Real Estate Cyber Risk: Are You Prepared?
Security breaches are, unfortunately, a part of our reality now. For industry, they have a high monetary cost, and cause erosion of the public trust. A company's reputation in such instances relies on staying apprised of cyber security protections, readiness, and a quick response to malicious events.
Executives at all levels of real estate organizations are spending more and more time on cybersecurity issues today. As innovation is driven by big data and smart analytics, a greater scope of connectivity between systems and buildings will require comprehensive and ongoing security strategies.
Historically, there are two areas of concern:
(1) Corporate Security and Information Technology: IT
These are the organizational systems and business applications employees use every day, including email, financial applications, HR applications, the internal corporate network, internet services, and more. This category is generally managed by the corporate security team, often within the technology function of the organization.
(2) Asset Operational Technology and Security: OT
Traditionally the main building systems, these now include networked building automation systems, as well as connectivity to the outside at all levels. Also known as the Industrial Internet, the physical buildings are increasingly integrated with sensors and wireless functions. Responsibility in this area may vary depending on how properties are operated; it may fall under the purview of the owner, a third-party service provider, building engineers, or a combination of entities.
These categories are converging, and yet the risk management process requires a certain amount of separation: because of inherent vulnerabilities, building systems should be separate from the corporate networks. In most cases, people—not their systems—are quite often the biggest security risk. Consistent, ongoing security awareness and training is critical, as well as constant monitoring.
The physical infrastructure is in some ways more susceptible to attack, simply because it's not traditionally as well managed by people versed in security as the corporate side. However, motive for an attack is important. Just because something is vulnerable doesn't mean it's prime for compromise; it may not be interesting for someone to compromise a system with little return. A company should focus their security efforts on the bigger targets that would yield greater gains for an intruder, and place better controls over who accesses, implements and maintains those systems.
Digital transformation leads to additional challenges
The digital transformation that's taking place in the real estate industry and the incredible investment in digital products means that the profile of real estate is increasing as never before. Real estate is now creeping into one of the top areas for nefarious infiltration. One reason may be that it's a softer target. Many real estate organizations are not subject to regulations from the SEC and other governing bodies; as an industry, real estate is not regulated the same way as banks and financial institutions, insurance companies, airlines, and utilities. These other industries have had more focus on making sure they are keeping themselves appropriately locked down.
Another reason, of course, is information. On the corporate side, real estate companies provide services that create volumes of data, valuable information in terms of transactions and money. This includes the data from supply chain contractors, third-party services, and tenants' personal data. This data is now on a network, and therein lies the potential exposure. Many companies servicing the industry operate in an entrepreneurial fashion, as contractors to large real estate organizations. Service and speed are important, and people need to work effectively—with all the access that entails. There must be a balance between security and efficiency, so that employees can do their jobs while still staying secure. As the industry standardizes security protocols, more third-party entities will be subject to vendor security reviews.
On the asset side, the goal of a comprehensive user experience is effectively changing the game. Capturing and tracking data about the user experience in a building creates information that's never been electronically available before and is no longer under closed proprietary systems. Consequently, there's an uptick in focus by the investment community about cybersecurity. This is driving behavior within companies to examine their security policies and programs.
Today, 90% of compromises start with business email and some kind of phishing attack, and they have become quite sophisticated. These emails appear to be from someone you know, asking for information or money. They may have a signature block that looks exactly like the one you are expecting. For example, a supplier who has completed a service ‘sends’ an email enclosing an invoice and new bank account or new wire instructions for payment. People develop habits that can be exploited by attacks like these because the procedure is familiar—it’s not anything unusual.
As time goes on, violations will become more creative. The Schneier on Security blog recently posted an article about hacking construction cranes. Cranes now have the capability for remote wireless diagnostics. Can you imagine a crane in the hands of someone intent on doing harm?
Another existing possibility exploits a very common activity: parking. Imagine the location is a high-value downtown Class A office building that contains building systems everyone uses. In many buildings you enter using your toll tag. The property manager is given the toll tag number and vehicle information. As a tenant, it's very convenient because there's no need for a fob or reader. However, the toll tag authority has credit card and other personal information; if a compromise occurs in the parking system, the attacker is a step away from possibly compromising all the personal information.
Resilience is the better part of valor
A majority of large companies have a security plan in place, with a budget and the requisite security officers. One statistic that's disturbing though, is that only about a third of those companies have a good cybersecurity and incident response plan in place—and have it fully tested. As we've all heard, "Companies have to be right 100 percent of the time and the bad guys only need to be right once." Cyber hackers are very nimble, and no company can defend 100 percent of the time.
A response plan—with layers of security and defenses in place—is necessary for prevention and early detection. A response team should include:
(1) A forensics team to determine what happened
(2) Your IT 'SWAT team' ready to deal with remediation quickly
(3) Your disaster recovery business continuity plan if you've lost data
(4) A law firm that understands how to manage cyber events
(5) A data privacy person (or law firm) that can advise on disclosure procedures (state- and country-specific)
(6) Your cyber insurance provider (if you don't have this, discuss with your insurance broker)
(7) An external communications firm for public-facing correspondence (to work with your internal corporate communications group)
(8) Responsible business executive
We must do more on both the corporate and the building side to protect ourselves from cyber attacks. In the event one occurs, we must be prepared to respond quickly and appropriately. The word that comes to mind for that is 'resilience'. Organizational resilience is key for cyber survival, along with the institutional will to do those things.
Cybersecurity is an important topic and will be covered in-depth at Pre-Con: Cybersecurity Forum and in a dedicated track in the education program. Realcomm | IBcon 2019 will be held at the Nashville Music City Center on June 13 & 14 (Golf and RE Tech Tours June 11 | Pre–Con Events: June 12). Register today!
This Week’s Sponsor
MRI Software delivers innovative applications and hosted solutions that free real estate companies to elevate their business. Our flexible technology platform and open and connected ecosystem meet the unique needs of real estate businesses, from property-level management and accounting to investment modeling and analytics for the global commercial and residential markets. For more information, please visit www.mrisoftware.com.
Four Keys to Deploying a Smart Building Program During COVID-19 Now more than ever, the idea of a smart building is gaining popularity and showing promise for property and facility managers across the country. The siren’s song of saved operating expenses, reduced energy consumption and the associated smaller carbon footprint has captivated many.
Commercial Rent Payments: Signposts on the Road to Recovery Across the country, offices and retail stores are beginning to reopen. On the surface, things are looking more positive for the commercial real estate market than they did in March or April. But do the numbers justify optimism? In terms of rental payments from office and retail tenants, the data suggests that a celebration would be a bit premature.
Post-COVID-19: Is it Time to Rethink Flex Space Strategies? Coworking is a decades old concept: think Regus, WorkClub and Techspace. But in the past five years, the industry has witnessed a meteoric rise in coworking and flex space options. The top 10 independent operators, including WeWork, Convene and Industrious, now account for approximately 10 million square feet of the aggregate leased flex office space in primary markets here in the U.S.
Technology and the Pandemic: Fee Managers Discuss The COVID-19 pandemic is affecting every aspect of business and leaves us no choice but to face these challenges head on with as many technological resources as possible to mitigate the impact on our companies.