Real Estate Cyber Risk: Are You Prepared?
Security breaches are, unfortunately, a part of our reality now. For industry, they have a high monetary cost, and cause erosion of the public trust. A company's reputation in such instances relies on staying apprised of cyber security protections, readiness, and a quick response to malicious events.
Executives at all levels of real estate organizations are spending more and more time on cybersecurity issues today. As innovation is driven by big data and smart analytics, a greater scope of connectivity between systems and buildings will require comprehensive and ongoing security strategies.
Historically, there are two areas of concern:
(1) Corporate Security and Information Technology: IT
These are the organizational systems and business applications employees use every day, including email, financial applications, HR applications, the internal corporate network, internet services, and more. This category is generally managed by the corporate security team, often within the technology function of the organization.
(2) Asset Operational Technology and Security: OT
Traditionally the main building systems, these now include networked building automation systems, as well as connectivity to the outside at all levels. Also known as the Industrial Internet, the physical buildings are increasingly integrated with sensors and wireless functions. Responsibility in this area may vary depending on how properties are operated; it may fall under the purview of the owner, a third-party service provider, building engineers, or a combination of entities.
These categories are converging, and yet the risk management process requires a certain amount of separation: because of inherent vulnerabilities, building systems should be separate from the corporate networks. In most cases, people—not their systems—are the biggest security risk. Consistent, ongoing security awareness and training are critical, as is constant monitoring.
The physical infrastructure is in some ways more susceptible to attack, simply because it's not traditionally as well managed by people versed in security as the corporate side. However, motive for an attack is important. Just because something is vulnerable doesn't mean it's prime for compromise; it may not be interesting for someone to compromise a system with little return. A company should focus its security efforts on the bigger targets that would yield greater gains for an intruder, and place better controls over who accesses, implements and maintains those systems.
Digital transformation leads to additional challenges
The digital transformation that's taking place in the real estate industry and the incredible investment in digital products means that the profile of real estate is increasing as never before. Real estate is now creeping into the top areas for nefarious infiltration. One reason may be that it's a softer target. Many real estate organizations are not subject to regulations from the SEC and other governing bodies; as an industry, real estate is not regulated the same way as banks and financial institutions, insurance companies, airlines, and utilities. These other industries have had more focus on making sure they are keeping themselves appropriately locked down.
Another reason, of course, is information. On the corporate side, real estate companies provide services that create volumes of data, valuable information in terms of transactions and money. This includes the data from supply chain contractors, third-party services, and tenants' personal data. This data is now on a network, and therein lies the potential exposure. Many companies servicing the industry operate in an entrepreneurial fashion, as contractors to large real estate organizations. Service and speed are important, and people need to work effectively—with all the access that entails. There must be a balance between security and efficiency, so that employees can do their jobs while still staying secure. As the industry standardizes security protocols, more third-party entities will be subject to vendor security reviews.
On the asset side, the goal of a comprehensive user experience is effectively changing the game. Capturing and tracking data about the user experience in a building creates information that's never been electronically available before and is no longer under closed proprietary systems. Consequently, there's an uptick in focus by the investment community about cybersecurity. This is driving behavior within companies to examine their security policies and programs.
Today, 90% of compromises start with business email and some kind of phishing attack, and they have become quite sophisticated. These emails appear to be from someone you know, asking for information or money. They may have a signature block that looks exactly like the one you are expecting. For example, a supplier who has completed a service ‘sends’ an email enclosing an invoice and new bank account or new wire instructions for payment. People develop habits that can be exploited by attacks like these because the procedure is familiar—it’s not anything unusual.
As time goes on, violations will become more creative. The Schneier on Security blog recently posted an article about hacking construction cranes. Cranes now have the capability for remote wireless diagnostics. Can you imagine a crane in the hands of someone intent on doing harm?
Another existing possibility exploits a very common activity: parking. Imagine the location is a high-value downtown Class A office building that contains building systems everyone uses. In many buildings you enter using your toll tag. The property manager is given the toll tag number and vehicle information. As a tenant, it's very convenient because there's no need for a fob or reader. However, the toll tag authority has credit card and other personal information; if a compromise occurs in the parking system, the attacker is a step away from possibly compromising all the personal information.
Resilience is the better part of valor
A majority of large companies have a security plan in place, with a budget and the requisite security officers. One disturbing statistic, though, is that only about a third of those companies have a good cybersecurity and incident response plan in place—and have it fully tested. As we've all heard, "Companies have to be right 100 percent of the time and the bad guys only need to be right once." Cyber hackers are very nimble, and no company can defend 100 percent of the time.
A response plan—with layers of security and defenses in place—is necessary for prevention and early detection. A response team should include:
(1) A forensics team to determine what happened
(2) Your IT 'SWAT team' ready to deal with remediation quickly
(3) Your disaster recovery business continuity plan if you've lost data
(4) A law firm that understands how to manage cyber events
(5) A data privacy person (or law firm) that can advise on disclosure procedures (state- and country-specific)
(6) Your cyber insurance provider (if you don't have this, discuss with your insurance broker)
(7) An external communications firm for public-facing correspondence (to work with your internal corporate communications group)
(8) A responsible business executive
We must do more on both the corporate and the building side to protect ourselves from cyber attacks. In the event one occurs, we must be prepared to respond quickly and appropriately. The word that comes to mind for that is 'resilience'. Organizational resilience is key for cyber survival, along with the institutional will to do those things.
Cybersecurity is an important topic and will be covered in-depth at Pre-Con: Cybersecurity Forum and in a dedicated track in the education program. Realcomm | IBcon 2019 will be held at the Nashville Music City Center on June 13 & 14 (Golf and RE Tech Tours June 11 | Pre–Con Events: June 12).