Evaluating Cybersecurity and Data Privacy in CRE

The world generates an incredible amount of data every day: 2.5 quintillion bytes in 2021. The world produced 94 zettabytes of data between January and December 2022. And by 2025, cloud storage will hold over 200 zettabytes of data.

All this data includes a wealth of sensitive information tempting for cybercriminals to hack. If you’re a CRE owner of healthcare, hotel, industrial, mixed-use, or retail properties, it’s important to take steps that mitigate any risk of data exposure or unauthorized release. As important as it is for landlords to protect their own sensitive data, it’s also important for them to protect their tenants’ confidential data.

Data Privacy-Related Risks Associated with Owning or Managing CRE

Historically, CRE has focused less on data privacy — especially compared to manufacturing, finance and healthcare, which tend to have sensitive data tempting to cybercriminals. While CRE owners haven’t needed (or stored) the same type of information, the growing prevalence of CRE-friendly technology has begun to attract the attention of bad actors.

Even if your data is locked down — or you’re not storing information as sensitive as other industries — a failure to practice good data security hygiene is an invitation to a data breach, leading to fines, revenue loss, and a damaged reputation. The most common cause of data breaches in 2022 was the use of compromised or stolen credentials, which cost an average of $4.5 million to resolve, took an average of 243 days to discover — and another 84 days to contain.

It’s a good idea to verify your CRE clients understand the risks of a data breach and that property owners understand the risks inherent in each of their properties, including:

  • Data breach liability, exposure or loss. If your clients maintain tenant data and suffer a breach, the tenants could potentially sue the landlord, as could the tenant’s employees, vendors, customers and clients.
  • Cost of data repair & recovery. It’s always a good idea to have a data recovery and restoration plan — and the plan should include SOP for proper data back-up as well as mitigating and reducing the effects of a data breach. 
  • Damage to tenant inventory or property. Should a hacker gain unauthorized access to an HVAC system and raise or lower the temperature, for example, it could damage a tenant’s temperature-sensitive products.
  • Safety concerns. A hacker gaining access to a building’s controls could manipulate air quality, lighting, even the elevators, causing a risk to tenants.
  • Loss of reputation & tenant trust. A data breach that disrupts operations or results in significant data loss/exposure could significantly harm a landlord’s reputation and business and not just in the short term but the long term as well.
  • Litigation costs. Depending on a data breach’s severity, tenants or companies whose data was stolen could bring a lawsuit against their landlord or building owner. The average cost of a data breach increased 2.6% in 2022 to $4.35M.

Understand Your Clients’ Level of Tech Sophistication

To provide the best site-specific cybersecurity advice, talk to your CRE clients about:

  • The class of properties they’re leasing
  • How the properties will be used and by whom
  • What services the property owner/landlord will provide the tenants

Here are a few possible scenarios. If you have a client leasing one of your climate-controlled warehouses, and the building controls are IoT-enabled, the HVAC and any other systems connected to the internet should have strong security. Otherwise, cybercriminal could find and exploit a vulnerability and potentially damage inventory, costing tenants serious financial harm.

Retailers, grocers, and restaurants have offered free Wi-Fi access to clients (and tenants) for years. While convenient, these unsecured networks remain vulnerable to hackers who could hijack the Wi-Fi network to infiltrate and cripple other building systems. 

CRE is well into the digital age, but with modernization comes the potential for other vulnerabilities through the Internet of Things (IoT) and connected devices. From HVAC systems and computerized air controllers to cameras/security systems and automated fire suppression/alarm systems, everything relies on the internet today — and these connections can attract malicious actors and external threats. 

Protecting Against Data Breaches

Whether you’re a CRE business owner, investor, landlord, or even a tenant, conducting a technology audit allows you to understand possible threats you or your clients face. A robust audit evaluates your IT infrastructure and how it’s used, identifies potential weak points, and helps guide strategies to mitigate potential threats.

This documentation creates a record of the measures you’ve taken to protect sensitive data — something your insurance company will want if you plan to get a cybersecurity policy. In general, a technology audit covers:

  • Inventorying the property’s integrated systems
  • Analyzing the systems’ configurations for remote access and operations
  • Identifying the person (or people) responsible for their maintenance (whether it’s the building owner, landlord, or tenant)
  • Documenting the findings in any lease as well as for the insurance company

Developing Comprehensive Security SOP

Because of the diversity inherent in CRE — and as we’ve show above — there’s no one-size-fits-all approach to cybersecurity and data privacy in this industry. One of the best strategies for developing the most effective plan for your business is to partner with a cybersecurity professional. They’re best equipped to help you:

  • Develop remote access and teleworking policies
  • A cyber incident response plan
  • An employee training policy on data security best practices
  • A computer privacy and BYOD policy
  • Appropriate steps for protecting your clients’ data (like contact and banking information) from cyberthreats

Are you a commercial real estate investor, looking for a specific property to meet your company’s needs, or seeking guidance on how to protect your CRE business from cyberthreats and elevate data privacy? We invite you to talk to the professionals at CREA United: an organization of CRE professionals from 92 firms representing all disciplines within the CRE industry, from brokers to subcontractors, financial services to security systems, interior designers to architects, movers to IT, and more. 

Related Articles