The commercial real estate industry has always relied on data — and with new tools available for collecting and analyzing it at a greater scale, it’s become even more valuable and tempting to cybercriminals. Real estate consultancy companies have listed cybersecurity concerns among the top 10 issues that could impact CRE in 2023.
While the threat is lower in real estate compared to other industries like education, finance, and healthcare, it remains a concern. Why? Because real estate transactions include a wealth of personal information including financial and personal data, insurance information, and social security numbers. Building tenants — whether retailers or restaurants, banks or families — also share personal information with their landlords. And that information must be managed properly and stored securely.
Commercial real estate firms also work with a wide range of vendors, with transactions regularly involving multiple parties. Here, the number of targets for cybercriminals to attack is even greater. One survey discovered 30% of real estate organizations had dealt with a cybersecurity incident within the past two years but only 50% of the firms had appropriate measures in place to prevent one. With ransomware attacks and other breaches occurring with increased frequency, robust cybersecurity measures are a necessity.
New Tech? New Threats.
While real estate as a whole remains lower on the priority list of cybercriminal targets, commercial real estate sees more ransomware attacks. Cyberthreats keeping real estate chief information officers up at night include:
- Organized cybercrime (69%)
- Amateur cybercriminals (48%)
- Insiders (40%)
- Spammers (37%)
- Foreign entities (27%)
- Competitors (16%)
Opportunities that may prove irresistible to cybercriminals include the increased connectivity of smart buildings. Modern office buildings and warehouses, for example, can have dozens of interconnected operational technologies and computer systems using the same network infrastructure to facilitate easy central access. Yet often, Internet of Things (IoT)-connected devices have weak or no security protocols. With more and more buildings adopting these systems, cybercriminals may see these vast attack surfaces as an easy, tempting target.
While infiltrating building networks via IoT-connected devices remains relatively rare, as more buildings are upgraded and constructed as smart buildings with technology, this link may become an easier point of access for hackers.
The highly sophisticated technology many CRE companies have implemented in their intelligent buildings offers many benefits. For example, integrating building management, comms tech, and business systems increases connectivity with tenants and vendors. This tech enables a real-time, comprehensive view of the facilities and their operating systems. The tech also facilitates better, more efficient adaptability to address specific tenants’ and building requirements.
However, there are cons to these enhanced systems, too, including:
- Adding layers of complexity
- Increasing data vulnerability from the interconnectedness of internet protocol-based networks, Wi-Fi networks, and HVAC and other industrial control systems
- Broadening the attack system with an operating ecosystem that has become “boundaryless”
What Are the Risks?
A Deloitte analysis of which commercial real estate properties are most at risk found the most vulnerable are hotel and retail properties. Here’s a look at the attack surface by property type and in order of most to least at risk.
- Hotel: Online payments/POS, employee devices, and open wi-fi access — all high risk
- Retail: Online payments/POS, industrial control systems/HVAC/BMS, open wi-fi access — all high risk
- Healthcare: Industrial control systems/HVAC/BMS, web server/network/cloud — all high risk
- Multifamily: Web server/network/cloud — high risk; mobile web applications, online payments/POS, employee devices, open wi-fi access — medium risk
- Datacenter: Industrial control systems/HVAC/BMS, web server/network/cloud — all high risk; mobile/web applications — medium risk
- Office: Industrial control systems/HVAC/BMS, employee devices, web server/network/cloud — medium risk
- Industrial: Industrial control systems/HVAC/BMS, web server/network/cloud — medium risk
The unifying entry that posed either a high or medium risk, whether via owner or tenant, is the web server/network/cloud. The data suggests that while some CRE sub-sectors might be less vulnerable than others to a cyberattack, taking precautions still makes good sense.
Cyber Risk Management Strategy
To secure CRE against cyberattacks, there’s no better time than to take the following steps. They’ll not only protect brokers, landlords, tenants, vendors, and anyone else associated with commercial real estate against known and emerging threats but also ensure compliance with current (and future) regulations and standards. A consistent, vigilant approach via better situational awareness across the tech ecosystem enables you to detect anomalies and violations. Finally, a robust security strategy also embraces resiliency, helping to establish a quick return to normal operations while hopefully minimizing any damage requiring repair.
Elevate cyber risk as a strategic issue across the company. Assign ownership and accountability for cyber risk management. Create and implement a governance model for management and leadership teams to use.
Develop frameworks and policies. Start by conducting a gap analysis to identify and understand threats. Then, compare current and anticipated cybersecurity levels — and finally, adopt best practices to ensure protection.
Invest in effective implementation. Identify weak points in the building’s technology infrastructure and lifecycle. Invest strategically in priority assets. Leverage simulations, modeling, and even cyber war-gaming to run drills and adjust policies and procedures.
Champion awareness and education. These steps won’t work without everyone’s buy-in and understanding of their importance. Offer training and education to employees about common cybercriminal activities like phishing, social engineering, and ransomware attacks. Don’t consider this step a “once and done” affair, either. Revisit it regularly, as part of new employee onboarding and regular refreshers for current employees. It’s worth the time investment.
Include building owners in this training, too, as they should be aware of (and up-to-date on) the operational technology (OT) threats to intelligent buildings. Understanding how cybercriminals can break into a building’s network-connected operating systems and from there infiltrate the IT systems is important. Comprehensive cyber insurance will help protect against catastrophic loss, but having systems and processes in place to meet minimum compliance and cyber insurance requirements is also necessary.
Are you a commercial real estate investor or looking for a specific property to meet your company’s needs? We invite you to talk to the professionals at CREA United: an organization of CRE professionals from 92 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more.
