Cybersecurity Vigilance and Privacy Strategies: Realcomm Webinar Series Reveals Best Practices
Nearly every recent conversation about cybersecurity begins with clarifying the competing priorities between information technology (IT), operational technology (OT) and privacy. Each presents different challenges, and strategies can vary significantly from one organization to the next.
Overview
The unique skillsets required to respond to each risk area highlight the need to analyze them individually, but their collective threat to all business processes cannot be understated. Commercial and corporate real estate executives are realizing that multiple threat vectors must be addressed simultaneously as part of a company-wide cybersecurity and privacy program.
Traditional business continuity and disaster recovery plans have extended beyond the boundaries of technology into incident response plans that demand collaboration across multiple business units. Cybersecurity insurance policies require companies to provide details about their cyber program to qualify for coverage. There are growing concerns about the type of data being collected by building owners and how it is being used. The volume of data collected by technology companies, individual businesses, and even world governments is raising privacy alarms across the board.
IT Cybersecurity
In past years, companies implemented IT business continuity and disaster recovery plans that focused primarily on their response to an extended server or network outage. With the steady increase in security incidents, ransomware attacks, and privacy breaches, businesses today understand the threat extends well beyond the IT department. Senior executives are now participating in tabletop exercises that result in detailed Incident Response Plans (IRPs) that analyze multiple business processes and each department’s ability to restore normal operations. They must also be prepared to answer media inquiries and protect their brand’s reputation. During Realcomm’s IT Cybersecurity webinar, Cecilia Li, CIO at Urban Edge Properties remarked, “By participating in realistic cybersecurity tabletop exercises, our senior executives were convinced of these threats and the risks they posed to all business areas. They quickly authorized the necessary resources to develop, test and refine appropriate incident response plans that addressed these issues.”
Panelists discussed the need to make sure that each IRP is periodically tested. IRPs should be tailored to each function, as there are different responses by tech teams compared to business units. If a third-party security service will be part of the strategy, they should provide 1) Regular and systematic recommendations for improvement, not simply an annual assessment; 2) Best practices based on their wider experience with other clients, and 3) Consistent delivery of new solutions addressing emerging threats.
Company-wide Security Awareness Campaigns are also valuable, provided that policies are updated regularly and (most importantly) communicated effectively so that people fully understand the processes. Successful strategies included events (Cyber Awareness Month, Hacktober), gamifying responses with prizes and recognition, and relating corporate security to personal security, which most people already cared about.
When live audience questions came in about where to find useful assessment criteria, the discussion shifted toward the NIST Cybersecurity framework and Center for Internet Security (CIS) Controls. These frameworks are a good start, but the Real Estate Cyber Consortium (RECC) provides industry-specific resources for any CRE company to collaborate with others who have already advanced their cybersecurity program.
OT Cybersecurity
The operational technology (OT) concerns must be approached differently. IT’s servers, network devices, and end-point devices are patched regularly on predictable weekly cycles. Building management systems (BMS), access controls, HVAC, and lighting systems are typically installed to function for several years without an update. Building engineers are reluctant to patch their active BMS due to high levels of uncertainty and no available test environment. These legacy systems may have been installed 10 - 20 years ago when cybersecurity attacks were less common. Today, companies are more likely to pay 3rd-party consultants to provide a full assessment of their building’s network configuration, physical security vulnerabilities, and prioritized risks.
Panelists on Realcomm’s OT Cybersecurity webinar shared their thoughts on physical security, devices and the need for effective change management.
Bayron Lopez, Director of Operational Technology at Kilroy, described his organization’s implementation strategy and the foundation that allowed them to achieve security at scale. “Standardization across the board helped us avoid headaches down the road.” he said. “The biggest benefit was internally bringing all the functional teams together and agreeing on what was needed.” He also said Kilroy’s IT and OT departments are in constant communication. “When a problem happens, we are all IT, whether it’s a corporate server or a building. We are all responsible for it, with synergy between us.”
Sandra Shadchehr, Director of Buildings Technology Service at GSA, shared their cyber journey of the last decade, over an immense portfolio while keeping continuity of service. “There is no silver bullet,” she said. “It’s an iterative, multi-pronged approach with all parties engaged. Everyone has to be aware of the risk and co-own that risk. We’ve been very successful with that.”
Panelists agreed that being proactive about partnerships was critical. Streamlining preferred service and product vendors was critical in ensuring accountability, identifying product security vulnerabilities (that are part of the natural lifecycle), and standardization that enables quick action if needed. This also enables future ease for upgrades, patches, or changes to policies and physical sites.
Privacy
During the Cybersecurity Privacy webinar, polling revealed a large portion of the live audience had concerns about the volume of data being collected by public venues and the ease at which it could be obtained, stored, and analyzed. Property owners confirmed their ability to consolidate Wi-Fi and Bluetooth device information with video analytics, human movement, and physical feature classifications. While applications normally anonymized the data, the technical capability to identify individuals is readily available. Examples of questionable data collection practices by such companies as Uber, Lift, On-Star, and Google accentuated the concern about how much information is available in many public forums and through mobile devices. Even concerns about how far governments may go to collect personal information are outlined in this 2019 document, “The Digital Surveillance State of China."
Property owners do have a responsibility to keep all occupants safe within their building, but doing so can come sometimes at the expense of personal privacy. AI combined with video surveillance can be useful in identifying weapons within the building, medical emergencies, and other unsafe conditions while automatically notifying first responders. However, the exact same technology can be used to accurately identify fans in the stands of a stadium, potential customers passing a storefront, or even unsuspecting citizens through contact tracing.
Conclusion
Most modern real estate companies have a cybersecurity program in place. Our live audience poll revealed that almost 90% rated themselves as intermediate (some written procedure, no audit findings so far) to advanced (published procedures, tabletop exercises, response plans). All panelists agreed that while IT and OT cybersecurity concerns are different, they must be addressed collectively as part of a comprehensive program.
Incident response plans must integrate all aspects of the business. Senior executives who participate in tabletop exercises will gain valuable insight during the IRP development process. CRE companies must protect the personal and private information of investors, employees, guests, and building occupants. All indicators confirm that cyber-attacks will continue to increase in frequency and sophistication. CRE companies must use every advantage to prepare and respond to these threats.
This Week’s Sponsor
Yardi® develops and supports industry-leading investment and property management software for all types and sizes of real estate companies. Established in 1984, Yardi is based in Santa Barbara, Calif., and serves clients worldwide. For more information on how Yardi is Energized for Tomorrow, visit yardi.com.
Read Next
Making Visitor Management a Welcome Experience If you’re in CRE, you already know the challenges of managing and tracking visitor access at your properties.
Shadow IT: The Hidden Threat to Real Estate Companies In today's rapidly evolving technological landscape, the emergence of Shadow IT poses significant challenges for organizations, particularly in the commercial real estate sector.
How Bridge Investment Group Cut Manual Data Entry and Improved Onsite Productivity In CRE, efficiency isn't just a goal; it's a necessity for survival. Leveraging technology as a means to cutting through operational drag and optimizing employee productivity has become a competitive imperative for success.
Updated Enterprise Architecture Overview for Corporate Real Estate and Facilities: Are We Still Treading Water or Making Progress? Realcomm has released an updated version of its Corporate Real Estate and Facilities Information Management Systems Enterprise Architecture Overview infographic.