July 11, 2017 Maria Verdin

Is CRE Ready for Cyber Attacks? Cyber Attacks are a Real Threat to CRE

Torso of a manager is locking one virtual lock in a lineup of open padlocks. Business metaphor and technology concept for cyber security, critical data streaming, encryption and personal information.

Companies will spend a trillion dollars globally on IT security between 2017 and 2021, according to Cybersecurity Ventures’ recent Cybersecurity Market Report. The effort to thwart cybercrime is high on just about every CEO’s priority list, and even savvy commercial real estate leaders understand it is a threat they must also manage.

“Cyber attacks, which are prevalent in our society today and which will continue in the future, pose a significant risk to occupiers and owners of commercial real estate,” said Ed Wlodarczyk, a partner at Bespoke Real Estate Advisors. “It is paramount that occupiers, owners, managers and practitioners develop a cyber security plan that insures the safety and complete privacy of data and records housed on servers throughout the asset.”

Where do Cyber Attacks Originate?
Ironically, cybercriminals are typically sophisticated professionals who operate without big budgets, though are capable of disrupting much larger organizations. That can involve holding a company or its data hostage, creating chaos for a business and its communications, while compromising its ability to deploy critical resources.

Data breaches arise from several sources, including rogue employees, mistakes, such as when a laptop or mobile device gets lost or stolen, or by third party hackers. Increasingly, Internet of Things devices, email, mobile phones, wireless service providers, and even the building’s WiFi network, are creating new backdoors for cybercriminals to gain entry.

In the case of Target’s data breach, it was later discovered hackers got consumer credit card information via a third-party building monitoring service provider.

New technology in intelligent buildings allows remote control of systems, which are regularly accessed by many people. Everyday building systems such as HVAC, fire alarms, security, utilities, parking and CCTV generate considerable amounts of data as they monitor and safeguard buildings. That data can be used by cybercriminals. Thus, JLL EMEA’s Chief Information Officer, Chris Zissis says, it is important to determine which data is of value, so experts can deploy measures to secure it.

Typically, the IT systems managing the building’s physical components weren’t designed with security as a primary feature, as they focused on functionality. Now that systems for physical elements are merged together with technical IT systems, an attack has the capability of affecting a greater disruption or gaining access to a larger scope of interconnected properties and data.

The result is those who manage and own buildings, as well as those who transact deals on behalf of those assets, must take steps to protect against cyber attacks. That can encompass educating themselves and conducting thorough and regular due diligence.

Owners should insist that systems involved in managing the physical aspects of a building be continually assessed on cybersecurity, as well as conducting regular reviews of who can access data that’s generated, while updating legacy technology to reduce use of open-source systems that are easier to hack.

Cyber Plan Solutions
Bespoke Real Estate Advisors’ Wlodarczyk highly recommends that “prior to the time staff and employees move into a new location, the occupier hires an independent third party that specializes in cyber security to perform a vulnerability or penetration test/study of the occupiers’ systems. Likewise, owners and managers can establish protocols and add security products that will help secure the tenants’ space prior to occupancy.”

Protecting assets from a cyber attack requires constant monitoring and those threat management services can let a firm know how vulnerable they are by scanning and testing databases and networks for weakness. That process can help with compliance management, cover risk assessment, as well as the deployment of security best practices.

A cybercrime service provider’s resources can include security experts, ethical hackers, and researchers to monitor the latest bugs and scams. Monitoring resources that are tapped into a global threat database is wise too, so it receives the most current cyber security alerts and updates.

Cyber Attack Vulnerability
Security breaches can be costly, both in terms of financial impact, as well as reputation. IBM conducted a study that showed a single data breach could cost a company $3.6 million on average per company. The costs are expected to escalate as countries adopt requirements for remediation when data protection is deemed inadequate. That is an important consideration for CRE companies that operate global portfolios or when a client’s business is outside the U.S., since compliance may be required.

Another key factor to consider is regulatory liability when data is stolen. If personal information, such as medical information that gets stolen from a medical or insurance tenant in an office building, the owner may be held in violation of Health Insurance Portability and Accountability Act (HIPPA) regulations.

Stolen identities can be used to gain information about an owner and property, which then may be used to apply for a loan secured by the property, notes, Rinat B. Klier-Erlich at Manning & Kass Ellrod, Ramirez Trester. That can lead to other cybercrimes including tax refund fraud, credit card fraud, loan fraud or similar types of crimes.

Those processing sensitive or financial information, such as an escrow officer or title company, could be a prime target for cybercriminals. Experts advise to be wary of investors, especially from outside the U.S., that seek to rent or invest via email involving wired funds, or a mystery client that sends a check for deposit or one not properly vetted.

In escrow transactions, cybercriminals have assumed the identity of an involved party while the deal is pending. They can change escrow instructions, redirect brokers actions, re-route buyers trust funds to another account, or seek to profit in various other ways.

The continued proliferation of network breaches, data theft, and cybercrime will continue to impact and affect everyone involved in CRE – from brokers and owners, to investors and tenants. Essentially, any party involved in a real estate transaction, whether as a primary or a vendor faces the risk, and it would be wise for large and small companies to prepare for the attack.

Tips for Fighting Cyber Attacks
• Avoid instructions via email when handling funds
• Speak to parties personally and obtain instructions in person, preferably notarized
• If a client can only be reached by email, that may be a red flag since cybercriminals can and have altered email addresses and compromised communications channels
• Watch out for instructions that differ from a prior instruction via email
• Be wary of an instruction directing money to an out-of-state bank or different name
• Consider purchasing cyber insurance
• Use protected servers to send and receive emails
• Notify all parties immediately if email is hacked
• Greater scrutiny of employees when hiring
• Review and audit employee’s files
• Watch for small details that change, i.e. a different email address, nonsensical instructions, different signatures, different banks, new address, emails out of context or with poor writing
• Verify information personally with parties you know
• Request checks rather than wiring funds, since checks take longer to cash, have clearer payee indication, and if attempted to be deposited into a wrong account may be caught by the bank, which may be liable for releasing funds without matching names. That procedure is not carried out with wiring instructions
• Update purchase and sale agreements, leases, and loan documents to ensure cyber security needs are adequately addressed