At first glance, the commercial real estate (CRE) industry doesn’t seem like a prime target for cyberattacks. As a result, establishing a cybersecurity plan might seem a low priority.
After all, most CRE firms typically maintain less personally identifiable information (PII) or valuable intellectual property (IP) than companies in some other industries.
But don’t be fooled: Several factors make CRE uniquely vulnerable to cyber threats.
According to an analysis by the Deloitte Center for Financial Services, strategic plans, engineering drawings, and tenant information are all common targets for cyber theft.
Furthermore, the IT systems managing a building’s operations generally prioritize functionality over security. As CRE owners and operators implement smart, cloud, and mobile technology to engage tenants and drive operational efficiency, the risks associated with data security have grown significantly.
CRE companies are also uniquely vulnerable to treasury management risk, given the significant amounts of cash maintained on the average property team’s balance sheet. Not to mention the large dollar transactions related to property acquisitions, sales, and financing.
The COVID-19 Impact
Security breaches frequently have devastating consequences in financial losses and reputational damage for impacted firms. In 2021, the average data breach cost $4.24 million per company—a record high.
The COVID-19 pandemic and the prompted shift to remote work has made organizations even more vulnerable to cyberattacks. The explosive growth of video conferencing provided a juicy target for hackers looking to steal personal information.
Prior to the pandemic, 20 percent of cyberattacks used previously unseen malware or methods. During the pandemic, this number rose to 35 percent.
Hackers are always getting more sophisticated. So it’s more important than ever for CRE leaders to analyze their systems for weaknesses.
Follow these steps to implement a strong cybersecurity plan:
Establish Governance
CRE firms operating large portfolios typically have stringent cybersecurity requirements and designated IT teams to enforce them. But on smaller teams, it can be difficult to know who’s responsible for what.
To implement a strong cybersecurity plan, begin by establishing a project leader (if you haven’t already). This will typically be the Chief Information Officer or another senior technology leader. Collaborate with this individual and other high-level stakeholders to conduct a thorough analysis of the cybersecurity threats the business faces.
Then it’s time to develop a framework. Consider using the Cybersecurity Framework developed by the National Institute of Standards and Technology. This resource guides companies of all sizes and industries on how to implement cybersecurity best practices. Use this information to develop a clear cybersecurity policy that can be shared with the larger property team.
Consider as a team how your firm wants to allocate IT responsibilities to tenants. You may decide to alter lease provisions to clearly define each tenants’ responsibility for data privacy and system security. Specific topics to address can include capping/limiting damages for cyber-related losses, cyber-related insurance concerns, and who foots the bill for technology-related enhancements.
Conduct Regular Audits
CRE owners and operators should regularly evaluate cybersecurity risk exposure and determine whether current protocols are sufficient. Any new forms of cyberattack or significant changes to workflows (e.g., increased video conference calls) should be included in these evaluations.
Audits should include a thorough evaluation of all common hacker entry points. In CRE, data breaches commonly arise from the following sources:
- Non-malicious human error, such as an employee misplacing a phone or laptop that falls into the wrong hands.
- A “Bring Your Own Device” (BYOD) policy can jeopardize data governance. E.g., Members of the property management team might use personal devices to review sensitive tenant lease information.
- Open Wi-Fi access. For example, open guest Wi-Fi access in an office building.
- Online payment systems/POS: Most relevant for retail tenants who use online payment systems to conduct transactions.
- Building control systems: Hackers can exploit interconnected equipment systems like HVAC and Building Management Systems (BMS), etc. as an entry point to larger business systems.
Companies may benefit from a third-party gap analysis of recommended security control measures.
Spread Awareness
To strengthen your data protection, the entire property team needs to be aware of current threats and held accountable for preventing them.
Consider hosting an educational workshop to share the challenges associated with safeguarding a complex network, and how team members can help. Many have the perception that a cybersecurity plan is solely the responsibility of the IT team. You need to disabuse them of this notion.
Leading organizations also typically conduct simulations to help team members understand the potential threat of cyberattacks posed by daily activities. This might be as simple as distributing regular test phishing emails. Consider how and when tenants should be looped in to maximize a program’s impact.
Review Continuity Plans
As cyberattacks become more sophisticated, data breaches are almost inevitable.
When your system fails to prevent an attack, your focus should shift to responding as quickly as possible to limit damage. If your business continuity plan doesn’t include provisions for cyberattacks, it’s time for an update. Establish an incident response plan that clearly outlines what needs to be done and by whom.
Ensure the plan covers all areas a hacker might access, including your organization’s website, social media accounts, and restricted network drives. Your plan should also include a crisis communication component.
Consider how to share news of a breach with impacted tenants, vendors, and other affected stakeholders most efficiently. Address how and when your team should tap external resources such as computer forensics experts or legal counsel.
Naturally, this plan should be updated at least annually, and as threats evolve.
Property owners and operators should also review their current insurance coverage and ask agents about cyber insurance options. Keep in mind that coverage under these plans can vary widely. Pay close attention to what is covered, when coverage goes into effect, and what events are excluded before buying a policy.
Shop Wisely for CRE Technology
As CRE’s digital transformation accelerates, property teams face unprecedented pressure to innovate. For example, the Internet of Things (IoT) is gaining traction in CRE. But connecting more devices and sensors to the internet creates more points for potential data breaches. This pressure can cause some teams to overlook proper security measures when adopting new technologies.
At minimum, a secure technology platform should:
- Easily establish and demonstrate compliance with yearly audits
- Meet common data governance standards, such as GDPR and SOC II compliance
- Avoid data privacy issues by ensuring any tenant or employee information is captured by consent and securely stored using robust data encryption and intrusion detection
- Provide single sign on (SSO) support for user authentication
Before signing a contract with a potential software vendor, do your homework. Ask for their track record on data breaches, request their business continuity plans, and confirm who exactly is responsible for handling, processing, and storing personal information.
Enhance Your Cybersecurity Plan: Don’t be Hacker Bait
As buildings and systems grow more interconnected, even the smallest breach can compromise entire buildings. Property owners and operators should make a strong cybersecurity plan a top priority when setting budgets for 2022.
Secure IT infrastructure is just one component of a winning CRE tech stack.
To learn how to choose an operations platform that will position your business for better outcomes, read the Building Engines’ Buyer’s Guide to Building Operations Technology.
