for IT Security specialists to stay ahead of them and keep the confidential data and electronic cash flow of their institutions safe.
Financial institutions become a focal point for cybercrime
In its 2015 annual report, the U.S. Department of Treasury's Financial Stability Oversight Committee (FSOC) summarized: "Over the past year, financial sector organizations and other U.S. businesses experienced numerous cyber incidents, including large-scale data breaches that compromised financial information. Malicious cyber activity is likely to continue, and financial sector organizations should be prepared to mitigate the threat posed by cyber attacks that have the potential to destroy critical data and systems and impair operations."
In an interview with Finance Asia, former Federal Reserve Chairman Ben Bernanke warned that cybercrime is "one of the security risks that I would place very near the top of the things that the financial sector needs to work on ... it’s something that regulators, governments, and the banks should put a lot of resources into."
Websense is a cybersecurity services vendor owned by Raytheon, and is considered a leading authority in the field. In the first half of 2015, Websense conducted a study of cybersecurity in the financial services industry, summarized in a report entitled '2015 Industry Drill-Down Report: Financial Services.' The most astounding finding of the Websense study is that, on average, companies in the financial services sector suffer 300 percent more cybersecurity incidents than any other industry.
The number of cyberattacks that succeed in breaching the security of financial institutions continues to grow at an alarming pace. The Identity Theft Resource Center maintains a continuously updated report of breaches, and its current data show that in the first part of 2016, breach incidents are up about 20 percent over the same period in 2015.
How cybercriminals are successfully breaching security
It's easy to imagine complicated hacking plots hatched by syndicates of sophisticated criminals, executed in scenarios worthy of a Tom Clancy novel. It's true that many cybercriminals do work in syndicates and are funded by larger criminal organizations, but the means they most commonly use to steal data and money are shockingly simple. Most often, they take advantage of human error and email vulnerabilities.
In 2015, security provider McAfee conducted a quiz among members of the general public to assess whether an average person could correctly identify a phishing email. Out of more than 19,000 participants from more than 140 countries, only three percent of respondents correctly identified all ten example emails as either legitimate or a scam. The average score among all respondents worldwide was 65.4 percent. On average, participants missed at least one of every four phishing emails presented to them.
Surely, trained employees at a security-conscious company would score better, right? The 'IBM 2015 Cyber Security Intelligence Index' is the summary of an annual study describing the frequency, type, and responses to cyberattacks among IBM Managed Security Services' client companies with 1,000-5,000 employees. Each of these companies has about 500 security devices active within its network. The 2015 study found that 55 percent of cyberattacks carried out against the study companies were the direct result of actions by a company insider, either malicious or inadvertent, with inadvertent actions responsible for 95 percent of these breaches. An additional, highly comprehensive study by Verizon found that 18 percent of users in a work environment will visit a link included in a phishing email, possibly compromising network security.
One especially notorious example is the 2015 incident in which hackers obtained the login credentials of an employee at the Ecuadoran Banco del Austro (BdA), which they then used to log into a secure BdA terminal and order 12 million dollars sent over the SWIFT network to several bank accounts in Hong Kong, using Wells Fargo as an intermediary. The login was properly authenticated because the hackers had accessed valid credentials by taking advantage of a lapse in security protocol by a BdA employee.
Even simpler and less sophisticated ruses provide big results for cybercriminals on a daily basis. In December 2015, the National Association of Realtors (NAR) alerted its members to scams specifically targeting the parties involved in real estate transactions:
"The hackers often send an email that appears to be from an individual legitimately involved in the transaction, informing the recipient, often the buyer, that there has been a last minute change to the wiring instructions. Following the new instructions, the recipient will wire funds directly to the hacker’s account, which will be cleared out in a matter of minutes." As these scams increased in frequency, the Federal Trade Commission (FTC) issued an additional warning to consumers in March 2016.
Cybercriminals who target security-conscious business sectors like financial services have obviously had to develop their craft beyond the emails saying the recipient is to inherit a fortune from a distant relative they've never heard of, but the same principles apply to these upgraded scams. This more specialized form of phishing is known as 'spear phishing,' because it uses target-specific lures to entice the recipient to follow a path that leads to them accidentally giving access to the sender. In some cases, the attackers will study publicly available information on their intended targets: social media profiles, email ID, placement in the company organization chart. Sometimes, these lure emails appear to be from the employer's Human Resources department, and request that the user log in to correct some kind of error that will result in loss of benefits or delay of payment, or inform the recipient that he has won something for participating in some company program like a survey.
In the past, it has been common practice for businesses to use File Transfer Protocol (FTP) to communicate sensitive information between branches or to third parties involved in their transactions. The truth is FTP networks are not much more secure than email, and are vulnerable to direct hacking. In addition, once hackers succeed in using email to gain access to your network, they can easily gain access to your FTP network data.
Eliminating common vulnerabilities
Scrutinizing the details of cybersecurity vulnerabilities in business is, frankly, a scary proposition. Our national economy and, in fact, the world economy, relies on secure and efficient networking, and without it, businesses fail in all sectors. How, then, do we create a more secure net-world? Stop using email for business transactions, to begin with. There are many ways potential attackers can intrude on the privacy of a business, but by eliminating their easiest access points, email and human error, businesses slam the door in the faces of a majority of would-be hackers. The IBM Managed Security Services report cited above said in its explanation, "Our best defense is to revamp how we’ve been approaching security, and to move from constantly bombarded, isolated defensive positions to a united, intelligence-driven collaborative front against cybercrime."
The BeesPath solution
Within the real estate and mortgage industries, regulations like the TILA-RESPA Integrated Disclosure Rule (TRID, also known as the Know Before You Owe mortgage rule) and GSE's mandated closing data have created requirements for more information than ever before to be communicated quickly among the involved parties to a transaction. Proposed changes to TRID will involve even more rapid-fire communications, if they go into effect.
The most effective solution to preventing cybersecurity breaches is to isolate critical data by segmenting the communications network used by the involved parties. Much like the high-security ACH and SWIFT networks used by financial institutions to move large amounts of money and store data on the owners of that money, the BeesPath network offers an "enclosed space" for the participants in real estate transactions to exchange data and arrange secure transfer of funds.
Every user accesses the network using verified credentials, and all communications and documents are transmitted within the BeesPath network, using applications with BeesPath security protocols embedded in them. This eliminates human error because it prevents people from circumventing the protocols by using unauthorized or unsecured devices, or by accidentally exposing confidential data through email, chat, or another unsecured medium. It's like creating a soundproof, windowless room where all meetings about the transactions will take place, and that meeting room is inside of a secured facility monitored by a dedicated security team whose sole purpose is to watch over the interests of its clients in their meeting rooms.
Easy Soft ClosingBridge-integrated suite
The Easy Soft suite of closing solutions is embedded and fully compliant with BeesPath ClosingBridge security protocols and offers convenient and efficient tools for every stage of closing a real estate transaction. With Easy Soft, lenders and settlement agents get a simple and streamlined way to produce and securely transmit required documents and forms, along with an encrypted online and mobile portal to access documents and communications from verified devices, and helpful extras like integrated loan auditing through Easy Soft's ComplianceAnalyzer. Confidential information stays confidential, compliance with TRID and GSE requirements is assured, and hackers are left out in the cold.