Real Estate Cyber Risk: Are You Prepared?
Security breaches are, unfortunately, a part of our reality now. For industry, they have a high monetary cost, and cause erosion of the public trust. A company's reputation in such instances relies on staying apprised of cyber security protections, readiness, and a quick response to malicious events.
Executives at all levels of real estate organizations are spending more and more time on cybersecurity issues today. As innovation is driven by big data and smart analytics, a greater scope of connectivity between systems and buildings will require comprehensive and ongoing security strategies.
Historically, there are two areas of concern:
(1) Corporate Security and Information Technology: IT
These are the organizational systems and business applications employees use every day, including email, financial applications, HR applications, the internal corporate network, internet services, and more. This category is generally managed by the corporate security team, often within the technology function of the organization.
(2) Asset Operational Technology and Security: OT
Traditionally the main building systems, these now include networked building automation systems, as well as connectivity to the outside at all levels. Also known as the Industrial Internet, the physical buildings are increasingly integrated with sensors and wireless functions. Responsibility in this area may vary depending on how properties are operated; it may fall under the purview of the owner, a third-party service provider, building engineers, or a combination of entities.
These categories are converging, and yet the risk management process requires a certain amount of separation: because of inherent vulnerabilities, building systems should be separate from the corporate networks. In most cases, people, not their systems, are the biggest security risk. Consistent, ongoing security awareness and training are critical, as is constant monitoring.
The physical infrastructure is in some ways more susceptible to attack, simply because it's not traditionally as well managed by people versed in security as the corporate side. However, motive for an attack is important. Just because something is vulnerable doesn't mean it's prime for compromise; it may not be interesting for someone to compromise a system with little return. A company should focus its security efforts on the bigger targets that would yield greater gains for an intruder, and place better controls over who accesses, implements and maintains those systems.
Digital transformation leads to additional challenges
The digital transformation that's taking place in the real estate industry and the incredible investment in digital products means that the profile of real estate is increasing as never before. Real estate is now creeping into one of the top areas for nefarious infiltration. One reason may be that it's a softer target. Many real estate organizations are not subject to regulations from the SEC and other governing bodies; as an industry, real estate is not regulated the same way as banks and financial institutions, insurance companies, airlines, and utilities. These other industries have had more focus on making sure they are keeping themselves appropriately locked down.
Another reason, of course, is information. On the corporate side, real estate companies provide services that create volumes of data, valuable information in terms of transactions and money. This includes the data from supply chain contractors, third-party services, and tenants' personal data. This data is now on a network, and therein lies the potential exposure. Many companies servicing the industry operate in an entrepreneurial fashion, as contractors to large real estate organizations. Service and speed are important, and people need to work effectively—with all the access that entails. There must be a balance between security and efficiency, so that employees can do their jobs while still staying secure. As the industry standardizes security protocols, more third-party entities will be subject to vendor security reviews.
On the asset side, the goal of a comprehensive user experience is effectively changing the game. Capturing and tracking data about the user experience in a building creates information that's never been electronically available before and is no longer under closed proprietary systems. Consequently, there's an uptick in focus by the investment community about cybersecurity. This is driving behavior within companies to examine their security policies and programs.
Today, 90% of compromises start with business email and some kind of phishing attack, and they have become quite sophisticated. These emails appear to be from someone you know, asking for information or money. They may have a signature block that looks exactly like the one you are expecting. For example, a supplier who has completed a service ‘sends’ an email enclosing an invoice and new bank account or new wire instructions for payment. People develop habits that can be exploited by attacks like these because the procedure is familiar—it’s not anything unusual.
As time goes on, violations will become more creative. The Schneier on Security blog recently posted an article about hacking construction cranes. Cranes now have the capability for remote wireless diagnostics. Can you imagine a crane in the hands of someone intent on doing harm?
Another existing possibility exploits a very common activity: parking. Imagine the location is a high-value downtown Class A office building that contains building systems everyone uses. In many buildings you enter using your toll tag. The property manager is given the toll tag number and vehicle information. As a tenant, it's very convenient because there's no need for a fob or reader. However, the toll tag authority has credit card and other personal information; if a compromise occurs in the parking system, the attacker is a step away from possibly compromising all the personal information.
Resilience is the better part of valor
A majority of large companies have a security plan in place, with a budget and the requisite security officers. One disturbing statistic, though, is that only about a third of those companies have a good cybersecurity and incident response plan in place, and have it fully tested. As we've all heard, "Companies have to be right 100 percent of the time and the bad guys only need to be right once." Cyber hackers are very nimble, and no company can defend 100 percent of the time.
A response plan—with layers of security and defenses in place—is necessary for prevention and early detection. A response team should include:
(1) A forensics team to determine what happened
(2) Your IT 'SWAT team' ready to deal with remediation quickly
(3) Your disaster recovery business continuity plan if you've lost data
(4) A law firm that understands how to manage cyber events
(5) A data privacy person (or law firm) that can advise on disclosure procedures (state- and country-specific)
(6) Your cyber insurance provider (if you don't have this, discuss with your insurance broker)
(7) An external communications firm for public-facing correspondence (to work with your internal corporate communications group)
(8) A responsible business executive
We must do more on both the corporate and the building side to protect ourselves from cyber attacks. In the event one occurs, we must be prepared to respond quickly and appropriately. The word that comes to mind for that is 'resilience'. Organizational resilience is key for cyber survival, along with the institutional will to do those things.
Cybersecurity is an important topic and will be covered in-depth at Pre-Con: Cybersecurity Forum and in a dedicated track in the education program. Realcomm | IBcon 2019 will be held at the Nashville Music City Center on June 13 & 14 (Golf and RE Tech Tours June 11 | Pre–Con Events: June 12). Register today!