In Commercial Real Estate Cybersecurity Is Not Enough
Tom Shircliff, Co-Founder, Intelligent Buildings
Those of us in the commercial real estate community know that it has a very different operating environment and culture from other industries, especially when it comes to “front of house” technology such as building systems (e.g., HVAC, elevator, lighting, parking, access control, etc.).
Cybersecurity risks originate with the contractors that install and maintain those building systems. Because these risks are almost completely associated with the contractors, we must say that cybersecurity alone is not enough to secure buildings and is better approached as vendor risk management (VRM). Gartner defines VRM as: “The process of ensuring that the use of service providers and suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.” This is a broader view than just cybersecurity.
Why is VRM so important in real estate? One word: fragmentation. To state the obvious, the HVAC contractor doesn’t manage the parking control system, the access control contractor doesn’t manage the elevator or conveyance systems, and so on. Additionally, each contractor may or may not manage those systems in multiple buildings of a portfolio. Add to that broader geography separation, joint ventures, term contracts, and technician turnover, and it’s hard to imagine how leadership can communicate and manage policy across the portfolio with consistency, much less deploy technology solutions.
The other aspect of fragmentation is that the technicians generally do not work directly for the building owner; so it’s unlike a typical industry organization where the CIO can dictate technology tools and practices throughout all personnel in the company. In a study we performed on a 100-building portfolio, we found more than 300 contractor service companies, 600 separate monitor and control systems, 2,000 network connections, and over 3,000 technicians that can or do service the systems.
Yes, it’s still important to deal with IT aspects such as the networking and Internet access that have been in our buildings since the 1980s, but even the firewall from hell won’t stop some types of ransomware. One of your technicians might click on a malicious link in an email that could affect a system that was not backed up, and you may then be faced with the choice of bitcoin payments or total rebuild of the system. In another internal study we performed on 500 million square feet of commercial real estate office space, we found ransomware attacks were up 700% during 2020, and contractor technicians were opening phishing emails at seven times the rate of the general public. These results were staggering, and a big part of the problem is building owners and managers failing to create and enforce policy for cybersecurity, system configuration, back up, and other important practices.
So how do you deal with VRM in such a fragmented industry? You need complete vendor risk management. After 18 years in the smart building advisory business and conducting over 5,000 cybersecurity site assessments, we developed our managed services monitoring approach based on three key areas:
- Networking and Remote Access Management: Building systems are Internet-accessible and operate on local area networks. As a result, there needs to be proper server management and backup as well as “zero trust” remote access management. Zero-trust makes the systems invisible to the Internet and only allows one-to-one connections. Additionally, we determined that this solution had to be so simple that it could be “plug and play” including drop ship with a telephone call setup.
- Building System Backup and Configuration: While defending against hacking, we need to recognize that the building systems themselves are the “Alamo” and must be properly configured and backed up. Even if there is a network breach, a system with proper password protection, updated software, and disciplined credential management along with a backup will have far less risk of downtime or damage and can quickly recover by restoring the system.
- People Policy Management: Policy management includes communicating the policy to all technicians and staff, auditing the policy, and augmenting the audits with tailored phishing campaigns and automated training. The policy should be basic and quickly understandable, the audits should be fast and easy with a series of yes/no compliance questions, and the phishing messages should be tailored to the facility contractor industry segment.
In subsequent articles, we will break down each area while keeping them in the context of the overall approach. While we include all three aspects in a monitoring approach, they each have important characteristics worthy of examination. You can learn more at www.buildingcybersecurity.com and see a comprehensive video outlining the issues that create risk and some of the consequences, including insurance gaps, downtime, equipment replacement, network hopping, and brand damage.
This Week’s Sponsor
Intelligent Buildings® offers portfolio-wide cybersecurity site assessments and ongoing managed services including secure remote access, system backup and policy audits. We are the only company solely focused on real estate technology advisory, assessment, and managed services. Since 2004, we are the most trusted and experienced name in Smart Buildings. Find out more at www.intelligentbuildings.com.
Trusted PropTech News & Views Check out the Weekly Briefing for trusted PropTech news and views!
Changing the Rules: SEC Cybersecurity Updates for 2024 and What You Need to Know The latest SEC (Securities and Exchange Commission) ruling on cybersecurity governance requires companies to disclose material cybersecurity incidents they experience and to report, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.
How Insights are Driving CRE Investment Organizations worldwide are at a crossroads in their journey to successful hybrid working. In this time of change, it's crucial to use facts and data as guides for evolving organizational strategy.
AHR Expo 2024. A Snapshot Recap. Yet another AHR Expo is in the books. This year’s event was at Chicago’s McCormick Place and yes, Chicago did not disappoint with its weather this time of year (you all know what I mean).