Reducing the risk of data breaches in property agencies

Improve your cyber security to reduce risks

Property agencies collect and sometimes retain large amounts of personal information from customers. With major cyber incidents and data breaches affecting people across Australia, it’s more important than ever that property agencies proactively work to improve cyber security to reduce risks. It’s critically important that you understand your obligations which include storing personal information securely and making sure that it is destroyed or de-identified as soon as possible.

There are steps you can take to improve your cyber security and minimise the damage a potential cyber incident may cause to your customers and your reputation.

1. Urgently conduct an end-to-end review of your data security practices and systems. You may consider engaging an expert to identify cyber vulnerabilities and ways of reducing risks. This investment will pay off in the future.
2. Review your business processes to ensure you collect only required personal information.
3. Store personal information for the minimum time required and implement procedures for its safe disposal at the earliest appropriate time.
4. Assess the security of any third-party systems that your agency uses. Remember, their security practices will affect your business.
5. Evaluate the security of your data storage systems and upgrade them if necessary. All customer, client, tenant, and employee data should be stored with maximum security.
6. Mandate strong and complex passwords for all user accounts.
7. Ensure privacy obligations and cyber security is part of the annual training plan for all employees in your agency.
8. Familiarise yourself with Australian privacy law and ensure your business practices comply. This includes knowing your reporting obligations if personal information you hold is compromised.
9. Take the opportunity to inform your customers, clients, tenants, and employees that you’re doing this important work because it’s an urgent priority.

Engage your employees to help you

1. Work with your teams to secure their mobile devices (phones and tablets). These devices are essential tools of trade, but they can also be a risk.
   • Enable instant locking so the device isn’t unlocked and accessible by others at any time.
   • Mandate passcodes at the maximum length for the device and operating system.
   • Engage multi-factor authentication for logins wherever it is available.
   • Ensure automatic operating systems updates are enabled on both personal and work-issued devices. This will install the latest security updates to protect from known vulnerabilities.
   • Give access to the minimum number of shared mailboxes on mobile devices.
   • Limit the number of people who have access to shared mailboxes and purge the information regularly.
2. Data breaches can occur when a folio, compendium, or hard copy document is lost or stolen.
   • Make sure that hard copy materials with physical signatures are stored in a locked location.
3. Develop a culture of reporting. Encourage your people to speak up if an incident may have occurred. Work with them to resolve the issue and make improvements.

Be prepared for the worst case

While it’s important to be prepared for the time a cyber incident does occur, prevention is even better. When a cyber incident occurs, it requires an immediate, urgent, and unified response. In the same way that organisations run building evacuation drills, the best way to be prepared is to practise.

Identify people within your business who will be able to facilitate the urgent response and assign roles and tasks to team members. Be sure to integrate your drills into your business continuity planning. You may also be able to leverage resources available from your head office teams.

What to do if you experience a cyber attack or data breach

If your agency experiences a cyber incident or data breach, help is available.

• Consider your obligations under the Notifiable Data Breaches scheme.
• Engage the team at the Australian Cyber Security Centre.
• Contact ReportCyber. Any malware or ransomware reports submitted are reviewed by the Australian Cyber Security Centre and if action is required police will be notified.
• If personal information may have been compromised, contact ID Support NSW.