Real Estate Cyber Risk: Are You Prepared?
Security breaches are, unfortunately, a part of our reality now. For industry, they have a high monetary cost, and cause erosion of the public trust. A company's reputation in such instances relies on staying apprised of cyber security protections, readiness, and a quick response to malicious events.
Executives at all levels of real estate organizations are spending more and more time on cybersecurity issues today. As innovation is driven by big data and smart analytics, a greater scope of connectivity between systems and buildings will require comprehensive and ongoing security strategies.
Historically, there are two areas of concern:
(1) Corporate Security and Information Technology: IT
These are the organizational systems and business applications employees use every day, including email, financial applications, HR applications, the internal corporate network, internet services, and more. This category is generally managed by the corporate security team, often within the technology function of the organization.
(2) Asset Operational Technology and Security: OT
Traditionally the main building systems, these now include networked building automation systems, as well as connectivity to the outside at all levels. Also known as the Industrial Internet, the physical buildings are increasingly integrated with sensors and wireless functions. Responsibility in this area may vary depending on how properties are operated; it may fall under the purview of the owner, a third-party service provider, building engineers, or a combination of entities.
These categories are converging, and yet the risk management process requires a certain amount of separation: because of inherent vulnerabilities, building systems should be separate from the corporate networks. In most cases, people—not their systems—are the biggest security risk. Consistent, ongoing security awareness and training are critical, as is constant monitoring.
The physical infrastructure is in some ways more susceptible to attack, simply because it has not traditionally been managed as well by people versed in security as the corporate side has. However, motive for an attack is important. Just because something is vulnerable doesn't mean it's prime for compromise; an intruder may have little interest in compromising a system that offers little return. A company should focus its security efforts on the bigger targets that would yield greater gains for an intruder, and place better controls over who accesses, implements and maintains those systems.
Digital transformation leads to additional challenges
The digital transformation that's taking place in the real estate industry and the incredible investment in digital products means that the profile of real estate is increasing as never before. Real estate is now creeping into the top areas for nefarious infiltration. One reason may be that it's a softer target. Many real estate organizations are not subject to regulations from the SEC and other governing bodies; as an industry, real estate is not regulated the same way as banks and financial institutions, insurance companies, airlines, and utilities. These other industries have had more focus on making sure they are keeping themselves appropriately locked down.
Another reason, of course, is information. On the corporate side, real estate companies provide services that create volumes of data, valuable information in terms of transactions and money. This includes the data from supply chain contractors, third-party services, and tenants' personal data. This data is now on a network, and therein lies the potential exposure. Many companies servicing the industry operate in an entrepreneurial fashion, as contractors to large real estate organizations. Service and speed are important, and people need to work effectively—with all the access that entails. There must be a balance between security and efficiency, so that employees can do their jobs while still staying secure. As the industry standardizes security protocols, more third-party entities will be subject to vendor security reviews.
On the asset side, the goal of a comprehensive user experience is effectively changing the game. Capturing and tracking data about the user experience in a building creates information that's never been electronically available before and is no longer under closed proprietary systems. Consequently, there's an uptick in focus by the investment community about cybersecurity. This is driving behavior within companies to examine their security policies and programs.
Today, 90% of compromises start with business email and some kind of phishing attack, and they have become quite sophisticated. These emails appear to be from someone you know, asking for information or money. They may have a signature block that looks exactly like the one you are expecting. For example, a supplier who has completed a service ‘sends’ an email enclosing an invoice and new bank account or new wire instructions for payment. People develop habits that can be exploited by attacks like these because the procedure is familiar—it’s not anything unusual.
As time goes on, violations will become more creative. The Schneier on Security blog recently posted an article about hacking construction cranes. Cranes now have the capability for remote wireless diagnostics. Can you imagine a crane in the hands of someone intent on doing harm?
Another existing possibility exploits a very common activity: parking. Imagine the location is a high-value downtown Class A office building that contains building systems everyone uses. In many buildings you enter using your toll tag. The property manager is given the toll tag number and vehicle information. As a tenant, it's very convenient because there's no need for a fob or reader. However, the toll tag authority has credit card and other personal information; if a compromise occurs in the parking system, the attacker is a step away from possibly compromising all the personal information.
Resilience is the better part of valor
A majority of large companies have a security plan in place, with a budget and the requisite security officers. One disturbing statistic, though, is that only about a third of those companies have a good cybersecurity and incident response plan in place—and have it fully tested. As we've all heard, "Companies have to be right 100 percent of the time and the bad guys only need to be right once." Cyber hackers are very nimble, and no company can defend 100 percent of the time.
A response plan—with layers of security and defenses in place—is necessary for prevention and early detection. A response team should include:
(1) A forensics team to determine what happened
(2) Your IT 'SWAT team' ready to deal with remediation quickly
(3) Your disaster recovery business continuity plan if you've lost data
(4) A law firm that understands how to manage cyber events
(5) A data privacy person (or law firm) that can advise on disclosure procedures (state- and country-specific)
(6) Your cyber insurance provider (if you don't have this, discuss with your insurance broker)
(7) An external communications firm for public-facing correspondence (to work with your internal corporate communications group)
(8) A responsible business executive
We must do more on both the corporate and the building side to protect ourselves from cyber attacks. In the event one occurs, we must be prepared to respond quickly and appropriately. The word that comes to mind for that is 'resilience'. Organizational resilience is key for cyber survival, along with the institutional will to do those things.
Cybersecurity is an important topic and will be covered in-depth at Pre-Con: Cybersecurity Forum and in a dedicated track in the education program. Realcomm | IBcon 2019 will be held at the Nashville Music City Center on June 13 & 14 (Golf and RE Tech Tours June 11 | Pre–Con Events: June 12). Register today!