
Is cyber risk a real problem in commercial real estate?

Cyber attacks are now a daily occurrence and continue to escalate. Now more than ever, companies across all industries are at risk.

In recent years, hackers have compromised 500m accounts from a major email provider, leaked 19,000 emails from US political party officials, stolen $81m from a foreign bank, and even brought down major parts of the internet.

But is cyber risk a real problem in commercial real estate? What specific cyber threats are most likely to affect property firms? And what steps can real estate leaders take to proactively prepare their organisations so as to protect valuable data and assets from cyber attackers?

The threat landscape

Cyber risk needs to be considered early on, and managing it is by no means an all-or-nothing exercise. The approach should be pragmatic and tailored to industry and sector.

In the past, real estate organisations have focused predominantly on physical security owing to the nature of the industry involving real tangible assets.

But data connectivity and digitisation are playing an ever-increasing role in every business, including property, especially as the industry looks to leverage data to make investment decisions and better understand how people use space. As a result, the number of attack vectors has risen significantly as real estate businesses become more reliant on technology.

One of the most significant trends is the rise in the frequency and size of data breaches with potentially catastrophic financial, reputational and legal consequences – and there is no need to look too far to see high-profile examples in the media.

But one specific reason that property companies are attractive to hackers is the fact that their technology systems contain leases, rental applications, credit reports and deal financing terms – many filled with payment card industry data and personally identifiable information on tenants and clients.

And it’s not just the data that’s an attractive target. Attackers know that real estate management can be a 24/7 operation, and a building system offline is simply not acceptable.

Instead of stealing data, attackers can resort to ransom, although not in the traditional sense with a human hostage. They take or block control of systems such as heating, ventilation, air conditioning, lighting, door access and emergency systems, which are now often IT controlled, only agreeing to release their control when a ransom is paid. The longer the business is offline, the more devastating the impact.

Starting out

First determine the type of cyber security strategy you need. Even if you believe you have a mature cyber security programme, it is important to reassess from time to time. What has been completed to date, and has it produced the intended results?

It is also important to reaffirm that the direction and strategy are still relevant – do you continue as intended, or are adjustments required given, for example, the present business direction, market influence, technologies and threat landscape? A quick way to determine this is via a cyber maturity assessment.

While you are working through the longer-term strategic review and outlook, a short-term tactical review should be carried out to determine if you have any immediate vulnerabilities or indications of compromise that need to be addressed.

Test run

To accomplish this, you may consider an exercise where a third party – “the assessor” – tries to attack (or “red team”) your organisation through external, internal, social and physical means, just as an attacker would, so that you are aware of the issues before an attack happens.

This quickly gives you a view of what your risks are hypothetically and objectively, with a full report of what the tester truly accomplishes during the attack, along with a prioritised remediation plan of how to close any findings.

And to round out your assessment, no organisation will ever be impenetrable, so it’s important that exercises such as war gaming are performed. These are crisis management exercises where you work with your assessor to create scenarios and run exercises with various stakeholders within the business to test response plans fully.

If this is carried out periodically, it will give you a true objective view on preparedness, helping to identify gaps and fix them, so you have an appropriate crisis management plan should you actually need it.

Working together

The real estate industry can improve its approach to tackling cyber threats through collaboration. Subscribing to cyber threat intelligence, and putting in place the resources to interpret that data, can perhaps be prohibitively expensive for all but the largest firms. However, the benefit of access to regular up-to-date cyber threat intelligence is not in doubt.

Therefore, creating a dedicated place where firms can come together to swap, share and leverage each other’s cyber threat intelligence updates and lessons is a compelling way to reduce systemic threats across the entire industry. In asset management, for example, the Investment Association is working to produce a tailored threat intelligence information-sharing platform to encourage collaboration across the industry.

But it’s not all doom and gloom. It is simply about truly understanding your vulnerabilities, running regular tests and being prepared – that will make the difference between a simple event and a full-on crisis.
