The real estate industry recently experienced a wake-up call due to a cyberattack that crippled critical MLS services. This is part of a growing trend. In 2022, almost 500 million ransomware attacks were detected by organizations worldwide, per Statista1. These cyberattacks provide ransomware authors with the ability to collect credentials or install malicious software that has devastating consequences to our businesses and the communities we serve.
These incidents underscore the urgent need for comprehensive security measures in our industry. The convenience of interconnected data and software integrations comes with the responsibility to safeguard the entire ecosystem. It is imperative that we take a proactive stance to fortify our platforms against potential threats.
Below are four critical information security considerations that should be at the forefront of every MLS owner’s and operator’s strategy to maintain a sturdy foundation. We also articulate policies and processes we use at CoreLogic® to help protect mission-critical software services for our clients.
1. Make a Conscientious Commitment to Security
The technology ecosystem supporting the real estate industry is dynamic and entrepreneurial. Multiple technology vendors, along with homegrown systems, are integrated with each other to provide unique capabilities for agents. This makes for a complex ecosystem with data shares, API integrations, SSO dashboards and multiple applications. The more diverse the ecosystem, the more vulnerabilities are present. Impact to one node of the ecosystems puts others at risk. For this reason, information security is a key criterion in any comprehensive technology strategy. MLS owners and operators need to make a conscientious decision to prioritize the security of their platforms, applications and data, including homegrown systems. This requires a collective acknowledgement of the risks associated with inadequate security measures.
At CoreLogic, we hold our real estate solutions to the same rigorous security standards as the more heavily regulated financial services, mortgage, and insurance sectors. We employ a dedicated organization for information security that reports through our Chief Information Officer and has the accountability and authority to address security issues with the highest priority. Regular third-party audits by agencies specializing in information security offer another level of scrutiny.
By embracing a security-first mindset, industry leaders can set the tone for the entire ecosystem, fostering a culture of vigilance and preparedness.
2. Make Your Information Security Policy Comprehensive
The bedrock of information security is a multi-layered strategy with critical assets protected via securing data, applications and networks.
Data security includes ensuring end-to-end encryption of critical information and defining user access and authentication standards to ensure data integrity. Application security layers include robust coding practices, upgrading to the latest security patches, and regular scanning and testing of software for vulnerabilities to assure availability. A robust plan for regular database backups and disaster recovery protocols is essential for a quick recovery. The data backup should not be limited to just listing information, but it should also include critical information that facilitates agent workflow including customer lists, user preferences and contacts.
Recovery from a ransomware attack is possible with access to backed-up data that has little risk of having also been compromised. A more frequent backup schedule and a longer retention policy gives the most flexibility during recovery. Keep in mind that malware can hide in backups and detonate later. Therefore, having access to a version prior to the presence of the malware is essential. Network security and strong user authentication and access policies help ensure data confidentiality, thereby preventing unwanted access. This must go far beyond simple firewalls and username/password authentication.
At CoreLogic, we use well-established information security control frameworks, such as ISO, NIST, etc., as the basis of our robust information security program. Properly configured and monitored malware detection and prevention products are an essential attribute to our strategy. We have implemented solutions that will detect and block malware based on behavior rather than a signature to limit the blast radius of any attack and minimize recovery time. Tabletop exercises and well-planned/prescriptive recovery procedures help us to prepare in the event of an incident, thus reducing the expected time to recovery. We conduct regular penetration testing on our systems using third party software. We also employ “white hat hacker services,” also known as ethical hackers, to regularly test our systems. Identified vulnerabilities are assessed for risk and remediation.
3. Address the Most Vulnerable Security Asset With Training, Testing and Accountability
Most cyberattacks or information security breaches are caused by phishing or other similar attacks that trick personnel into giving away credentials or systems access. Humans are unfortunately the highest vulnerability in any information security strategy2. In 2022, phishing was the most common cyberattack with 3.4 billion daily spam emails sent daily. MLS personnel and their members should train continuously and be reminded to take information security seriously.
At CoreLogic, all employees and contractors go through regular mandatory training on the latest information security scams and vulnerabilities. Beyond training, our information security team conducts regular mock “phishing drills” to ensure employees remain vigilant against phishing.
4. Make the Industry Stronger and More Secure — Together
While the recent cyberattack has garnered widespread attention, it is highly likely this is not the last time an incident will impact our industry. The sophistication of cyberattacks has increased exponentially in the past few years. While each situation is different, it is important that we all — MLSs, vendors and other technology providers — strive to share our insights on the latest threats and best practices. We can protect our interconnected ecosystem by learning from others.
The journey from index cards to weekly printed books and now to interconnected platforms and systems, has been transformative. It is time to evolve the way we manage information as well as in how we safeguard it. The real estate industry has made incredible progress, and now we must navigate a data-driven and high-availability landscape. Together, we have an opportunity to drive the industry forward with robust, secure and available MLS platforms. Engage with industry peers, share insights and stay updated on the latest threats and best practices. By fostering a collective commitment to security, the industry can create a safer environment for all stakeholders.
Click here to learn more about CoreLogic’s security and compliance solutions.
Return to our Cybersecurity Awareness Month site.
Sources:
- https://www.statista.com/statistics/494947/ransomware-attacks-per-year-worldwide/
- https://www.techopedia.com/cybersecuritystatistics#:~:text=The%20FBI’s%20Internet%20Crime%20Report,phishing%20attacks%20exceeded%20%2410.3%20billion.