With seven major Australian companies falling victim to data breaches in recent weeks, Real Estate Institute of Australia President Hayden Groves has urged agencies to take a good, hard look at their cyber security.
Over the past couple of weeks, telecommunications giant Optus and health insurer Medibank have been among the big-name companies subject to serious data breaches, with the Federal Government now considering hefty fines for companies that fail to adequately protect their customer data.
While stating most agencies had good cyber security protocols in place, Mr Groves said recent incidents should serve as a timely reminder for the real estate industry to ensure their digital security and staff training were up to par.
“The real estate industry is very much aware of its obligations when collecting sensitive information,” Mr Groves noted.
“Even small agencies tend to have good cyber security in place because they are well aware that their wellbeing and licences are at risk if they don’t look after an individual’s data.”
However, he said an audit of that cyber security could be prudent, along with staff training on the dangers of opening malicious emails.
“Most cyber security breaches come down to human error,” Mr Groves said.
“It’s often when someone clicks on a malicious email.”
To combat the risk, Mr Groves suggested agencies undertake the following…
Seek guidance from your institute
Mr Groves said each of the state and territory institutes had information about digital security and best practice.
“The institutes are rolling out training regarding recognising malicious and phishing emails,” he said.
“Look to your institute throughout Australia for guidance.”
Speak to a professional
In addition to understanding data collection obligations and industry best practice, Mr Groves also suggested speaking with a cyber security professional.
“I’d encourage members to either use their existing IT specialist or consider engaging one to ensure your security is up to par,” he said.
Undertake an audit
Mr Groves noted agencies could also ensure they were employing best practice by undertaking an audit and conducting a test case scenario.
“Perhaps employ somebody to create a mock phishing email to see if any of your staff click on it,” he said.
“This might offer an insight into whether additional education is required.”
Only collect the information you need
Mr Groves also cautioned agencies against collecting more information than they required.
“Agents have been criticised in the past for excess information gathering and we’d ask agents to be cautious around that,” Mr Groves said.
He explained that one example of overzealous data collection might involve a property management department attempting to showcase a thorough approach to landlords when screening tenants.
“Sometimes this goes way beyond the minimum requirements and it’s really not necessary,” Mr Groves said.
“It’s reasonable to ensure they are who they say they are and they have capacity to meet the obligations of the lease.
“But beyond that you don’t need to be collecting additional data, because the reality is, the more data you have, the more you are at risk.”
Mr Groves noted the industry’s collection of data was regulated, with agencies required to exercise due care and diligence when collecting and managing personal information.
“The fact is, if you are sloppy with data, you can be prosecuted,” he warned.
For further information on reducing the risk of a data breach, contact your state or territory real estate institute, or view O*NO Legal’s top tips on data collection and protection here.