Cyber security in the workplace: essential practices for letting agents
Landlord focus article Issue 48
In the digital era, cyber security is an integral and critical part of protecting sensitive information and maintaining trust across our client base. As agents we are entrusted with managing sensitive information, including personal identification details, financial data, and property access codes. A breach in cyber security can lead to severe repercussions, such as identity theft, financial loss, and reputational damage. As cyber threats evolve, letting agents must prioritise cyber security to protect their clients and their business.
In addition to protecting sensitive data, robust cyber security practices will help with legal and regulatory requirements. Data protection laws, such as the General Data Protection Regulation (GDPR), mandate strict guidelines for handling and securing personal data. Non-compliance can result in hefty fines and legal consequences, making cyber security not only a protective measure but also a legal necessity.
Common cyber threats faced by letting agents
Letting agents face a variety of cyber threats, including:
- Phishing/spear phishing attacks: malicious emails are designed to trick agents into providing sensitive information or clicking on harmful links. Phishing attacks are increasingly sophisticated, often mimicking legitimate communications to deceive recipients. Did you know 91 – 96% of all security breaches start with an email?
- Ransomware: a type of malware that encrypts data, rendering it inaccessible until a ransom is paid. The threat of releasing it on the dark web is growing. Ransomware attacks can cripple your business operations, leading to significant financial losses, data recovery challenges and damage to your reputation.
- Data breaches and hacking: unauthorised access to sensitive information stored in digital systems. Data breaches can occur through various means, including hacking, social engineering, or insider threats. Attacks may not occur immediately after a breach, but the attackers will investigate your systems, find out how the business works, find out where your data is stored, monitor current transactions, such as a big order or deposit, and intercept them.
- Social engineering: manipulative tactics used to deceive agents into divulging confidential information. Social engineering attacks exploit human psychology, making them difficult to detect and prevent.
- Malware: malicious software designed to damage, disrupt, or gain unauthorised access to computer systems. Malware can enter systems through infected email attachments, malicious websites or unsecured networks.
Best practices for cyber security
To mitigate these risks, letting agents should consider implementing the following best practices:
- Regular training: automated security systems will not block 100% of attacks. The biggest risk in your business can be your staff. Research shows that 40 – 70% of people without proper training will click on a spear phishing email targeted at an organisation. Train employees about the latest cyber threats and how to recognise them. Regular training sessions should cover identifying phishing emails, safe internet browsing practices, and the importance of reporting suspicious activities.
- Strong password policies: enforce the use of complex passwords and change them regularly. Passwords should include a mix of letters, numbers, and special characters to enhance security.
- Multi-factor authentication (MFA): add an extra layer of security by requiring multiple forms of verification. MFA can include a combination of something the user knows, such as a username and password; something the user has, a security token such as a text message or notification on your mobile phone; and something the user is, such as a fingerprint scan or face recognition.
- Data encryption: encrypt sensitive data both in transit and at rest, to protect it from unauthorised access. Encryption ensures that even if data is intercepted or accessed without authorisation, it remains unreadable.
- Regular updates: keep software and systems up to date with the latest security patches. Regular updates address vulnerabilities that could be exploited by cyber attackers.
- Firewall and antivirus software: use firewalls to block unauthorised access to networks and antivirus software to detect and remove malicious software. Regularly update these tools to ensure they provide optimal protection.
Implementing cyber security procedures
Developing and enforcing comprehensive cyber security procedures is vital for your business, and ensuring they are adhered to can greatly reduce risk. Procedures could include:
- Access controls: define who has access to sensitive information and under what circumstances.
- Acceptable use policies: covering what you can and cannot do with company equipment.
- Password policy: ensure passwords are twelve characters long and complex.
- Bring your own device policy: making sure only company devices can access company data.
- Electronic funds transfer policy: detail ways in which financial transactions are authorised, including the verification of bank account information through two distinct communication methods and multi-user authorisation for large transactions.
- Business/user related policy: the policies should not only cover information technology, but also the approved methods of communicating with clients and clarifying information. For example, when taking on new clients, you must verify their identity by at least two means other than an email. Employees should be told how to respond to WhatsApp messages, for instance, if it is not a company-approved communication channel.
- Incident response plan: establish a clear plan for responding to cyber security incidents, including notification procedures and mitigation strategies. An effective incident response plan minimises the impact of cyber attacks and ensures a swift recovery.
- Vendor management: ensure third-party vendors comply with cyber security standards. If someone you deal with gets breached, then that puts you at risk.
- Data backup: implement regular data backup procedures to prevent data loss in the event of a cyber attack. Store backups in secure, off-site locations and test them periodically to ensure they can be restored effectively.
- Security audits: conduct regular security audits to identify vulnerabilities and assess the effectiveness of existing security measures. Audits help agencies stay ahead of emerging threats and continuously improve their cyber security position.
Cyber insurance
In the event of a cyber security incident, cyber insurance plays a critical role in facilitating recovery and covering the associated defence and compensation expenses. A questionnaire is typically used to assess your company’s operations, turnover, and existing measures. How you answer these questions influences the premium you will be charged, and providing accurate information is essential to ensuring that your claim is honoured. Steps you can take to increase your success with a claim and reduce your insurance costs include:
- security training for your staff
- an end-point detection and response system to protect from malware
- regular patching configured on all machines
- having a spam filter in place
- MFA on all cloud-based software logins
Cyber security is a critical concern for letting agents: we must protect sensitive client information and maintain trust. By understanding common cyber threats and implementing best practices, letting agents can significantly reduce their risk of cyber incidents.
The National Cyber Security Council and the Scottish Government have information for both small and large businesses, including checks and toolkits to help you assess your risk. Shackleton Technologies recently took the time to talk to agents on the subject of cyber security at SAL’s conference (Scottish Letting Day) and at our online member meetings. For more information you can contact them at enquires@shacktech.co.uk or visit bit.ly/Shacktek
Words: Amanda Wiewiorka