Data breaches reached new levels of alarm this fall, when Equifax, one of the major credit reporting bureaus, revealed it had been hacked. The company disclosed in early September that it had discovered a massive cybersecurity breach that potentially leaked private information affecting more than 143 million people.
Equifax’s revelation was another critical cybersecurity incident at a large company involving the theft of significant personal data, and the fact that it happened to one of the key players where credit information is stored was unsettling. That should serve as a stark reminder for the commercial real estate industry to step up vigilance and preparation for the inevitable attack. That’s especially true, given the pervasive and unprecedented technological innovations that continue to revolutionize and change the way commercial real estate is bought, sold, and managed.
Not only are buildings getting smarter through integrated technology, but regulators are also stepping up enforcement against any business that touches sensitive personal information. That means those in the CRE business who tackle increasingly complex financial transactions may hold sensitive information and will need to be responsive with cybersecurity plans, insurance and a new approach to fighting cyber crime breaches.
KPMG reports that one-third of real estate firms have experienced a cybersecurity event themselves, or at one or more of their properties in the last two years, though that number is likely higher since half of respondents also reported that they were not adequately prepared to prevent an attack (and, thus, may not know if they were infiltrated).
These breaches are a failure of leadership and culture, as much as they are failures of network security, say Daniel Dobrygowski, lead for Trust and Resilience, World Economic Forum, and an attorney whose practice and research includes privacy, security, intellectual property, and regulatory and competition law; and Dr. Walter Bohmayr, a senior partner at The Boston Consulting Group and the global leader for cybersecurity and IT risk, and a member of BCG’s internal Risk and Audit Committee. The two argue that we should learn that security isn’t an end in itself, but rather a mechanism to protect important values, one of which is privacy.
Cybersecurity experts note that there are a number of major issues that must be tackled before more secure environments can be achieved. It starts with hiring the right people who can look at the overall situation and come up with an innovative game plan to address problems. Typically, companies today bring in consultants or IT functional experts who only fix the day-to-day issues. Until companies really take cybersecurity seriously, it is likely breaches will continue to happen and may increase in severity.
Staffing to address IT needs and cybersecurity operations in the context of the entire organization will require a new approach, points out UMBC Center for Cybersecurity’s Richard Forno. Rather than trying to save money by outsourcing IT management, companies would be wise to build a strong in-house IT team that brings insight and knowledge about how networks and computer systems function, as well as institutional knowledge about how the company functions. Forno notes that cybersecurity involves both technical skills and a fair amount of creative thinking.
To be sure, IT teams require knowledge of specific products, services and techniques, as well as basic technical skills to perform essential job functions like promptly patching known vulnerabilities, changing default passwords on critical systems before starting to use them, and regularly reviewing security procedures to ensure they’re strong and up-to-date. Yet, today’s cybersecurity effort must involve those who understand the context of cybersecurity in order to be productive long term. That may encompass communicating with the public, managing people and processes, and modeling threats and risks, says UMBC’s Forno.
Avoid falling into a “cyber-complacency” trap, experts advise. That can happen when companies think they are safe simply because they’ve purchased “cyber insurance.” Insurance policies can be bought to cover the costs of response to, and recovery from, security incidents like data breaches. Equifax’s policy was reportedly more than $100 million. But, if the underlying threat and security problem is not solved, that could lead to a false sense of security, and may actually create a lack of urgency to proactively fix problems. IT experts say the industry could address the issue through better-designed products and administration of systems that employ effective security guidelines and practices.
Basic cybersecurity practices must be followed, too. That often is not the case, so cyber attackers find easy prey. Use of products and services, such as properly implemented identity theft monitoring, can help provide consumers with reassurance when problems occur. However, UMBC’s Forno notes with regret that it can be profitable for companies to remain vulnerable, since more money can be made selling to customers whose security is violated than by spending money to keep data safe. He believes proper oversight would protect customers from these corporate harms.
Given the lack of any federal law requiring real estate businesses to implement information security programs, it is easy to see why there are vulnerable systems. In the past, the types of real estate companies most vulnerable were those in the retail sector, primarily because they dealt with consumer transactions.
That’s changed with the times and sophistication of cyber attackers. Now, they are capable of misdirecting wire transfers and holding computer systems hostage. Industries or companies that fail to keep up are increasingly vulnerable.
Those attacks could take the form of a business email compromise (BEC), ransomware targeting either operational or physical systems, or attacks on cloud computing applications.
A BEC attack is one in which attackers, pretending to be business counterparties such as vendors or real estate sellers, convince a business to wire funds to criminal bank accounts. Ransomware, malware that encrypts data on computers and makes the data unavailable until a ransom is paid, has become an immensely profitable method for hackers to attack businesses. Hackers can also target trusted vendors like cloud providers that store other parties’ sensitive information.
To help prepare for and prevent cyber attacks, Gregory Stein, who serves as vice chair of the data privacy and information security group at the law firm Ulmer & Berne LLP, suggests:
- Develop a wire policy stating that a wire is never sent based solely on an email; verify the accuracy of the information in an email using two-factor authentication.
- Training can be an effective tool for lowering the risk of becoming the victim of an attack; better-trained people are less susceptible to becoming a victim of hacking or ransomware.
- Negotiate information security provisions with counterparties to real estate agreements.
- Back up systems; ransomware threats are most significant for impacted businesses without adequate backups; backups help remove the temptation to pay the ransom.
- Negotiate cloud computing agreements with additional protections often not included in standard terms and conditions.
- Cyber liability insurance can be an important way to mitigate risk.
Implementing protections could help reduce the chance of becoming a victim of an attack, or may improve a real estate firm’s ability to respond to cybersecurity incidents. Now that real estate businesses have emerged as a cyber target, it is important to prioritize and improve cybersecurity controls and programs. The result of taking appropriate steps could help reduce risk, and enable commercial real estate businesses to focus more on completing deals and managing assets.