There’s a reason the cybersecurity industry reports an unemployment rate of zero and an estimated one million unfilled cybersecurity-related positions worldwide (potentially rising to 3.5 million by 2021). Cybercrime is projected to hit a global cost of over $6 trillion annually by 2021.* A single successful scam can easily net a cybercriminal between $50,000 and $200,000 for a week’s worth of work. 

Commercial real estate (CRE) has always been an attractive cyber target – a $16 trillion asset class offering sophisticated hackers a wealth of personal information shared in banking, leases, employment information, and multiple transaction points such as brokers, lawyers, and title companies. CRE cyber risks increased substantially with the trend toward smart buildings equipped with more connected features - automatic centralized control of a building's HVAC, lighting, badge access control, security systems, and other interrelated systems through a building management system or building automation system.

Enter COVID-19 – almost overnight, nearly all routine activities are now tied to remote capabilities. Everyone is online. Businesses are installing new applications and engaging new online platforms to facilitate remote operations, workforces are provided expanded network access, and residential tenants are ordering everything from groceries to cleaning supplies online. Information technology departments are stretched beyond capacity. It’s cyber threat and cyber risks on steroids.

A Collision Between Cyber Threat Actors and Increased Opportunity

As operations leverage remote work capabilities and the technology sector continues to develop unique virtual solutions for in-person functions, commercial real estate is finally making the jump from spreadsheets and pdf reporting to the digitalization of data with real-time access and analysis. With this shift, securing data has become an even greater facet of operational oversight.

Technology investments in digitization, data modeling, artificial intelligence (AI), the internet of things (IoT), and virtual intelligence (VI) are increasing. Smart, eco-friendly buildings are becoming the norm. Data-driven usage and operational efficiencies help CRE companies, property managers, tenants, and other industry consumers and vendors. Online availability of detailed data and insights into investment performance, rent collections, leverage, and other key information now drives decision-making.

Unfortunately, some of the AI used to automate security is making the technology designed to protect buildings more vulnerable. In its AI and Security series, VentureBeat notes that with each evolution of computing the trend is always toward more data stored in ways that, unfortunately, introduce unfamiliar vulnerabilities, larger attack vectors, and richer targets that attract increasingly well-funded bad actors.

According to the most recent statistics from the Federal Bureau of Investigation’s Internet Crime Complaint Center, the most common scam faced by real estate professionals is the business email compromise scam. The scam is reliant on a criminal convincingly posing as a manager, employee, or vendor through email and tricking someone into sharing data or sending money. Business email compromise scams are a multibillion-dollar field that hasn’t slowed down during the pandemic. 

The FBI’s daily number of cyber complaints has increased from 1,000 per day pre-pandemic to between 3,000 and 4,000 complaints per day, according to Tonya Ugoretz, deputy assistant director of the FBI Cyber Division. “We’re seeing the collision between highly-motivated cyber threat actors and an increase in opportunities they can take advantage of,” Ugoretz said during an April webinar hosted by the Washington D.C.-based nonprofit Aspen Institute.  

Leverage Technology, Evaluate Your Risks and Management Strategies

You already know that technology will not only play a pivotal role in a successful COVID recovery, it can also be a competitive advantage.

• 85% of employees who feel their company's technology is ahead of the curve say they love their jobs
• 70% of employees believe that technology improves work/life balance
• 48% of employees wish that their workplace technology performed the same way as their personal technology
• 42% of millennials would leave a company due to substandard technology

Realtors recognize these trends and have taken several steps to reduce cyber risks. Some are simple, like guidance in email signatures to advise clients outside a Realtor’s firewall or how to handle sensitive information and avoid scams. Meanwhile, the National Association of Realtors provides education materials, including a “Best Practices Cybersecurity Checklist,” and is advocating for the adoption of nationwide cyber standards for Realtors.

The use of third-party suppliers (outsourcing) is common for specialized operational functions. Outsourced payroll, managed IT services, data hosting, and Software-as-a-Services (SaaS) offer businesses both savings and efficiencies upon which the business model relies. However, each key vendor relationship has the potential to damage your business. For example, the SaaS application provider suffers a data breach or the company that stores your critical system backups burns to the ground taking with it years of transactional documents. Or, your payroll processor’s access to employee data provides an access point for hackers to deploy a ransomware threat. If you assess and anticipate those potential risks, you can survive their impact. Vendor management practices include controls and processes associated with availability, security, privacy, confidentiality, and processing integrity.

The way your company manages productivity, engagement risk, and the overall shift to a remote environment will be crucial going forward. If, like many organizations, you had to quickly ramp up and support a virtual infrastructure, expand videoconferencing and develop other remote operations, now would be a good time to reassess vulnerabilities and your overall program of cyber risk management.

Additional Resources 

• How Hybrid Remote Work Challenges Information Security Teams (podcast)
• Cybercrime and cybersecurity (video) and Data Privacy & Security (online content) provided by the National Association of Realtors
• It’s Past Time for CRE Cybersecurity Strategy and Governance (article)
• Cybersecurity Assessment – Test Your Cyber Threat Readiness (two-minute assessment)
• Technology Strategies to Improve Productivity & Manage Risks (on-demand webinar)
• What’s Next For Real Estate And Proptech After Covid-19? (Forbes)

Your Team

Unauthorized access to your data can lead to devastating financial, legal, and reputational consequences. If you have questions or require additional information about cybersecurity, don’t hesitate to reach out to the author, Tiffany Garcia, a Director in the CBIZ Risk & Advisory Services practice. You can reach Tiffany at 512-340-7423 and tiffany.garcia@cbiz.com.

* Source: the 2020 Official Annual Cybercrime Report from cyber researcher Cybersecurity Ventures and Los Angeles-based IT firm Herjavec Group Inc.