small business security guide for property professionals · 2020-06-19 · avoid software that...


Post on 13-Jul-2020


Small business security guide for property professionals

PRESENTED BY


Protecting your business

REA implements these measures within our own organisation to protect our customers and our business in line with recognised cyber security standards.

This guide was developed using the Australian Cyber Security Centre (ACSC) advice. It will act as a readily available, easy to understand reference for protecting your business online.

The ACSC provides cyber security advice, assistance and operational responses to prevent, detect and remediate cyber threats to Australia.

If you want to improve cyber security in your business further, you can find more information and advice on the ACSC website at: www.cyber.gov.au.

REA has developed this guide for property professionals to help protect you from the most common cyber security risks. Our aim is to provide a checklist of simple and easy to follow actions.


As Australia’s largest property resource, we understand the power of the internet. It offers many benefits but with those benefits also comes increasing security risks.

REA Group is committed to helping you protect your business and stay smart online. To assist you with this, we have published this simple guide highlighting how you can protect yourself against online threats. The guide covers everything from understanding the importance of privacy, to undertaking actions to protect your network and security devices.

Customised to ensure it has the most impact for property professionals in Australia, this guide relates specifically to practices you undertake, and common risks impacting our industry.

We want all Australian property professionals to know that implementing strong cyber security is fundamental to doing good business, building trust with consumers across the country and beyond.

Introduction by Craig Templeton, Chief Information Security Officer, REA Group


Protecting your front door

What? A log on page is often the first step to accessing systems that hold sensitive or important information. Be two steps ahead of threats to your business by enabling two-factor authentication (sometimes called multi-factor authentication or MFA) where it is available.

This means that instead of using just a username and password to log in to an account (typically regarded as one-factor), two-factor authentication requires authentication using two factors, such as something you know (like a password) and something you have (like a one-time code sent to mobile phone), to gain access.

Create secure passphrases for all online accounts, and always enable two-factor authentication or verification for additional protection when it is available.

Use a password manager to help protect and organise passwords.

TOP TIP

Why? Multi-factor authentication provides extra protection rather than relying solely on a password. This additional verification step can help to significantly reduce the risk of someone unauthorised accessing personal information or company information.

How? Solutions are available for both mobile and web applications and should be used in combination with something you know (such as a password). This means in the event a password becomes known, an extra layer of protection prevents access to your systems.

All websites are different and may enforce log on rules differently. In cases where two-factor authentication is not offered, the following can be used as a guide to ensuring strong password or passphrase standards.

Try not to use passphrases that might be expected or easy to guess. For example, we wouldn’t recommend ‘Richmond 3121’ as a secure passphrase.

These are examples of a passphrase:

• mirror meet lesson clock

• day above pipe purple

• free central myself clean


Keep your credentials safe

Your information is valuable, keep it private

What? Make sure that you keep passwords and any sensitive business or customer data stored electronically safe.

Why? Your business information is a valuable commodity. Employees should only have access to the information they need to do their job. By limiting that access on a need-to-know basis, you reduce the risk of confidential information leaving your business.

Secure passwords and administrative systems will help keep you and your business safe online.

How?

Avoid software that gives day to day users the same access privileges as administrators. Administrators need greater access levels so they can undertake activities that may impact several users or business processes.

Don’t share credentials (for example, usernames and passwords) within your business. Each employee should also have individual access credentials for each business system (not shared credentials).

Each employee should understand the importance of information security. Encourage discussion and awareness of privacy requirements via team meetings, posters etc.

Always remove old user accounts when employees leave the business and regularly review current access.

TOP TIP


Awareness

What to keep an eye out for

Why? It’s important to be aware of what is happening in the online world and stay up-to-date with the latest scams, spam and internet threats. The more aware people are about online security, the more capable they are of applying that knowledge to protect their business.

How? Awareness also means knowing the right questions to ask. If you are the principal/owner of your agency or head of your business make sure you have an informed discussion with your IT provider to ensure your team’s needs will be met. Refer to the questions at the end of this guide to help you.

Awareness also extends to being on the lookout for suspicious messages, including:

• Phishing emails or text messages (these messages try to lure you into providing your passwords/passphrases, online banking details, payment of invoices, or other sensitive information).

• Spam (unsolicited advertising or promotional messages), and fake telemarketing calls requesting personal or financial information.

Unsolicited messages or phone calls requesting personal/financial information, or seeking payment of invoices into a different bank account should always be treated with suspicion at the first instance.

If you provide your details to a suspicious caller or sender and you have some concerns, immediately change your passwords and associated information where possible. You should also alert service providers such as your bank and ask them to monitor your accounts for unusual activity.

If you have any doubt regarding the legitimacy of a phone call or email message, contact the organisation to confirm it by using a phone number, address or form sourced from its legitimate website or contact details you have on file.

TOP TIP

Need more information? Stay up-to-date with current scams


Network and device security

What? It is essential to have regularly updated antivirus software and to set your systems to automatically update software.

Why? Updates provide new and improved versions of software which help keep you safe online.

How? Ensure automatic antivirus software updates are turned on.

Mobile phones and tablets also provide access to your sensitive business information. Make sure you use a PIN in case of loss or theft and limit business information stored on them.

Treat any network that is not controlled by your business as insecure, particularly public Wi-Fi. Avoid performing financial transactions on these networks.

Be aware of plugging unknown USB drives into your devices as these drives may contain viruses. You can also improve the safety of the business by using separate devices at home for personal activities.

Criminals have more recently turned to online extortion as a way of obtaining money from businesses. Extortion techniques include tricking employees into infecting computers with software that encrypts files so the criminals can demand payment for the decryption key. This is known as ransomware.

Keep your operating system software up to date and back up your data to devices or locations isolated from your corporate network.

Turn on ‘auto-update’ to ensure you receive the latest security updates.

TOP TIP

Need more information? If you are impacted by ransomware there is help available


Backups

Insure your data: back it up

What? A backup is a digital copy of your company’s most important information and business data.

Business data includes accounting files, invoicing and quoting systems, letters and emails, information and resources, and even your website files.

Why? Regularly backing up your data or setting devices to automatically back up can help you quickly recover from a physical disruption (for example, fire or flood), hard disk failure or cyber incidents (such as becoming infected by ransomware).

How? Back up your data to a removable storage device such as a hard drive or a cloud backup service. It is not recommended to back up data to your computer as it may become compromised too.

Take your backup offsite or store it securely, like other important documents. Test your backup system regularly to ensure that it restores all information correctly.

Need more info? Microsoft provides ‘Backup and Restore’ functionality with some versions of the Windows operating system - Microsoft Support website.

Apple provides a few backup methods to users – one is based in the cloud while the others can choose a different location (such as a USB drive). On the Apple Support website you can find:

• How to restore iPhone and iPad data

• How to backup or restore your Mac

TOP TIP


Checklist

Key questions to ask to ensure your website and IT systems are secure

Do you have two-factor authentication and strong passphrases implemented in your business systems, such as your CRM?

Do you have a technical process to manage changes made to your website (for example: a staging environment for changes prior to publication of your content)?

How do you monitor security events and are alerts monitored? What are the processes in place to detect suspicious events and alerts on your business infrastructure, and what happens if they are related to a security incident?

How are security incidents managed? Once a security incident has been discovered, what is the process to manage, resolve and learn from the incident?

If you use an external hosting provider, do you know where your information is located?

Who owns the intellectual property on your site and how can you gain access to it? Will you have any issues in the event of an incident or trying to recover your information?

Is security currently embedded into your website, and is this security protecting your most important data and information? Best practice secure web design should be applied through the definition, development and deployment of your website.

Has your website been independently verified?

Do you have a process to effectively back up your site and recover lost information? If so, does it meet your business availability requirements?

Who are the people that control the content and access to your website? Do you know exactly who can access non-public facing sections of your site? Limit access to individuals who need to perform administration or content deployment.

Do you and your staff use unique credentials to access your information? How do you prevent unauthorised users from accessing your content?

How do administrators access your site? Do you have rules and regulations about where and when the site can be updated?


The eSafety commissioner also has tailored content for parents, teens, children and seniors

The Australian Cyber Security Centre is updated regularly with alerts and awareness content

Need to contact us about Security? Head to our Security Help Centre

Would you like to know more?

Want to be secure at home too?

Subscribe to Scam Watch alerts