By: Matt Kozloski on February 14th, 2018

Real Estate Cybersecurity: An In-Depth Conversation

As business operations are increasingly conducted online, businesses in all industries are becoming more susceptible to cybersecurity breaches. I was recently invited to discuss cybersecurity concerns and best practices for real estate agents on Real Estate Radio, a show broadcast on CBS Radio 94.9FM here in Connecticut and hosted by One and Company Real Estate’s Byron Lazine and financial planner Pat Kenny. Our discussion wound up being quite universal and applicable to almost any industry.

Here are some of the highlights of my interview with Byron and Pat. Below, you’ll find the full transcript and audio of the conversation.

Cyber concerns specific to real estate

Due to the out-of-the-office nature of the real estate industry, real estate agents have a variety of entry points hackers can exploit. With different client devices, mobile devices and offices with multiple locations, how are agents connecting them? How are they keeping them secure?

Most realtors are roaming a wide area with a laptop that contains photos of homes, alarm codes, financial information, and other data hackers would love to get a hold of. In addition, when it comes to someone placing an offer on a house and there are competitive bids, having access to the other party’s data would be a huge advantage.

Real estate agents depend on their reputation

Real estate and all service businesses are reliant on their reputation because in the end that’s what they’re selling. Can you imagine how damaging it would be to a real estate agent’s career if word got out that hackers obtained client data from them?

On the radio show, Pat—who works in the similarly reputation-dependent financial planning field—offered the example of a former co-worker who left her laptop on top of a vending machine for a brief moment, only to find it gone. She never lived it down. This example also illustrates how most hacks aren’t “brute force” attacks in which hackers remotely take over systems. Hackers will utilize every tactic they can—which can involve in-person theft and deception!

Cyber liability insurance is not enough

Cyber liability insurance is something I would recommend for every business. Sometimes, folks believe it’s cheaper and easier to buy cyber liability insurance than to fix the problem by investing in security measures, but that’s not a shrewd approach. For one thing, cyber liability premiums are more affordable if you have strong defenses. More importantly, prevention is key. You’ll be very glad you have a cyber liability policy if you need it, but it’s much better never to need it in the first place. For instance, many real estate agents use consumer-grade Windows computers, and there's a good chance those hard drives are not encrypted, so if that machine is stolen, your information is totally compromised. Why have a cyber liability policy and a computer that’s a sitting duck? Furthermore, cyber liability policies are complicated and often don’t cover a wide variety of situations…including inadequate or misrepresented cyber defenses.

Want one simple takeaway? Use a password manager

Byron, Pat and I dived deep into the world of password managers. These inexpensive tools generally require little setup because they learn your passwords as you use them.

Byron: Here's an odd question. Where do you keep all your passwords?

Matt: That's a good question. I use a password manager called RoboForm. There are a whole bunch of them that are out there; another is LastPass. With a password manager, you have secure data storage that's not an Excel spreadsheet or Google Doc.

Byron: I'm using a Google Doc spreadsheet for the majority of my passwords.

Matt: Yeah, you don't want to do that. It’s just too easy to steal. RoboForm, for example, is nice because it will sync PC, iPhone, iPad, everything you know so you’ve got passwords everywhere and encrypts data behind the scenes. The big thing with the password manager is that it’s really good to get to a point where your passwords are really complicated and you don't even know what they are. I don't even know what my passwords are anymore. I really don't. I let RoboForm, for example, generate the password, store it, so then when I go to log in to a site, I pull it up in the app.

Passwords are so 2017…passphrases are the future

We’ve all been beaten into including caps, lower case, special characters, numbers, etc. when we go to set up passwords. It turns out, there’s actually a more effective way to do it. A passphrase—almost like a short sentence you’re sure to remember—is harder to break than even the most complex one-word password. Length is the single most important factor in creating a secure password.
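An added example (not from the original post or the interview) that puts numbers on the length argument above. It assumes every character or word is picked uniformly at random and that the attacker knows the scheme; the 32-word list is constructed for the demo, and the 7776-word list size is an assumption modelled on diceware-style word lists.

```python
import math
import secrets

# Printable ASCII without space: 26 lower + 26 upper + 10 digits + 32 symbols.
FULL_COMPLEXITY_ALPHABET = 94
LOWERCASE_ALPHABET = 26
# Assumed size of a diceware-style word list (five dice rolls per word).
LARGE_WORDLIST_SIZE = 7776

# Constructed 32-word demo list so the example runs offline. A real list needs
# thousands of words: 32 words give only 5 bits of entropy per word.
DEMO_WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "marble", "needle",
    "orchard", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zipper", "acorn", "bridge", "copper",
    "dolphin", "engine", "feather", "granite",
]


def random_string_bits(length, alphabet_size):
    """Entropy in bits of `length` characters drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words, wordlist_size):
    """Entropy in bits of `n_words` words drawn uniformly from the word list."""
    return n_words * math.log2(wordlist_size)


def units_to_match(target_bits, choices_per_unit):
    """Smallest number of characters (or words) whose entropy reaches target_bits."""
    # The small epsilon keeps float rounding from adding a spurious extra unit.
    return math.ceil(target_bits / math.log2(choices_per_unit) - 1e-9)


def generate_passphrase(wordlist, n_words, sep=" "):
    """Build a passphrase with the OS CSPRNG; never use random.choice for secrets."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates, entropy would be overstated")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    complex_8 = random_string_bits(8, FULL_COMPLEXITY_ALPHABET)
    print(f"8 random chars, all classes : {complex_8:5.1f} bits")
    print(f"lowercase chars to match    : "
          f"{units_to_match(complex_8, LOWERCASE_ALPHABET)}")
    print(f"words (7776 list) to match  : "
          f"{units_to_match(complex_8, LARGE_WORDLIST_SIZE)}")
    print(f"5 random words, 7776 list   : "
          f"{passphrase_bits(5, LARGE_WORDLIST_SIZE):5.1f} bits")
    print(f"demo passphrase (weak list) : {generate_passphrase(DEMO_WORDS, 6)}")
```

Twelve random lowercase letters already match eight characters drawn from every class, and five random words from a large list exceed it; a phrase picked by a person rather than by a random generator carries less entropy than these figures.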

Why is all this necessary? Hacker sophistication...

Like many people, Byron and Pat were aware that hackers are getting more sophisticated, but they were surprised to learn about the latest techniques hackers are using. Hackers have gotten incredibly good at targeted emails that appear to be from C-level executives with messages like, “Oh, I forgot this invoice. Can you send a wire transfer?” Hackers monitor calendars and email so they have a feel for the executive’s voice, writing style, and whether they are in or out of the office that day. Simply knowing this type of attack is a possibility is the first step to recognizing it when it happens.

Listen

You can listen to our full conversation on CBS Radio 94.9FM News Now or read the full transcript below.

Byron: This is the last Real Estate Radio of 2017 as we walk into 18. So pumped about 2018, Pat, it's just ridiculous.

Pat: It's going to be quite a good year.

Byron: I'm blown away by how much opportunity there is for all of us. This is Byron Lazine, One and Company at William Raveis Real Estate. Of course, you guys know Pat Kenny, local financial advisor. To wrap up the year, we’ve got a pretty impressive guest.

Matt: No pressure.

Byron: Matt, welcome to the show.

Matt: Thank you.

Byron: We've got Matt Kozloski. Matt is from the Kelser Corporation, which is a technology consulting firm based in Glastonbury. They provide IT and services like cybersecurity, some really high-level stuff, but Matt is going to break it down in its simplest form so dummies like me and Pat can understand it. Chris is no dummy so he'll be able to understand, even if Matt gets a little technical. Matt, how are you doing, my friend?

Matt: I'm great. Thank you.

Byron: Thanks for joining us today. Tell us a little bit about what you guys got cooking as we head into 2018. Give us the broad scope of what you do, who you guys are all about, and then I'm going to ask you some questions about as we head into the new year should be paying attention to.

Matt: Sure, so Kelser really is in business to help different companies consume technology in a way that is meaningful to their organization. There's a lot of tech out there, a lot of cool things, but if it doesn't help an organization and really help people make money at the end of the day… that's what we're all about, just helping people use technology to help their businesses and organizations grow.

Byron: And breaking down—OK, you don't need everything, there's a lot of stuff that you can download, right?

Matt: Yeah, I mean especially in this space, different client devices, different mobile devices…that’s just the physical aspect of it, but then all the way through services like cybersecurity, if you have an office with multiple locations, how are you connecting them? How are you keeping them secure? How are you keeping people available at all times?

Byron: I’m a believer that cybersecurity…I feel like if you’re equipped in that venue you’re going to have a job for the next 30 years.

Matt: Yes, that’s definitely not going away. You have a laptop, I’m assuming, like most realtors they’ve got a laptop they go around with.

Byron: Yeah.

Matt: You’ve got pictures of people’s homes on there, maybe alarm codes. So, what happens if your laptop gets stolen? What do people do?

Byron: Well, they would need – I have the MacBook, they would need my fingerprint to open the sucker up, but I’m sure they can hack into that.

Matt: Oh, you never know.

Byron: Are you Apple or no?

Matt: Both, we support both.

Byron: What do you personally use?

Matt: I like Apple devices for mobile so like iPad, iPhone. For a few reasons, I feel like they’re probably the more secure devices you can get. But in terms of user ability, I still like the PC because just in terms of the app mix I end up having to use and whatnot, it seems to work better for me.

Byron: So, do you have an iPhone then?

Matt: I do.

Byron: All right, good. You’re in the club.

Pat: He knows the handshake.

Byron: Yeah, so to your point, what would I do—I have my great friends at Sava Insurance in Waterford have given me – well, they haven’t given it to me, I paid for it – I paid for cyber...

Matt: Cyber liability?

Byron: Cyber liability.

Matt: So, that’s a really interesting area to go into. You could have a whole show on what cyber liability means and what's actually covered under a cyber liability policy because you might actually be really surprised.

Byron: That I'm not getting?

Matt: That like what you think would be covered might not be covered because not everything is considered cyber liability, like, it might just be general loss or something like that.

Byron: It makes me feel good to have it.

Matt: Yes, it does.

Byron: Makes me feel like I'm doing the right thing.

Matt: Some folks will see like it’s cheaper and easier for me to buy insurance than to fix the problem by investing in it…one of the great things about Apple devices, especially modern ones, is they encrypt almost everything by default essentially, so like your hard drive, the data on there is scrambled, so if someone stole that or stole the computer they couldn't easily just take data off of it. But a lot of laptops, especially if realtors are going out and just buying consumer-grade Windows PCs and things like that, there's a good chance those hard drives are not encrypted so if that machine is stolen…

Byron: You going to Best Buy and getting the $500 Asus, is that what it’s called?

Matt: Yeah, I mean they can be encrypted, it's not really a technical challenge, it's just like out of the box.

Pat: By default, it's just not...

Matt: Yeah, it's not turned on.

Pat: Who do you in your mind think is…so I as a realtor, I travel for work, everything lives off of a laptop. The corporate level security is pretty high in the organization of our size, but if you don't have cyber liability or have taken the steps to secure, that’s just ludicrous.

Matt: Yeah, pretty much anyone that has any kind of information about people, about properties, about things that they're carrying around with them that you wouldn’t want out. Because some of it is reputation too, especially if you have like a relatively small office like you don't want to be the person that was hacked and then knowing who's the person that was hacked…

Byron: You're getting nobody's business at that point.

Pat: Like the admin I had a year-and-a-half ago that went into the hallway, forgot something, put her laptop on top of the Coke machine and walked away and had it stolen – that's not a reputation people are really going to walk past.

Byron: So okay, so you don't want that reputation. You’re saying cybersecurity…how much does that cost though, right? If I'm a small business and I'm thinking I want to be, you know, I've got the liability covered, but it maybe does or doesn't cover everything, how much do I invest in something like that?

Matt: It really depends on the type of information that you have and what's meaningful to you because everyone has a budget. It would be ridiculous to…you know, Kelser we're not about telling people you should spend more money in cyber protection than what your business is bringing in. You wouldn't be in business anymore. It’s about what makes sense, so solid anti-virus, just at a minimum. Again, encryption, making sure your device comes with encryption to begin with, and just using it correctly so knowing what phishing attacks might look like, not responding to weird emails, things like that.

Byron: Here's an odd question. Where do you keep all your passwords?

Matt: That's a good question.

Byron: Maybe you won't even tell us, but…

Matt: No, I don't mind. I believe in password managers so there's a lot that's out there that are pretty good. So, RoboForm isn't a bad one, just one that I used over the years.

Byron: I need to write this down.

Matt: There's a couple of good things about password managers.

Byron: Let me stop you Matt. I want to go down that rabbit hole because all of mine live on a Google spreadsheet.

Matt: No, that's not a good idea.

Pat: He’s shaking his head vigorously, no.

Byron: This segment right here could be the most important segments to your technology use in 2018, because Matt's going to tell us how to protect all those passwords. And I guess this will help you remember all those passwords.

Matt: Sort of. I mean one of the ideas with a password manager is you have kind of a secure data storage, that's not an Excel spreadsheet or Google Doc.

Byron: I'm using a Google doc spreadsheet for the majority of my passwords.

Matt: Yeah, you don't want to do that.

Pat: The electronic version of a Post-it note.

Matt: It's only one step above the Post-it note.

Byron: I need to get off of my Google spreadsheet immediately. Tell me why I need to avoid the Google spreadsheet.

Matt: It’s just too easy to steal. If someone did hack your machine or hack your Google account now they have all your passwords. So, there's a couple of things going on there. First, a password manager like RoboForm or LastPass – there are a whole bunch of them that are out there.

Byron: Slow down here, LastPass? What's your favorite?

Matt: Just because I've used it for a long time, it’s RoboForm.

Byron: RoboForm.

Matt: Yeah, and that one, for example, is nice because it will sync PC, iPhone, iPad, everything you know so you’ve got passwords everywhere and encrypts data behind the scenes. The big thing with the password manager is it's really good to get to a point where your password is really complicated and you don't even know what they are. I don't even know what my passwords are anymore. I really don't. I let RoboForm, for example, generate the password, store it, so then when I go to log in to a site, I pull it up in the app.

Byron: RoboForm is creating the password for you?

Matt: Yes, exactly. So, each website for me has a really long, unique password. I don't even know what it is. I couldn't even type it.

Byron: Okay, every time I get into my G Suite, my Google mail, my password is already in there. I just open my computer and I'm in my…are you putting your password in every time or...?

Matt: Not necessarily, that behavior of it kind of remembering your identity and that you've logged in there before, that was something that you would have clicked on that says, “Hey, remember me. I trust it.”

Byron: Yeah, so I said I trust this computer and the little thing pops up on the right and it says do you want to save this password for this. I say, yes—is that bad, good?

Matt: Do you trust the device?

Byron: I trust the device.

Matt: So, at some point…

Byron: Meaning, should I trust the device?

Matt: Yeah, I mean, it's your device. At some point you can't make life so inconvenient and miserable for yourself that you're constantly typing passwords in.

Byron: Matt, your personal laptop, do you do what I just described?

Matt: Yes.

Byron: You do?

Matt: Yes, I do.

Pat: Small relief knowing that.

Byron: Makes me feel good about myself.

Pat: Yeah, I feel better now.

Matt: Because I trust the device. It's not really out of my hands. Here's the other thing that people should really consider when it comes to passwords too. If you have Apple, you probably experienced this now, the multi-factor authentication. So, with an Apple device, let's say you logged in on a brand-new iPad or iPhone or even after an upgrade sometimes, and on your other Apple device it says, “Hey, we recognize an unknown login from such and such,” gives you the city, and then you have to type in a code from the other device.

Byron: Yes.

Matt: So that's multi-factor authentication, and what that does is it adds like another layer of protection, if you will, for logging into your account. So basically, if someone got your Google password—let’s say you had multi-factor or two-factor turned on with Google—even if someone got your password, they might not be able to log in still because they wouldn't have that second factor like a device or an app with the code to then…

Byron: So, you’re going to get a text message when they try to login...

Matt: Yes, that's exactly it. Enter this code to log in an unrecognized device. There's two really good things about that. First, if you get that notification and you're not expecting it, it probably means that someone has your password because they got far enough to be prompted for that. And then the second thing obviously is without that second factor, without that text message or Google Authenticator or whatever system you're using for it, they couldn't get in. So, for folks that are using Gmail, you can turn on two-factor. Apple accounts have it. I'm pretty sure it's on by default now with them.

Byron: So, you use RoboForm to store your passwords?

Matt: Yes, I do.

Byron: How do you get into the RoboForm, you have to remember that one password?

Matt: There is one password you have to remember, kind of a master password, and that master password with RoboForm and most of the other ones, is used to encrypt all of your data too so that, in a way, becomes a key to the key to keep everything secure. The RoboForm company, for example, can't decrypt my password.

Byron: Do you keep that in your head? Do you write it on?

Matt: That one I keep in my head. No, I don't write it down anywhere, keep that one in my head. I'll probably change it once every 4 months too and then once you change it, it will kind of re-encrypt everything.

Byron: You do not write it on a piece of paper.

Matt: No, here's the thing, passwords and kind of where they're going. So, you know, before—even still it's pretty common—we're like oh, complex passwords are good, you need a symbol, a capital, a digit, a lowercase, an uppercase, a blood sample. What they actually found though now is it's actually more effective for people to use a longer pass phrase like almost a short sentence that you would remember, and that's longer because length is key to how long it would take someone to crack your password. It's infinitely more complicated the more number of characters there are in your password. So, a shorter password, even if it has like an uppercase, a symbol, a lower case and a blood sample in some ways may not be more secure than a long one, especially if you have to write it on a Post-it note to remember it.

Pat: So, a sentence that you're easily going to remember.

Matt: That's kind of what some of the kind of modern thinking is about pass phrases more than just passwords.

Pat: So, every character just creates another correct guess that somebody has to make.

Matt: And it's like exponential if you think about how many characters there are on the keyboard, right, just one extra digit is adding a huge layer of like mathematical complexity to kind of guessing what the next…

Byron: My 2018 password is going to be I am the biggest star on ninety-four nine news now and stimulating talk exclamation, exclamation, exclamation.

Matt: With at least two capitals.

Byron: So, I'm in real estate, I'm going to change up my password, I’m going to RoboForm 100%, I'm going to do that as soon as I leave here, I think. How long is that going to take me by the way to set up?

Matt: It's a process because what's going to happen is the more you use it the more you're going to find, “oh, should this password be in there or I should change it?”

Byron: If I have more on that Google sheet can I upload a CSV file?

Matt: You know, I'm not really sure about that. What I would do was when I would add a new site to it, I would just change my password at the same time too, just kind of know you're starting fresh.

Byron: The real pain is going to be that – now everything, my phone, my MacBook, my iPad, everything is going to have to get relogged into.

Matt: Are you 100% Apple?

Byron: I am.

Matt: So, Apple also has the keychain that’s built into everything. So, keychain is a really similar thing and that syncs between all of your Apple devices too so that might be equally as beneficial as RoboForm would be.

Byron: RoboForm and Keychain, I am going to be almost impossible to break into?

Matt: Well…because there's always the phishing attack, you know, that gets people to email or something that tricks you into maybe even giving up your master password.

Byron: Giving it up, how would you get into that?

Matt: Like, imagine if you got – let's say you did sign up for RoboForm for example...

Byron: Here’s one in real estate we get all the time, “I would like to make an offer on this house. Here's the PDF with all of my financials and my offer. I don't need to see it, I live in Bangkok” or some weird obscure place, “and here's the offer, tell me where to wire the money, my wiring instruction is at” blah, blah – the whole thing. That's one we always get. So how would I give up my master password if I click that PDF? Which I never do, but I’m just...

Matt: Let's say you did click that PDF and then some screen came up that looks similar to your RoboForm screen, you know what I mean, it was misleading, it looks similar and just out of habit now you put your password in.

Pat: I’ve seen like, you got an email from fake Google, “Hey, we need to verify your password again just to be sure,” you click the thing… it looks kind of legit, it's got the right colors and you go, “My password is this.” And it's like, “Ah, sucker, thanks,” and they're gone.

Matt: Remember, the people on the other end make an entire business out of tricking you so they're putting a ton of effort into it.

Byron: And then it could be anywhere.

Matt: So, at Kelser, one of the things I will do for small businesses too is cybersecurity awareness training. So, they're small online courses, usually we have people do it once a month, believe it or not.

Byron: Have you ever been tricked, Matt?

Matt: Have I ever been tricked? I would assume, probably. I would like to think not, but there's a good chance, probably.

Pat: Probably not since the AOL Instant Messenger password days when he had an AIM password maybe, which is dead.

Matt: With Myspace – huge bummer, and Friendster. These are all classics. I love this stuff.

Byron: Okay, so you’ve potentially been tricked before. I feel like though – what's the worst that could happen? I've had my credit card hacked before and they give you the money back.

Matt: Credit card, yeah, in a way. Where we see the biggest risk actually is for medical practices because medical records are worth a lot of money on kind of the dark web for a variety of reasons.

Byron: Records are worth a lot of money?

Matt: For a variety of reasons, basically you can manufacture identities based off of the information in a medical record, so that’s why they’re so valuable. Here's why too, they can't be changed so you've got a credit card hacked, they steal it, you get your money refunded, you get a new card. Like medical information, and really any real personal information like social security number and the things along those lines, it’s pretty difficult to change it, like you can't change your own identity at some point.

Pat: Unless you buy one on the dark web. Buy new fingerprints – I've been hacked; I've got to go buy a new one.

Byron: That's interesting. I did not know that about medical records…alright, I've got a lot of work to do. You just created a ton of work for me to do in the last couple days in the year.

Byron: I want to tie it back a little bit to real estate here and we’re talking about where to spend the money. So, we've already covered, if you listened to the first two segments, that you need a password manager, and this goes for everybody not just people in the real estate industry, you have your 47 different passwords…would you say that for somebody who just uses Facebook, Instagram, obviously they have their online bank, that type of everyday stuff, they should use a password manager?

Matt: I would think so, yeah.

Byron: So, password manager, check, some of those are LastPass, RoboForm and I’m going to be signing up for RoboForm right after this. Matt gets no money for that, by the way.

Matt: I don't.

Byron: Unless you have – do you have an affiliate link? I'll use your affiliate link.

Matt: No, I wish.

Byron: So, Matt’s getting nothing from that. As a real estate agent, because there's a lot of agents that listen to the show as well, as an agent what else should I be doing to really, really make sure I’m covered. We talked about it earlier – I have liability and cyber liability insurance may or may not cover everything. I'll be calling my friends over at Sava Insurance to find out what it does cover, what else should I be doing. And these are some of the things that we do have, we do have alarm codes for some of our clients. We do certainly have lockbox codes being stored in certain places.

Pat: Obviously contact information.

Byron: We have all types of contact information. At times we have wiring information. We definitely have bank account information. We have a lot of stuff that, man, think about it, Jesus.

Matt: I would actually ask you, like, when it comes to someone placing an offer on a house and there's competitive bids, wouldn't it be in someone’s interest, like a buyer’s interest, to hack your account and see...

Byron: Certainly negotiating information. That would be one sick buyer. Holy mackerel.

Matt: When there is enough money on the line.

Byron: No, I'm saying sick like talent-wise sick, not sick in the head.

Matt: Well, I don't know, what if they just did like a phishing thing and tricked you into something? They know who you are...

Pat: So, what's your homework list for realtors or for realtors specifically – mobile people that want to secure themselves, what are your 5 things to “go do this tomorrow”? So obviously password manager we have.

Matt: Yeah, password managers, make sure you have your updates turned on, like your Windows updates, not just operating system but you have Adobe Flash and Java, like, make sure your stuff is up to date because that's how people can in some ways hack your machine without you doing too much.

Byron: So, you're saying there's a reason to have new software and up-to-date software.

Matt: Yeah, there's that. Because, I mean, companies like Microsoft and Apple, if your software is old you can't expect them, say you have Office 2003, Microsoft is not supporting it anymore, they're not putting security updates out for it and you can't really expect them to.

Pat: Yeah, and then the baddies have enough time to go figure out what the exploits are at that point.

Byron: Right, so update your game.

Matt: Be really aware of what Wi-Fi networks you're connecting to also. So, be really careful where you're going and if it's an encrypted connection or not and things along those lines. I get that realtors in very real time need to email information, pictures, all kinds of things, just be really careful what Wi-Fi networks you use.

Byron: Okay, let's go down that rabbit hole quickly. I have always had the Verizon hotspot for when I'm like in the house that’s vacant and it doesn't have Wi-Fi in it and I want to have Wi-Fi, I recently cancelled that within the last week and I was going to run it off my phone. Now, everywhere you always see the Xfinity pop up which is like…

Matt: Comcast.

Byron: It’s basically your mobile hotspot.

Matt: What Comcast did, basically what Comcast is for people who have cable modems at home, the home Gateway device, one part of it, kind of on the front end of it is them providing some level of kind of public guest access to other Comcast subscribers. But that is before your network – it's relatively secured compared to an internal network there. The ones that I worry about the most are kind of the random ones. If you hold up your Wi-Fi list right now, I'm sure you find one or two unprotected networks that you could latch onto.

Byron: Well, whenever I go to a coffee shop.

Matt: Exactly, and it just has it there. The other thing too is you don't know – people always assume best intent. What if you're in that coffee shop and I'm there, I’m the hacker, I set up coffee shop Wi-Fi…

Byron: This guy probably is a hacker. You know how to hack?

Matt: Yeah, I just set up coffee shop Wi-Fi, I am sitting in the back and people are like “Oh wow, coffee shop Wi-Fi, this is excellent.” I even have a splash page you know so you have to agree to terms of service to make it look legit, but then I'm like sniffing and watching everything you do after that.

Pat: Coffee shop guest.

Matt: Yeah, coffee shop guest, so it's all about tricking people.

Byron: So, if I'm in the coffee shop, now I agree to your hack that you’ve set up, what happens to me next? You can look in my camera, is that what you're doing?

Matt: Realistically, I don't want to panic people because it depends on what you're doing.

Byron: Panic them, let's get them super nervous.

Matt: So, in that situation, the red flag giveaway is – have you ever visited a website and Safari or Chrome or whatever browser you're using, Internet Explorer...have you ever gotten the page where it says this is an insecure connection?

Byron: Yes.

Matt: Don't ever accept that because that means that someone is faking or there's a possibility that someone's faking the encryption technology behind the scenes…

Pat: So, don't just power through and move on.

Matt: Exactly. They can intercept your traffic when that's happening.

Byron: So, they intercept your traffic and do what with that?

Pat: They see your passwords.

Matt: And that's all they need. And usually all they need is like your email password. Let's say they got your Google passwords, now they have all your passwords in your case.

Byron: In my case, not in an hour, so if you're a hacker I'd say you better get on it right now. Say you don't have your passwords on Google and if someone hacked your email, why do people want to hack your email? Is it because they want to send out from your email to 2,000 people in your contact list the phishing form?

Matt: It could be, that...

Byron: That's a technique, right?

Matt: That was maybe an older version. They've gotten way more sophisticated now especially on targeted emails from the owners of a business who are like C-level people like executives that are like, “Oh, I forgot this invoice. Can you send a wire transfer?” The hackers are probably monitoring people’s calendars, sending items and stuff like that so they have a feel for the tone of their voice, the writing style, where they are, in and out of the office. So, let's say someone's traveling and they've been watching what you've been doing for a little while and they said, “Oh man, I forgot...”

Byron: Is this a human or a robot watching?

Matt: They’re usually humans. Just by watching it they know what your appointments are, they email someone else in the office, “Oh man, I'm out of the office. I forgot to set up this wire for whatever,” and then before you know it someone's wiring money to this weird location because they were just tricked into doing it. Pretty scary.

Byron: All right, so there is something that everybody listening right now needs to worry about. What else?

Matt: How about just general endpoint protection? We’ll say so in that top list of things. Anti-virus software is pretty good but there's some other techniques at Kelser that we use that aren't really that expensive.

Byron: I don't believe I even use any virus software with the Mac.

Matt: I hear that a lot too.

Byron: Maybe I am and I don't realize it. I don't pay for anything.

Matt: Yeah, I know a lot of Mac users, even some businesses that we work with have kind of a sense that the Apple is so secure, I don't need anti-virus on it. I don't know if I totally believe that. It's definitely less prevalent to see that different types of malware on Macs, but it doesn't mean it's totally impossible. So, there is some good defense out there. Like one of the ones we use that's pretty popular is Cisco's Umbrella software. So that does a couple of things in terms of not just monitoring things on your machine, but it really monitors the network traffic like where you’re going to, what's coming to you, things like that and it will block it. So, let's say you click on one of those phishing emails and it brings you to the hacker site, Umbrella in that case would kick in and be like, “Woah, this is a known bad site, we're not going to let you go here.” It's all about layers of protection.

Byron: So, what’s – and I'm sure there's different cost, what's the average on the Cisco?

Matt: So that one, I think the list price, even if you just got it off the web, I think it's like $38. Cheap insurance, right?

Byron: No, it's cheap, but it’s $50 bills flying out of my ass every time I want something – every month, $50.

Matt: No, no once a year, not a month.

Byron: Oh, once a year.

Matt: That’s why it’s not a big deal.

Pat: We’ll take two at that point.

Byron: Yeah, let’s do it. Sign me up. Okay, so there’s that we can do, what else?

Matt: How about full offices? We kind of talked about mobile devices and things like that, but in offices it’s pretty important to have a legitimate firewall that can actually inspect traffic and knows different behaviors of – like, malicious activities and things along those lines so different, especially larger customers that we work with, even in the real estate space, they have multiple offices connected together, it's really important to secure that traffic internally too.

Byron: When we get back, I'm going to ask Matt if he thinks the big one is going to come in this country, meaning a major hack to the government. We're going to get his two cents on that.

Byron: I feel like I could go on about this forever. This has been one of the more educational shows we've done on Real Estate Radio as we prepare for 2018. I'm definitely thinking differently about my cybersecurity. We've got Matt from the Kelser Corporation which is a tech consulting firm in Glastonbury. IT, cybersecurity. I want to ask you a serious question, and I don’t want to scare the crap out of people, but it's something I think about from time to time. Do you believe there will be a day where some foreign country really hacks into something and really screws some stuff up for us, whether that's, you know, locally here we have a nuclear power plant in Waterford, Connecticut that if the plant is in operation and you shut certain things down, they're not going to be able to cool the reactor which is a “problemo”. We build submarines, which employs a lot of people, should they be thinking about spending more money on cybersecurity because they could, you know, going back to the nuclear plant example, somebody hacks into that, I won't name any of these countries, but they could really screw some stuff up.

Matt: Yeah, I would kind of start that discussion by saying like how do you know it hasn't already happened? How do we know that something hasn't happened? We either don't know about it or no one knows about it and there's stuff lurking in our systems. Keep that in mind.

Byron: That’s scary.

Pat: That's solidly terrifying.

Matt: Look how long it takes for corporations like Equifax, you know, in that case, not to report to the public but even internally to know what happened…

Byron: They didn't even know.

Matt: They didn't even know for a while.

Byron: But if someone hacked in and said, okay, “I'm going to shut down this power plant,” then you have hours, you're going to know, they're going to know, the workers are going to know, “Oh my gosh, we have a problem, we can't get into,” you know…

Matt: In my mind, the scarier attacks would be ones that would be slightly subtler than something pointed directly at the Lowstone for example. Go back to that October storm that we had where a lot of people in Connecticut lost power for like a week. That just caused so much of mass panic.

Byron: Losing power was terrifying.

Matt: …Just mass panic, inconvenience, unrest, a large population of people were very unhappy for a period of time.

Byron: It shut down the power grid for two months.

Matt: You got it. Or do something where they manipulate the power grid in such a way that it's broken and maybe it takes a couple months to fix it and bring everyone back online and time it’s during an election or a very political time…

Byron: In your lifetime is that something you fear?

Matt: I don't know if I would say I fear it. I think I accept that it's a risk that we just have to manage and deal with. Cybersecurity is not about completely eliminating risk and walking around fearless, I guess, it's more about managing it to a level that you can deal with, like, "I know this is happening." In Connecticut I've recently had the opportunity to interview Arthur House, he's running the cybersecurity strategy for the state of Connecticut and it's really interesting because we're leading not only in the country but in some ways in the world too, so he's on a trip right now consulting with some other countries and helping them with their cyber strategy. So, in Connecticut at the state level, especially when it comes to government and providing services like the power grid and just things like that, it is actually being taken seriously here.

Pat: You just said you can’t plan for every inevitability so is it part of your personal mantra and that of the Kelser Corporation, “Okay, cool, we're going to do everything we can to protect but in case of X, have a contingency plan…”

Matt: That’s right.

Pat: So, is that something that you would say...like for me personally I had my laptop, my laptop got stolen, I've taken all the steps I could, now it's gone. Is there a plan the average user should have in place – again, realtors, people like me that telecommute a lot – is there a backup plan? Oh, great, something has happened, now what?

Matt: So, it's important to have a backup plan. In some ways it doesn't matter so much, like, it matters what that plan is – but a lot of people just don't even have a plan.

Pat: Yeah, so the laptop’s gone, they panic.

Matt: So, we’ll get the call, whether it's an individual or a business, we got hit with ransomware, what do we do? Obviously, at Kelser we’ll help them through that, that's not a problem, but companies that had even some kind of a plan up front as to what to do, kind of how to handle it, how to organize people – especially if your email was compromised. People communicate with e-mail a ton right now, like if that communication…

Pat: Unfortunately.

Matt: …channel was gone. If that communication channel was gone it can be difficult even just to get people coordinated…

Byron: Just to run a business.

Pat: Yeah, how do you notify people in remote offices?

Byron: If the power grid went out for two months, going back to that, I mean the economy would shut down to some degree.

Matt: You got it and I think some countries in some situations they wouldn't even have to actually pull it off, they would just have to threaten it.

Byron: Like I've got you, checkmate, yeah, we're going to do this whole incident against you.

Matt: If you don't have the visibility to call their bluff, you just don't know and that unknowing is exactly what terrorism relies on to scare people. It's all about fear.

Byron: I’m thoroughly scared right now.

Matt: Welcome to 2018!

Pat: So, we have password managers, we’ve got some basic stuff down, a contingency plan looks like it’s on that list now, telecommuting offices, Byron’s team telecommutes a lot, most of our firm does as well. Anything specific for those people? Are VPN…

Matt: So, there's two parts to the VPN and VPNs became unpopular and now suddenly they're very popular again. The thing to remember with a VPN is basically it's encrypting your connections so that the Internet provider or you know, if you're on a weird Wi-Fi network or something like that, the likelihood that they can see your traffic is low. Here’s the catch though, if you just sign up with a VPN on the Internet, who's on the other end? Someone's on the other end! So, when people say, “Well, I have a VPN, I'm secure now.” Well, you've secured your traffic from AT&T, but if someone you don't trust is on the other end decrypting all your traffic and they’re your point of connection to the Internet, you've got to be really careful…

Pat: You shouldn’t buy VPN from Kim Jong Un.

Matt: I would definitely not recommend that. What you could do, especially if you have an office and people that are on the road, is you invest in a decent next generation firewall or something like that because it would have VPN capability so that your mobile people could VPN to your office and then use all the security that you put into your office and have the security in a way through that encrypted connection or that tunnel kind of through the internet.

Byron: Can I ask a weird nerd question on firewall?

Matt: Yeah.

Byron: Physical or software or both?

Matt: You need both, but like a real physical firewall – I mean it's actually software at the end of the day running on that, but yeah…

Byron: So, you should have a box that’s specific for that.

Pat: You really, really need like a decent box to do that. File sharing – Dropbox, Google Drive? Do you guys use them? Hate them?

Matt: So, it's complicated like everything right, because it all comes down to how people are with the data, how they're sharing it. As a system administrator, it definitely can increase your burden of awareness because data now are spread everywhere. On the other hand, though, that could be what makes your business work, like, sharing data, sharing information might actually be important, so it's hard to say don't do it because it could be even a competitive advantage to your business process or something.

Byron: But it makes security more difficult.

Matt: It does, it does. So, it just again comes down to like managing risk. It doesn't have to be a black and white thing, it's like, “I understand the risk of using Dropbox. I understand the risk of using One Drive. I understand the risk of this. But knowing that I did A, B and C to mitigate that and now I feel good about where I'm at”.

Pat: Yeah, but one of the things like the Dropbox shared drive, cloud based thing that we did, it eliminated emailing documents. So, you share a link that you can control to a degree, it will expire, you can retract it as opposed to attaching a PDF or an Excel. So that whether true or otherwise made us feel more secure.

Matt: Yeah.

Pat: Because you have a lot more control. Once it's sent the PDF is out in the universe so if you can control the link, that's something that we've done.

Matt: We'll do that too actually. If we send documents, the way that, we use Office 365 for example at Kelser, we actually implement it for a lot of people.

Byron: William Raveis uses Office 365.

Matt: Okay, one of the features you can do that's exactly like that…

Byron: OneDrive

Matt: Yep, use OneDrive to share files. Our corporate policy says people can generate links to share documents but you cannot generate a link that doesn't expire. That's the policy in our system so all links – I think they expire after 7 days or something by default but you can't set a shared file to not expire at all.

Byron: All right, we've got to go Matt. We're going to have you back on. This is unbelievable. I mean it really was eye-opening to me. And I think for a lot of people out there listening this was very informational – just to protect their passwords and simple things. I'm going to take a lot out of this I mean.

Pat: Good actionable, like, 3 things I can go do tomorrow or like right now and feel better.

Byron: I have a feeling Matt's going to get some more money as well so this is probably a useful hour for him. Before we sign off, Matt, where can people still find you?

Matt: Yeah, the easiest way is just kelsercorp.com, you can see all the different services that we offer. We actually, for businesses, offer a free cybersecurity study that we'll come in and do. It's pretty comprehensive actually, if an office has a good number of people and they just want to understand where they're at and where they should be we’ll come in and...

Pat: Any specific industry that is like call right now immediately…

Matt: Everyone's at risk, so it's hard to say.

Pat: If you have the internet at your house or your business…

Byron: If you are using the internet, call or go to the website. What's the website again?

Matt: Kelsercorp.com

About Matt Kozloski

Matt is an IT industry veteran and well-versed in professional services. He is the former leader of the CT VMUG. VCDX # 194, CISSP # 526947.