Weekly Briefing

article sponsor image
Feature

Quantifying Cyber Risk: How Much Can a Security Breach Really Cost You?

5 min read
listen to article Listen to this article

Nearly every business has been a target to some form of cyber attack. This year, we’ve seen a major pipeline company and U.S. meatpacker become the latest victims of ransomware. The U.S. government even experienced one of the nastiest breaches to date from the SolarWinds Sunburst attack. While none of these examples fall in the realm of commercial real estate, that’s not to say this industry is immune to risk.

In fact, the opposite is true. Building owners, operators and all those working in commercial real estate are privy to sensitive data and operations that can be valuable to cyber criminals – like building management systems, tenant information and more. In an assessment of more than 400 properties in the Americas, it was found there were six common vulnerabilities within CRE networks:

  1. Flat networks
  2. Remote access
  3. Shared logins
  4. Patching
  5. Unmanaged switches
  6. Multi-factor Authentication (MFA)

These vulnerabilities offer fertile ground for hackers to infiltrate, especially in today’s remote/hybrid environments. And unfortunately, vulnerabilities often are not apparent until an incident has occurred. An attack as “simple” as a phishing email can wreak havoc on a network and cause damage. Other more serious attacks, like ransomware or the Verkada breach, can cost thousands (or even millions) to rectify – not to mention the damage done to the affected company’s reputation.


Take a moment to put yourself in the shoes of a company that has been breached. Have you given thought to how much an attack would cost your business – monetarily and in terms of lost time and productivity?


Quantifying your cyber risk can help put into perspective the ramifications of a potential attack and shed light on the importance of regular cyber training and maintenance. To illustrate the seriousness of a breach in the world of commercial real estate, let’s examine what happened to Verkada, then the practices and assessments needed to quantify your risk and prevent attacks.


Invasion of Privacy

How exactly were hackers able to gain access to so many customers? Bad cyber practices.


The group behind this attack was able to obtain control of a “super admin” account through credentials they claimed were publicly available on the internet. After 36 hours of access, the breach was remediated – but only after being reported to Bloomberg News. By then, it was too late. Hackers were given access to live feeds, as well as Verkada’s complete video archive, connected devices, and customer and financial information. The failure to maintain proper cyber practices essentially gave hackers access to billions of dollars’ worth of businesses’ data and information – and cost Verkada an indeterminate amount of money in damages.


Commercial real estate companies must remember they have access not only to customer information, but personal information and capital flow – which are all valuable assets to hackers. In the case of ransomware, attackers could demand thousands or even millions of dollars to release information back to the company.


There are few preventative measures you can take once an attack has begun, but there are tools to put in place to reduce your risk. There are assessments available to help you calculate risk and costs, as well as tools to implement to standardize your IT practices to prevent attacks.


Quantifying Risk: FAIR Assessments, Phishing Campaigns & More

Factor Analysis of Information Risk, or FAIR, is a standard for cyber risk quantification, expressing loss in terms of dollars and cents so business leaders understand why cyber security should be a priority. With FAIR, you utilize a core set of scenarios to account for most of the risk you would encounter. These scenarios are:

  • Foothold scenario – when an attacker gains a “foothold,” typically through phishing or malware, for access
  • Big Game Ransomware – after gaining access, the attacker ransoms your data/information/assets
  • Ransomware – general ransomware invades the network
  • Web App Attack – an attack performed against a web app on an external asset
  • DDoS – an attack launched by a Distributed Denial of Service
  • Inside error or misconfiguration – internal accidental loss through an error or misconfiguration
  • Malicious insider – when a privileged insider performs an attack with malicious intent

While there are always nuances or differentiators in any cyber attack, these scenarios form a baseline against which the FAIR assessment can be performed. Focusing on specific instances or assets would be much more time consuming.


FAIR has been adopted by financial institutions, government agencies and other corporations as the primary methodology for determining risk and where cyber investments are needed. For commercial real estate companies, FAIR can assess property assets (OT/IoT devices) and traditional IT assets to provide a comprehensive risk picture. The FAIR framework helps you identify any potential threats and valuate total risk. The FAIR framework follows four steps:

  1. Classify all systems
  2. Identify Threats
  3. Calculate the potential risk and probably impact
    • High – damage has been incurred and will be costly to repair
    • Medium – there is damage, but it can be repaired
    • Low – no damage incurred or easy repairs
  4. Assess control environment

Once these steps are complete, you multiply the impact of the threat to the business by the possibility it will occur – the NIST Special Publication 800-30 offers approximate impact and probability values. This provides you a risk rating, ranging from severe to low.


In addition to FAIR assessments, other basic IT practices should be implemented to lower your risk profile, such as phishing campaigns. Conducting campaigns to simulate phishing attacks with employees is an easy way to assess their knowledge and give them better understanding of what occurs in these attacks. In an assessment conducted by KnowBe4, one of the largest providers of security awareness training, it was found that the failure rates among customers were reduced by upwards of 30 percent after undergoing phishing campaigns and security training. This diminished the potential for being phished, which will prevent most breaches.


Next Steps

While cyber attacks within commercial real estate haven’t made the news recently, it certainly doesn’t mean leaders can start cutting corners on their cyber practices. Now is the time to act, before alarm bells start ringing and the costs start adding up. Use the FAIR methodology to quantify your risk and start investing in cyber training to save you and your customers time and money and help your business grow.

Don Goldstein, President & CISO, 5Q
As President, Don Goldstein is responsible for the overall leadership, operations, cyber security strategy, and direction of 5Q’s four service lines. He is an accomplished, award winning C-Level technology executive as Global CIO and CISO, with a distinguished 37-year career of providing robust technology and cyber security solutions to enable business growth. He possesses over 22 years of commercial real estate experience across all lines of business with the largest commercial real estate services, investment management and development company in the world.

This Week’s Sponsor

Yardi® develops and supports industry-leading investment and property management software for all types and sizes of real estate companies. Established in 1984, Yardi is based in Santa Barbara, Calif., and serves clients worldwide. For more information on how Yardi is Energized for Tomorrow, visit yardi.com.