May 14, 2019

It’s Past Time for CRE Cybersecurity Strategy and Governance

Cybersecurity, data security and data privacy continue to be hot topics for all market segments, including Commercial Real Estate (CRE) companies. The bottom line is what’s at stake – the company’s financial harm, brand and reputational impact, and increased regulatory scrutiny and personal liability for business leaders, and of course the impacts to customers, clients and others in the value chain. 

Most cyberattacks are designed for financial gain – data for dollars. Personally identifiable information (PII) and financial transaction and account access are points of focus for most hacking efforts. The data suggests the trend will only increase.

Industry trends run straight into data security risks

Enterprise risk management (ERM) professionals identify cybersecurity risks as one of the fastest growing concerns across all industries. Federal law requires some industries, like hospitals and banks, to have some type of security in place, but the real estate industry is quite vulnerable. Here’s why and how this impacts commercial real estate:

  • Capital commitments are increasing and appear to be favoring non-traditional commercial real estate. More funds are being pumped into global markets with an apparent preference for newer business models like data centers and health care facilities. This translates to significantly higher levels of data security and data privacy responsibilities for all parties in the value chain.
  • Technology investments in digitization, data modeling, artificial intelligence (AI), the internet of things (IoT) and virtual intelligence (VI) are increasing. Smart, eco-friendly buildings are becoming the norm. Data-driven usage and operational efficiencies help CRE companies, property managers, tenants, and other industry consumers and vendors.
  • Cybertactics and strategies are developing rapidly. Prior data breaches (e.g., Equifax, Yahoo, Target) have fed data aggregation and analytics used on the darknet along with social engineering and sophisticated phishing scams. This information is readily available and sold to competitors, hackers, employees, previous employees and others, along with easy-to-use applications and services to invoke an attack against any company.
  • Use of third-party suppliers (outsourcing) is increasing for data processing, data storage, data analysis and other data and processing services, as well as common business practices such as payroll production. Vendor-management practices need to include controls and processes associated with availability, security, privacy, confidentiality and processing integrity. These service providers include software as a service (SaaS), infrastructure as a service (IaaS), managed service providers and other cloud-based solutions.

Understand where you are

CRE companies provide a plethora of opportunity for even the average hacker. Real estate agencies, title companies, lenders, real estate lawyers and others operating in the CRE space all handle personally-identifiable and financially-sensitive information such as social security numbers, bank account information and credit-debit card numbers – all of which can be used to defraud an organization and its customers. Here are some of the ways your data is at risk:

Business Email Compromise (BEC). A BEC is a cyberattack that tricks a business into wiring money to a criminal’s bank account. The hackers do this by spoofing email addresses and sending fake messages that seem like they are from a trusted business professional, such as the CEO or a company attorney. The FBI has found that multibillions in business losses can be attributed to BEC. One of the easiest and most effective ways to substantially reduce the risk of becoming the victim of a BEC scam is to implement a policy of never sending a wire based solely on an email. There should always be a way to verify the accuracy of the information in an email, such as talking to the individual who sent the email in person or by calling the person at a known phone number.

Ransomware. This is the type of malware that makes the data on your device or network unavailable until you pay a ransom. This is very profitable for hackers, of course, and is becoming more and more popular. All it takes is one member of your team clicking on a link in an email, and all of your data could be locked. In addition to operational systems, ransomware can target any device that is connected to the internet, including smart locks, smart thermostats and smart lights.

Cloud-Computing Providers. Like most businesses, real estate businesses rely on electronic information and systems to run day-to-day operations. A cyberthief doesn’t have to hack into a company to get its data; all they need to do instead is target the company’s cloud provider. In most contracts with cloud-computing companies, the customer (your business) is not well protected in the case of a cyberattack.

Understand where you need to go

We are long past assigning the safeguarding of this critical data solely to the information technology (IT) department. Company leadership has a key role to play in oversight and “tone at the top.” Action plans should touch on these areas:

  • Governance, responsibility and accountability begin with education. CRE companies need to understand where they are and where they need to go. Establishing an IT Risk & Security Steering Committee is key. This should include the company’s IT professionals, business leadership and critical data stakeholders (department leads, operations managers, etc.). Periodic meetings regarding critical data protection, including key metrics and progress against a plan, should be the main focus of this group.
  • Develop actionable priorities and a risk-remediation roadmap from a third-party assessment against a recognized, security-controls framework (e.g., NIST CSF, CIS 20). Similar to financial controls evaluation in a company’s annual audit, CRE companies should evaluate and establish a baseline regarding where they are relative to an industry-recognized security controls framework.  -This baseline helps establish priorities that may take several years to implement.  -The good news is that the highest risks are being mitigated early, and this sets the stage for continuous security advancement.
  • Change the security mindset and culture. Security is everyone’s responsibility. Enhance training and awareness, and use data-driven actions to improve the overall culture. Awareness is first, training is second, but an enduring security culture and improved behavioral change is the goal. This includes all employees, suppliers, third-party providers and even clients working together to ensure safety and security for all. 
  • Improve the skillsets and talents (internally and externally) associated with strategic digitization and security plans. This includes employees, clients, leadership, the board and your partners. Continually assess and improve the positions that touch, protect and secure critical data and processes of the company. The pace of technological change is progressing rapidly, and the company and investors should ensure that the right people, processes and technology are in place to protect the investment and clients.

How should CRE companies get started?

While the topic and associated efforts may be overwhelming at times, CRE companies need a step-by-step approach to mitigate these business risks. Cybersecurity comes down to understanding those risks and creating a plan to mitigate them.

CRE interfaces with so many companies and people that knowing where the data comes from and where it goes is critical to security. The first step a CRE company should take is to conduct an independent assessment against an industry-accepted security controls framework (e.g., CIS 20, NIST CSF). This effort should include a prioritized roadmap and plan to be shared with the board of directors (typically the Audit and Risk Committee). 

A data-driven response and action plan, aligned and supported by business leaders and the board, will go a long way to protecting a CRE company’s and clients’ data – and livelihood.

Your Team.

Unauthorized access to your data can lead to devastating financial, legal and reputational consequences. If you have questions or require additional information about cybersecurity, don’t hesitate to reach out to the author, Ray Gandy, Director and Leader of the IT Risk and Security Practice at CBIZ & MHM New England. You can reach Ray at (617) 761-0722 and rgandy@cbiz.com.

Cyber risk assessment screenshot

Accelerated Recovery Resources

Access articles and tools to help your business generate cash, improve leverage, and align & transform as you recover from the pandemic.

COVID-19 Resources

Access all COVID-19 related articles to help your business respond to the pandemic.

Insights in Your Inbox