Proptech Mastery: Risky Business – Data Security in Real Estate

According to the ACCC, scams and data fraud cost Australian businesses $630 million in the last year. Real estate transactions are also increasingly being targeted by criminals.

Every day, we make quick decisions around data security to make our lives ‘easy’, but risk exposing our clients and businesses to damage and loss. If you have ever shared a password and login with team members, emailed your banking details for a deposit, or have been annoyed at requests to update a password, this is a webinar you must watch.

Join the Proptech Association Australia as we discuss the very real risks from phishing scams faced by every real estate agency and property management team. We’ll explore how big the problem is, what you need to do to reduce the risks, and what some of our major proptechs are doing to protect their clients.

We feature four experienced data experts who will share their knowledge and insights around data security including:

  • Sashini Walpola – Ashurst
  • Owen Moony – Box+Dice
  • Jed Horner – AustCyber
  • Shane Goodwin – InspectRE

Kylie Davis:

If you’re just joining us on the call, it’s Kylie Davis from the Proptech Association here, and it is great to see so many joining the call for our first Proptech Mastery Session on the Risky Business of Data Security in Real Estate. I’m here today on Gadigal land and, before I begin, in the spirit of reconciliation, Proptech Association Australia recognises the traditional custodians of country throughout Australia and their connection to land, sea, and community. We pay our respects to their elders past, present, and emerging, and extend that respect to all Aboriginal and Torres Strait Islander people joining us here today.

Kylie Davis:

I’d like to thank the Proptech Association sponsors, Stone & Chalk, The Real Estate Institute of WA, Macquarie Bank, Ashurst Lawyers, PEXA, WebIT, and Forbury, who have been so fundamental to the establishment of the association and made all of these events and new initiatives possible. I’m very excited that this is our first Proptech Mastery Session, a concept that was initiated by our Proptech Association members Box+Dice and InspectRE. These Proptech Mastery Sessions have been designed to discuss issues that support the strong adoption of proptech, to identify mistakes to avoid, and to provide tips and hints on ways that we can achieve better outcomes.

Kylie Davis:

And now, according to the ACCC, scams and data fraud cost Australian businesses 630 million in the past year. Real estate transactions are increasingly being targeted by criminals. And since we sent the email around alerting people to the event today, I’ve had agents contacting me telling me personal stories about the high legal cost of trying to prosecute if someone steals your data. Every day, we’re making quick decisions around data security to make our lives easy, but when we do that we risk exposing our clients and our businesses to damage and loss.

Kylie Davis:

So, if you’ve ever shared a password, a login with a team member, emailed your banking details for a deposit, or have been annoyed at the constant requests to update your password and let’s face it, who hasn’t? Then we are all engaging in behaviour that has some huge risks from fraud, phishing, and even identity theft. But we all do it, don’t we? And so, how much of a risk are we at? And today we’re going to be exploring how big that problem is, what we need to do to reduce the risks, and what some of our major proptechs are doing to protect their clients.

Kylie Davis:

I’m delighted that we’re featuring four really experienced data experts who will share their knowledge and insights around data security, and they are Sashini Walpola from Ashurst Lawyers, Owen Moony from Box+Dice, Jed Horner from AustCyber, and Shane Goodwin from Inspect Real Estate. Now, our first guest is Jed Horner, Head of Government Relations and Advocacy at Stone & Chalk, AustCyber, which is working to raise awareness and grow and scale Australian cybersecurity. We then have Owen Moony, technical lead at Box+Dice, Australia’s first cloud based CRM, and the winner of the Proptech of the Year Awards for an established Proptech. Next we have Shane Goodwin, IT and Security Manager at Inspect Real Estate, known best for its highly customizable inquiry management and booking system. And they’ve recently made some big waves in rental applications with two apply, and have a full trust solution for rentals and sales in beta. And last but certainly not least, we have Sashini Walpola, Senior Associate in the digital economy transactions at legal firm Ashurst.

Kylie Davis:

So, welcome, everybody. Thank you so much for joining us. It’s great to have you on our first Proptech Mastery Session. Jed, let’s start with you. How big a problem is fraud and data security in Australia, especially in the real estate space?

Jed Horner:

Kylie, thanks so much for having me here. I’m a massive fan of the Proptech Association and everyone here who’s joining us today. So, thank you. I also did want to say very briefly that I’m very jealous of where some of you are dialling into. As a lot of you can see, given the state of us here, I’ve been in a lockdown with a lot of you in Sydney. So, bear with me as we make it through today. Look, Kylie, that’s a really good question. I actually think people often fixate on the value of some of the data breaches that arise from cyber-attacks.

Jed Horner:

I also did want to speak briefly about the volume. So probably one of the most authoritative sources we have on this centrally in Australia is the reporting that the AFP and the Australian Cybersecurity Centre, which runs out of Home Affairs federally, have on cyber crimes. They actually have a broader definition of what’s a cyber crime. So they put everything into one basket, but they categorise it. And what we do know based on data is actually, if you look at the onset of COVID last year, we saw in April an uptick in cyber-attacks. That’s not a coincidence. It’s very deliberate. But what we also saw was reporting and raw data, and we had about 59, almost 60,000 cyber incidents in the last financial year reported by ACSC and the AFP. So, that gives you some idea of the volume of attacks that businesses have been subjected to. But we also know that there were upticks in particular categories.

Jed Horner:

Cyber criminals have become very sophisticated about not just targeting financial services. If we look at the most recent data, we can, for example, see companies that operate both in healthcare and on the margins experienced a huge rise in attacks. And that jumped from, I think, about 90 to 160 incident reports, including big players. So, I think, to answer your question, the volume of attacks actually hasn’t shifted hugely. We have tens of thousands of those every year in Australia, and they are reported pretty transparently. And then we break them down by category. What has shifted, I think, is the way that cyber actors, threat actors, people overseas, and people in Australia who want data are acting and who they are targeting, which I think is critical when you look at a sector like property.

Jed Horner:

We’re seeing people chase vectors of information. So, cloud providers are an example of that, operating horizontally across the economy, and also obviously shared services providers where there are interfaces with a whole range of people. So the numbers are not actually shifting radically, if you look at ACSC reports, and even the most recent ones, but the value of those attacks is increasing in terms of what people can extract from that information, and what damage they can do when they are attacking companies. And I know others on the panel will probably have views on this.

Kylie Davis:

So, is the risk all coming from Russian, Nigerian, Chinese, and insert-country-here scammers, or government forces, or are there closer-to-home risks?

Jed Horner:

So, online fraud is a huge reporting category in the data I just cited, so that’s absolutely still a risk. It’s at the micro level. And most people can probably relate to this, but it is the scammers from overseas. And some of those involve allures and promises of love. That’s absolutely a play for Australians. But I think actually, for everyone else on the call, the biggest thing is the thing you called out, that state actors, and there have been statements about this in recent times by Foreign Minister Payne and indeed our US counterparts, are targeting sectors of the economy. So, there are some states, I won’t name them, you can imagine who they are, who actually will pursue whole sections of the economy on five year lease, so medtech, all those areas, actually, at the moment are in those cycles. People on this call will know that and people who are joining us.

Jed Horner:

And so, I think that there is a split. There are those individual cyber actors who are opportunistic and taking advantage of individuals. And then there are organised state forces, and Russia and China have been named as such, who are looking at sectors of the Australian economy, as well as internationally at other economic actors. And that is more around IP than it is about personal data, for other reasons.

Kylie Davis:

And so, are we at a bigger risk of scammers trying to steal our data in real estate? Or are we at a bigger risk of an employee trying to download a whole pile of records and walk out the door and set up across the road? Are the risks there, too?

Jed Horner:

Do we want to throw that to the rest of the panel? I’m just mindful they will have an answer to that bang on with this topic. I do think insider risks, just to briefly respond, are huge. I think they’ve been historically under-appreciated. So, that is the disgruntled employee, the person who is opportunistic, and the person who, as we discussed, might be leaving on a Monday and working exceptionally hard on a Friday, at a time and in a way you’ve never seen them work before, which poses risks. And of course, where the value of the data is increased. So, depending on the size of your company, and who you’re dealing with, the risk increases exponentially, too.

Jed Horner:

I think we do talk about external actors. You just spoke about countries that are trying to do things to Australian companies. Absolutely. I think the other thing we need to be mindful of is opportunistic people who will do it for money, or for other purposes, too. And so, I’m sure the other panellists will have crisper insights. But that’s been something we’ve actually neglected across all industries, I would argue, and now industry is taking it seriously, because we’ve seen what damage one person can do.

Kylie Davis:

What sort of data do real estate agents have that is sexy, or of interest, to scammers from overseas?

Jed Horner:

Again, I’m going to throw this open to the panel because they would know in quite nauseating detail about that, but I think personally identifiable information is one. So, if you think about why people steal personal data, it’s not just for the sake of having it. Data is a tower on its own. But it also is ammunition for phishing attacks and things you would do later on. So, it is useful for social engineering. And that’s a new term people on the call may or may not know about, but that’s knowing that if I’m going to call Sashini or Owen or Shane or others on the call, I would know more about them as a malicious actor than I would when I started without that information at my fingertips. I think that’s one motivator.

Jed Horner:

If you think about real estate agents, let’s be real. Some of the vetting real estate agents do, which is fantastic, is actually more thorough than a lot of employers will do. Controversial comment, I know, but you will know the data you wade through. And so, I think that’s interesting because if you think about my comment before about a vector, if you were attacking someone or an entity, you would go for the person who held the most amount of information, and look at what happened to the United States with the Office of Personnel Management. This was a hack of a few years ago, a huge data breach. What those state actors did was actually go for a big database that held records on all US government employees rather than go for each government agency, which would have involved so much more effort. So, think about it through that lens. As a real estate agent, as frankly anyone working in the property value chain, you deal in different types of data. And depending on the types of data you deal in, it’s absolutely more appealing to a cyber criminal for a whole range of reasons.

Kylie Davis:

So, I guess, as a real estate agent, Mr. and Mrs. Jones are in the process of selling their house, and you know how much that property has now sold for and what the transfers are going to be and all that sort of stuff. So, if anyone can get into the middle of that chain, and then pretend to be someone from your office to change bank details, or divert funds, or even scam Mr. or Mrs. Jones into spending money on stuff that is never going to deliver a product, that can be part of the risk as well.

Jed Horner:

Absolutely. And I think to make it more blunt, and to get people to understand that risk, as you say, of Mr. and Mrs. Jones, or Mr. and Mr. Jones, who knows, who are applying for a rental property or any other transaction in the space. Yes, you would know their income details. You would ask for verification of that. You might have flags there around someone who’s receiving a social welfare payment to care for a sick or vulnerable relative. So, you actually have, as an actor, a full profile of someone’s financial vulnerabilities and their situation in life, which not just for cyber actors, but for intelligence agencies and everything else, is actually the holy grail. It would take you so much effort to find that information out through other channels. If you do it in one fell swoop, you can obtain that. So they’re sitting on, as you say, Kylie, very valuable information. But I have to say also, I know real estate agents and everyone take this incredibly seriously. So, we know the risks. But the risks are the same whether you’re in real estate or indeed you work for government; those risks are constant, actually, they just differ depending on the context.

Kylie Davis:

Yeah. And so, we saw recently, didn’t we, Jed, that the property valuation space had a big data breach. Tell us a little bit about that, and what the outcome of that was.

Jed Horner:

There’ve been a few of those incidents globally. So, I don’t want to pick out anyone and have them feel that they’ve been singled out. But people are aware in the Australian context of the issue that happened with LandMark White a number of years ago now, where there was an inside actor, and there were allegations that a breach took place. I know that went through the judicial system, so I’m not going to comment on that. But the effect that had was to encourage people working in the valuation space, particularly those working in a space adjacent to banks, and we all know where the regulation is tighter, the risk is higher, and the liability as well.

Jed Horner:

I’m sure Sashini can shed some light on this as well. But what happened with that, and it’s actually a really positive story for Australia, is it prompted behaviour change from people working in the valuation chain. So banks and others who are carrying the can in terms of liability in that space as well started to talk about security standards, cybersecurity standards, information security standards to be more specific, like ISO, and to mandate that through the supply chain, and then we saw an uplift there.

Jed Horner:

So, we saw a shift from, no, I’m putting my hand up to say I’m doing the right thing, I am taking measures to protect information, here’s what I’m doing 1, 2, 3, to now I have a management system, I’ve got someone accountable in my business. It drove a behaviour change. But as you say, it took an event to prompt that, and to be frank, and to be fair to the property industry, that’s the same across the economy. We see those focusing events driving us as humans to change the way we act. So, when we see a risk materialise, become real, become messy, we tend to act, but to give the property industry credit, people rallied around and people took actual practical measures. I think in a way we probably haven’t seen across other industries, but I’m sure other panellists, again, will have a view on that, being deeply embedded in it.

Kylie Davis:

What’s government got planned on how this stuff needs to be addressed?

Jed Horner:

A whole range of things is the short answer. Some on the call, like me, might think it’s a good thing, and it’s an interesting thing at the same time, if I can use that word. Government’s got a cascading series of measures proposed. The first is amendments to the Critical Infrastructure Act. Now, that might sound completely strange to a lot of people on this call, critical infrastructure. That’s the whole point. They actually are proposing to extend the definition of what is critical infrastructure. So, not just water and power as the rest of us would understand it. But they’re talking about areas like data processing.

Jed Horner:

Big questions there. What does that mean? Because isn’t every platform business a data processor? And indeed other sectors, too, so like healthcare and the like. So, that’s a legislative measure. That will have implications for every sector of the economy that’s impacted because there’ll be new requirements, and that bill is just before a parliamentary committee now making its way through.

Jed Horner:

On the voluntary front, the Department of Home Affairs and the Minister, Karen Andrews, have released a discussion paper. It closed last Friday, on measures to improve our cyber posture, for lack of a better word. So, these are things like cyber standards. They’re measures like health checks for small businesses. Very simple online checks as a baseline. They’re all measures the government’s proposing, to be frank with you. And we’ve launched a submission on this, which people might be able to follow. It’ll go online in the next two days from AustCyber, but we are raising some questions as to how these things intersect. Because the other thing we’re equally focused on is, yes, it’s great to raise cyber posture, and we need to do that. We need to give businesses the tools and resources and the frameworks, but there are really a lot of frameworks and standards out there that exist. Companies are actually pretty proactive, or at least some of them are. And so, the other flip side to that is just making sure we balance all of these threats, and all of these risks, and all the vulnerabilities that are entangled in them, as well as the cost of doing business. Because we’ve got to do that balancing act. We can build Fort Knox, or we have to trade globally, people want to expand into markets. So, we need to be careful to balance those.

Kylie Davis:

Awesome. So, what I’m hearing from you is that the data that we’ve got access to as agents is more valuable than we probably realised. That it is under constant attack and that people are trying to get at it. But there’s also a very clear risk closer to home that we need to watch for. And, in fact, we can’t ignore it because there’s increasing legislation coming down the pipe that we’re going to be obligated to follow as business owners to make sure that we’re compliant.

Jed Horner:

Completely. And Kylie, just to underscore this to everyone on the call. I know businesses are different sizes. And I’m sure others on the call will have views on this. But the thing to watch is their commercial contracts, too. So, where you’re working in a value chain, don’t think of these things as the government in Canberra doing things that will impact a big player or a particular actor in a space. Think of it proactively: when that happens, what will this mean for my business? If I’m a proptech business working in this space, if I’m in the property value chain, what will I have to do differently, potentially, in relation to things like security controls and the risk management that I undertake, to do business differently? And I think that’s the point I want to underscore: it’s always better to get out ahead and upfront than, as most people know, to have the cost of business imposed on you or to be playing catch up, which, as a former small business director, I know is not ideal.

Kylie Davis:

Cool. Owen Moony from Box+Dice, I want to bring you in here. Let’s just dive into some of the technicalities, and some of those definitions that we were talking to Jed about. What are some of the definitions that we see? What is phishing? Why is that a thing?

Owen Moony:

Phishing is where you’re trying to trick somebody into doing something that they didn’t mean to do. Phishing is where somebody is trying to trick you into doing something that you don’t want to do, like going to a login page and entering your details where the login page is not the login page that you expected it to be. Spoofing is another sort of attack from email, where email is very old technology. It’s 50 years old; it didn’t have security baked into it when they originally built it. We have tried to fix it with DMARC and [inaudible 00:18:14] recently, but it’s still a pretty insecure means of communication, especially for identifying who is actually sending you the email and making sure it is them. And that’s where spoofing comes in. Somebody can pretend. It’s very easy for somebody to send you an email from me, with my email address, and it looks like it comes from me. You can’t tell. It’s really hard to distinguish, so that’s spoofing and phishing.

Kylie Davis:

And so, what are the behaviours that agents are engaging in, and property managers, the whole industry? What are we doing that’s putting us at risk?

Owen Moony:

We can fix passwords and make them stronger in our systems.

Kylie Davis:

We all know password 1234 is not a valid password.

Owen Moony:

That’s right. But email is actually the biggest risk these days. There are a lot of phishing attacks happening at the moment. The numbers that are taking place are really increasing. And so, yeah, you really just need to be careful when you get an email, because it’s very easy. It’s really easy to be tricked by a phishing or spoofing email and click on a link you shouldn’t click on.

Kylie Davis:

So, what should we be doing instead? If email is so dangerous, how should we be handling it instead?

Owen Moony:

Well, you just need to be very careful of emails that you think are suspicious, and don’t click on links or open attachments in them, and maybe even call the sender and verify that they sent the email if you suspect that this doesn’t seem like them. There are spelling mistakes here, it just looks wrong, the grammar is wrong, something’s not [crosstalk 00:19:39]-

Kylie Davis:

Don’t call the phone number in the email. Go back to your database and look them up separately.

Owen Moony:

So that’s one thing to do. The other thing to do is set up multi-factor authentication on your applications, so that if anyone in your organisation does get tricked, it makes it a lot harder for the intruder to gain access to your systems.

Kylie Davis:

Right. Now, I am going to stand up and confess: whenever I get a notification that says I need to set up multi-factor identification, a little part of me dies inside, and I think, do I really have to? That’s going to be so hard. Is it really that hard? Why is it more secure?

Owen Moony:

It’s more secure because you enter your username and password, which don’t change that often. But then multi-factor authentication will present you with a third step: username, password, and then a code. And that code is changing regularly. It can come to you via text or SMS, or an authenticator app. And if they can truly get your username, password, and that code, by the time they try and use it, that code has changed, because it changes every minute, so it’s no good to them. So, it really helps security, but it is a hassle. Get used to it. Now, I have multi-factor authentication on for pretty much every application. Especially when writing code it’s very important, because one of the vectors for intruders is getting access to developers’ machines and then injecting source code that goes into the application that gets distributed. And then they’ve got a backdoor into an application. So, it’s very important for developers to use multi-factor authentication, and I’m quite used to it.

Owen Moony:

What can help is single sign-on. So, what you can do is, your organisation can select single sign-on, which means that your users will log in once with username, password, and multi-factor authentication, and then they’ve got access to their email, their CRM, their chat, whatever they need to do. So, they’re not presented with a username, password, and multi-factor authentication five times in a day, which they get upset and annoyed with. So, you can mitigate that a little bit by making it easy with SSO.

Kylie Davis:

What I’m hearing from you is that suck it up princess, and once you’ve done it a few more times you’ll get used to it, right?

Owen Moony:

Pretty much. You get used to it.

Kylie Davis:

Okay, okay. Now, we talked before about this risk closer to home of people… And when we announced that we were doing this webinar, I had a handful of agents come to me and say, “Look, you can never stop this stuff because there are some terrible people out there who pretend that they love you and want to come and work for you. And then they just get into your business, download your data, and walk out the door and set up across the road.” So, what options are there to try and prevent that or be alerted?

Owen Moony:

That’s really hard. That’s a tricky one. Systems like Box+Dice have access control over who can export data, because we’ve had this problem before. And we can set limits on how much you can download, or not download at all. But a dedicated user can just screenshot, screen scrape, copy and paste the screen, and go through all the pages. And so, it’s really hard to prevent somebody. The other thing you can do, and Box+Dice does this as well, is set up auto alerts. So, if somebody does start exporting, you can get an SMS or an email saying, “Hey, this user has started to export a lot of records.” And if you know that they’re on their last day of employment with you, yeah, you can walk over to them, not during COVID, but you can shut them out of the system and stop them exporting the data.

Kylie Davis:

Cool. So, what I’m hearing from you, Owen, is that we need to have good hygiene, or good practices and processes, in our business, which is: log in once at the beginning of the day with really strong two-factor authentication, have single sign-on so that people aren’t being disrupted all day being asked to re-sign onto stuff, and have good processes in your business as a principal to limit the amount of data people have without stopping them doing their job on a day-to-day basis. But get alerts if things are going a bit awry inside your system.

Owen Moony:

Yeah, that’s a really good summary.

Kylie Davis:

Cool. Okay. Shane, I want to move over to you now because Inspect Real Estate recently uncovered a bit of a major phishing event that was going on inside real estate. Can you tell us a bit more about that and what was involved and what was lost?

Shane Goodwin:

That’s correct. Thank you so much for having me, by the way, it’s a pleasure to be here. So, basically, we helped uncover it. We didn’t uncover it ourselves. We came across a lot of reports of people being contacted by a gentleman calling himself Dr. Cola. It was a nice, easy email. They spoke beautiful English. It was a very difficult one to tell that it wasn’t legitimate. Basically, they had broken into an account somewhere and had scraped data somewhere. We’re not 100% sure where, but what they were doing is they were looking for the inquiries. So, the major portals, REA, Domain, people sending their inquiries and submitting their personal details.

Shane Goodwin:

So, it goes on that they collect that data and, as soon as they know that someone is after something, especially in the real estate industry at the moment where the rental market is under pressure and it’s hard to find a house, these people are seeing a landlord contact them and say, “Hey, don’t worry about the rest of this. I can get you in and let’s get you set up.” So, this Dr. Cola, which was more than likely a team of people operating, was able to convince them to sign up for a lease, offering them amazing deals and all that good stuff that you’re looking for when you’re looking for a property, and then taking their money and doing a runner.

Kylie Davis:

So Dr. Cola was pretending to be the landlord, going direct to someone who had inquired about a property?

Shane Goodwin:

Yes, yes.

Kylie Davis:

Oh, okay.

Shane Goodwin:

I start talking about this and start to get lost in it, there’s so much information. Yes. So, pretending to be the landlord and literally signing them up to a fake lease. They were so technical, they even had a fake booking.com site at the time that made it look just like you were logging into booking.com, which, when you’re sitting here in the comfort of your couch and you’re listening to a security presentation, you sit back and you say, “Why would I sign for a lease on booking.com?” But unfortunately, some people do fall for that. And a lot of money does walk out the door. So, it was a big deal. There were a lot of people getting hurt there.

Kylie Davis:

So, how much activity are you seeing inside platforms like Inspect Real Estate? Do you guys have a… Are you able to see things like these happening or when people are under threat?

Shane Goodwin:

Actually, we can see it. It’s hard to pull through logs every single day. I don’t think anybody could actually afford to have a team of people running through logs like that just looking for break-ins. There are systems out there that can help protect your system. But those are usually very expensive and very large. What we do is we have a very good reporting mechanism that we instil into our distributors and into our clients, where we have a central point where, if they see something that they notice is a little bit funny, they send it in to us, and a couple of us can review it here at a central point, and reach out, and act accordingly. We see a lot. In fact, in the last two weeks we’ve been dealing with a second phishing attempt that’s been occurring. That’s been a direct attack. We have been having to work on that rather closely. It’s been quiet this week, but we’re starting to get to the point where we see it almost monthly. It is really quite [crosstalk 00:26:39]-

Kylie Davis:

I mean, because these are teams of people who are literally turning up to work, and their job is scamming people out of money. They’re clocking on.

Shane Goodwin:

Yeah, 100%.

Kylie Davis:

This is their job.

Shane Goodwin:

It’s actually very confrontational dealing with these scammers. I don’t know if anyone has ever spoken to a scammer. I know I have, and there are teams of them. They’ve got call centres. They’ve got everything. And at the moment, they’re very well-funded. So, what people don’t realise is, if they do fall for a scam, that money goes straight into funding their organisation, and they’re able to hire developers, and they’re able to hire call centre people, and rent infrastructure, things like that. Especially now with the cloud systems that are available, you can rent a server in any country for under $5. And it’s so easy to launch an attack from there. It’s out of control.

Kylie Davis:

So, what’s the single biggest mistake that you see agents and property managers doing that make them vulnerable?

Shane Goodwin:

Sure. So, we don’t try to place blame on anybody. That’s not what we’re here to do. We’re trying to educate people. But basically, what we see is they don’t read the email.

Kylie Davis:

Because you’re busy, and you just quickly scan it, and you think, “Oh, yeah, just get that out the way,” which is dangerous in this.

Shane Goodwin:

It is, it’s very dangerous. People tend to treat it like it’s a second thing. That they’re doing their main job, which is in the rental market it’s renting properties, making sure the inspections are done. And then they send an email and they think about that as something second to do. It’s in the background. And when you do get your emails, I’ll just deal with this, yes or no, that’s the biggest mistake we see. Mostly these attacks that we’re seeing nowadays, computer systems are getting very good at being 100% secure. There’s always a vulnerability here or there, but we still see the problem.

Shane Goodwin:

So, what these attackers are doing is that they’re doing spear attacks on people themselves, so that they’re actually… They’re social engineering the other people and fooling them into doing it. And the way they do that is they just catch you off guard. It’s just when you sat down for five minutes to take a break, and you’re about to read your emails. That’s where they try to get you.

Kylie Davis:

Yeah, yeah. And so, how do we protect against that, just be constantly alert it sounds?

Shane Goodwin:

There’s a bunch of things you can do as an organisation or even a small agency. Let’s say there’s any three of you operating in an agency. Number one is awareness all the way. Talk about it, communicate it, have a central point that you can bring all the information into. And then at the same time, keep a good list of all of your clients. That’s the very best thing you can do. And I know that sounds like it wouldn’t help you in any way. But the second something goes wrong, you can quickly email them and let them know. These attacks would be totally useless if everybody knew what was going on. So, if you find it, you can get the report, you quickly let them know. Everybody knows what they’re doing in their team. And obviously you do it as quickly as possible. That’s probably the best thing you can do. Obviously, you-

Kylie Davis:

So, what you’re saying is you share the information that someone’s trying to phish and this is what they’re doing or how they’re trying to do it. Because it’s a little bit shameful, isn’t it, that if you get attacked or if you get sucked into it, that I don’t want anyone to know or you see it and you do pick it up and you think, “Ha, you didn’t get me,” and you just delete it or get rid of it. But actually, we need to build a database of all of these scams that are out there, so other people don’t get caught by them.

Shane Goodwin:

That’s right. Yes, yeah, communication is key. The other thing to know is where to report these things, and that people are developing a database, and the government’s working very hard against that. And it’s fantastic to see. I’ve spoken to ASD several times when these things are raised or the cyber.gov.au. And they’ve pulled the AFP into it, it’s been a fantastic response. The other one is scamwatch.com.au. That’s another great one to be reporting stuff into. And to also monitor these websites, report back, they tell you information, you can sign up for their emails and receive lots of information that is all very good. You’ve just got to take the time to do it. Unfortunately, there’s no point in ignoring it until it hits you. I can assure you, I’ve worked for companies, including IRE that have been hit many times, and you don’t understand the severity of anything until you get hit. It’s indescribable.

Kylie Davis:

It feels like a lot of work having to report or to read up. But what I found really helpful when I’ve seen an email that I’ve thought that’s just is it off? I don’t know. I’m not quite sure about this. If you just Google it, just type in there is there a Telstra scam going around at the moment? And you’ll suddenly get an answer. Google knows everything. It can be enormously helpful, and then report that email on to whoever to scam, your job, or your bank, or whatever.

Shane Goodwin:

100%. The other one to do is most companies will have a central point. For us it’s security@inspectrealestate. Some people will have abuse, things like that. Report it to them as well. If you’re not sure about an email, talk to the person and make sure that the address is correct and everything, but talk to your team and ask, “Did you send this email?” There’s no harm in it. It’s a good practice.

Kylie Davis:

Fantastic. Thank you. Sashini, you’ve got an awful lot of experience in the digital economy. Legally, what are the obligations of agents and principals to protect their data?

Sashini Walpola:

Thanks Kylie, and thanks for having me here today. I’m sorry, probably left the most boring person to last. So, I guess in terms of protecting data, from a privacy law perspective there aren’t any real mandated security obligations or standards that you have to comply with. But if you are an organisation that is regulated under the Privacy Act, there are some of the broad obligations that you need to adhere to.

Sashini Walpola:

I guess one of them is for those who know about the Privacy Act, there are these privacy principles, and one of them is that you need to take reasonable steps to protect personal information from misuse, interference, and loss, and unauthorised access, modification, and disclosure. Now, you’re probably wondering, what does reasonable steps mean? Fair question, there’s no real definite answer to that. It really depends on the circumstances, including the nature of your organisation, so the size, the complexity of your operations, the amount, and the sensitivity of the personal information that your organisation does hold, and the practical implications of implementing those security measures.

Sashini Walpola:

So, I guess, from a practical perspective, in terms of reasonable steps, it’s really good to implement strategies around training and processes. And as the other members of the panel have spoken about today, having really clear and for that IT security and access restriction. So, for example, can you restrict people accessing personal information only if they need to access it to do their job? Maybe in terms of IT security, can you possibly prevent people in your organisation from sending certain types of personal information via email in an unsecured format? So, I guess those are some of the practical things that you could do. So, that’s one of the key broad obligations on organisations.

Kylie Davis:

So, recently, in the news, I saw a piece where basically somebody bought an apartment, they had to send the deposit, email got caught. And basically, they sent the deposit a couple 100 grand to the wrong person. Is a real estate agent asking a client to put their deposit into trust account number, blah, blah, blah, over the email. Is that okay? And obviously, it’s quite easily redirected. What should you be doing instead? Where are you legally with that, and what should you be doing instead?

Sashini Walpola:

Yeah, so I guess it’s really ensuring that you’re sending that information to the right person, perhaps even implementing controls that for instance, if you’re sending an email out, but it doesn’t auto fill the sender. Making sure that, yeah, if you can possibly send it in an encrypted file, or a file that requires a password in order to open the document. Those are some of the more practical things that you could do at an email level to prevent further misuse or disclosure.

Kylie Davis:

And so, if you were being a bit lazy and you did flick it out over just a general email and then something does go wrong with it. Are you in the firing line for being responsible for that money going missing?

Sashini Walpola:

I guess it would depend on… Yeah, that’s a very complex question. Yeah, I think you probably have to analyse whether you as an organisation did implement appropriate controls and training for your staff to prevent that issue from [crosstalk 00:35:24]-

Kylie Davis:

It sounds to me like you would be pretty vulnerable, you wouldn’t have a very strong leg to stand on knowing that that wasn’t a great way to do it, and you persisted in that behaviour, that would be risky. What are the penalties if you breach people’s privacy? Can you give us some examples?

Sashini Walpola:

Yeah, I guess there’s a couple of things to be aware of when you’re handling personal information. So, apart from those broad obligations that I just mentioned, there’s also a scheme under the Privacy Act called the Mandatory Data Breach Notification Scheme. So, if you are subject to the Privacy Act, there’s a whole range of notification obligations that you must comply with in terms of notifying not only the Privacy Commissioner, but also people who are affected by the breach. So, if you don’t comply with… If you repeatedly don’t comply with your legal obligations then organisations can actually face quite hefty penalties under the Privacy Act up to $2.1 million. And not to be the bearer of bad news, but the penalty regime under the Privacy Act is actually increasing the government.

Sashini Walpola:

The government has announced that there is an increase to fines, which can be quite significant up to I think it’s the greater of up to $10 million, and over 10% of your annual turnover. So, there’s quite significant fines that are in the works. There’s also the government is proposing… So, this is all part of there’s a reform of the Privacy Act that’s on the line here. Another power that’s being talked about is the implementation of an infringement notice power. So, if you’re just doing, if there are one off breaches, you could be pinged with an infringement notice of up to $63,000.

Kylie Davis:

Wow.

Sashini Walpola:

Yeah, so there’s quite a broad array of penalties that are possible. I think it’s also just important to note that under the privacy legislation, not only can the Privacy Commissioner come after you with these fines and infringement notices, but individuals can actually make a complaint to the Privacy Commissioner. And that then triggers a whole raft of investigation and obligations on the commissioner. And at the end of those processes, what can happen is the commissioner can then direct you to, for example, pay compensation to the individuals that were affected by the breach. Yeah, it can come at you from all angles, not only from the commissioner, but there’s also rights for individuals to make complaints. As part of the privacy reforms that I just mentioned, there’s also a proposal for there should be a direct right of action, which means that individuals can bring actions against your organisation directly without having to go through the Privacy Commissioner and seek compensation for basically you not complying with your obligations under the Privacy Act. They’re called interferences with privacy under the legislation. So, yeah, you can get pinged from both sides.

Kylie Davis:

It can be a real shit show, I imagine, that you’re in the middle of. So, what I’m hearing from you Sashini is that we can’t ignore this stuff because there’s about three different ways that legally redress can come at you if you haven’t been following good practice. I can imagine that if you had to go out to your entire client database and say, “We’re sorry we had a data breach. All that information that you shared with us around the ownership of your most valuable asset has gone out into the cyber world.” That’s not going to be great for your brand, or your positioning, either as an agent. That is going to be slightly terrifying.

Sashini Walpola:

Yeah, so there’s obviously reputational impacts can also be significant from that. Just one thing to note, Kylie. If there is a breach under the privacy legislation, there are ways that you can… There are different options of how you can notify people and different subsets of people that you are required to notify. I’m just conscious of time. But I’m happy to talk about those different groups if people want to hear about them. But yeah, just to let you all know that if you do have a data breach, there are options as to who you should be notifying in the event of a data breach.

Kylie Davis:

How do you set yourself up? You have to have written standards and policies in place to manage this?

Sashini Walpola:

Yeah, there’s a couple of things, and I think it’s echoed by what Jed, and Owen, and Shane have all said today. I think it’s really important to have a data breach response plan, which essentially has clear obligations for in your organisation of and clear reporting lines should a data breach arise. And what’s really important to note is one of the obligations under the mandatory data breach scheme is that you need to, if someone in your organisation has a reasonable suspicion, so that’s not even that they’ve determined that there’s a data breach, there’s just a reasonable suspicion that there is this data breach that has occurred.

Sashini Walpola:

You are required by law to conduct an assessment and complete that assessment within a 30 day period to determine whether there has been a data breach. You can say that trigger, it’s a hair trigger there in the sense that when someone in your organisation has this reasonable suspicion. So, it’s important to have clear processes in your organisation that if someone… It doesn’t have to be the principal or the CEO, it’s if anyone in your organisation does have that suspicion that they have… That they know who they should be notifying to kick things into motion in order to kick off the assessment process.

Sashini Walpola:

I guess some other things to be aware of is it’s all well and good to have really good IT controls and good internal documents and processes. But I think it’s important to also train your people and train the people in the organisation so that they know what those controls are and what they need to do if there is a breach, because obviously, people are the ones that operationalise all these amazing policies and procedure documents that you have. Yep, those are, I guess, some of the key things that people should be aware of.

Sashini Walpola:

And just one more thing is if you are having any contracts with third party service providers, so for example, if you have a third party provider that hosts your information in the cloud, for example, you want to make sure that you have appropriate contractual arrangements with those third party providers to not only allocate risk should something happen with their system that impacts your organisation as well. But also make sure that you’ve got a clear trigger point for them to notify you if something has happened on their system that may affect your organisation as well. And that’s really the reason why I’m saying that is because of that mandatory data breach scheme that I mentioned previously, there’s a whole raft of obligations that’s triggered. Yeah, so you really need to make sure that you’re keeping on top of any potential data breach.

Kylie Davis:

So, Shane, I noticed that you were nodding your head there to a couple of that. And one of the questions that I wanted to throw open to the panel was, why is this our problem in real estate? Isn’t it up to the CRMs? Aren’t you guys because you’re part of the cloud, aren’t you responsible for looking for the security of our data? Going back to what Sashini was saying, what kind of two way obligations are there?

Shane Goodwin:

That’s a trick question. Kylie, that’s a trick question. The official response for every IT manager or security expert out there is security is everybody’s responsibility. So, unfortunately, that’s a tough pill to swallow. If you’re not taking it seriously, then we can secure our systems all day, every day until people couldn’t log in. The problem is the attackers will still work out a way to get to people, unfortunately.

Kylie Davis:

What are the obligations… I’m going to throw this open. But what are the obligations of proptechs in this space? There are some proptechs out there now that are doing their end of the settlement or inviting you into the room, the negotiation happens there, the data happens there, that’s all locked down and secure. So, we’re not using email anymore. But as part of the whole proptech ecosystem, what should be happening to make that secure? Around, I guess, we’re talking about APIs and handing info off backwards and forwards.

Jed Horner:

So, I want to hand over to Shane. Sorry to dive in, Shane, because you’ll have better, more polished answers than I would. But actually, I want people to zoom back out a bit. And actually reflecting on what Sashini was saying, half of this actually boils down to proper risk management that is documented, and appointing people who are accountable in your organisation. I’m not saying that as some sort of sub person on the sidelines. As a director, I do this. So, our IT security is a subset of broader risk management, the reputational stuff that we spoke about.

Jed Horner:

So, the simple things you can do, actually, and you can do this as a small business, but nominate someone who is your lead in this area, who might be technologically literate, technically literate in the cyberspace or not, but is at least willing to coordinate and learn, and to build in all those things that Sashini and I think Shane was talking to as well, and Owen touched on around redundancy. How are you keeping a ledger of your clients at the moment or a contracts register? All that critical information that if things did go down, you wouldn’t lose everything, and you can actually bounce back. It’s not a zero base like some companies have experienced.

Jed Horner:

So, I’d just say at a high level, do some risk management. There’s good standards out there that come from Australia and ANZ like ISO 31000. There’s documents now that walk you through how to do that. And then there’s artefacts to Sashini’s point where you can actually prove that you’ve done that in-house, and you’re revising it constantly, and appoint someone to lead on it. And then we can talk about all the technical controls because I do sometimes find that people don’t necessarily understand the data they’re dealing with. And then we go down the technical path. And I think it’s a mistake, because we start talking about all sorts of fixes that aren’t fit for purpose.

Kylie Davis:

Yeah, got it. Okay, that’s great advice. And what we might do when we send out to everyone who’s registered on the call a link to the video, we’ll also send out a link to that, what was that, I 300? What was the standard there, Jed?

Jed Horner:

ISO 31000. Look and Shane and Owen will have views on this, too. So, what we might do is we’ll give you some resources offline between us that point to all of those things.

Kylie Davis:

Okay. That’s awesome. Look, I’m very conscious of the time although we did start a little bit late. Are the other things that the big techs are doing that are helping lock this down further or make it more secure, Google, Microsoft?

Shane Goodwin:

Yeah, look, I’ll chime in.

Kylie Davis:

You dive in, Shane.

Shane Goodwin:

There’s definitely a lot that they’re doing. They’re constantly updating all their software, things like that. But a single sign on we’re seeing, they’re migrating, we see them migrating from things like text messages for the two factor authentication across to applications, things like that. But there’s also a lot of other stuff that’s going on, IP address checking, magic links, all that sort of stuff that everyone talks about, but no one really understands. But there is a lot going on, putting in a lot of controls, basically.

Kylie Davis:

Look, ladies and gentlemen, I think we could probably talk about this all day, but we are probably going to have to wrap it up there. I wanted to say thank you to our panellists, Sashini Walpola, Owen Moony, Shane Goodwin, and Dr. Jed Horner for your time and insights today. It’s been a fascinating discussion. What I’ve taken out of it is that if you see an email from the Commonwealth Bank that actually comes from sexylegs@hotmail.com, you do immediately have an obligation to let everyone in your team know that you’re under attack, and also report that through, and to have great structure. Nominate someone inside your business to own this stuff, and have it written down, and then also know what everybody’s duties and obligations are when you’re coming under attack.

Kylie Davis:

I guess, too, you also need to be pulling it into your employee contract so that if you do have people who are trying to steal stuff off you then it’s very clear as to how you handle it when you get a whiff of that kind of behaviour. I’d really like to thank the Proptech Association committee. If attending today has made you curious about the Proptech Association, please go to proptechassociation.com.au. If you’re a proptech, you’re very welcome to join. Or if you’re just curious about proptech and developments in the proptech space, sign up to our newsletter that’s completely free. I wanted to thank everyone so much, and all our panellists, for your time and thank you again. I’m off to change all of my passwords. In the meantime, keep on propteching. This is Kylie Davis, signing off.