Cybersecurity is a risk well known to businesses and individuals alike. The possibility that someone can break into your IT systems, or into any other device connected to your digital marketplace (e.g. cameras, video conferencing, HVAC systems, printers), and disrupt your operations or collect information, damaging your business through loss of reputation with stakeholders, is not a new risk.
Well-known companies like Target and Yahoo, as well as state and federal governments, have been victims of cyberattacks. While real estate companies have not yet hit mainstream media headlines for cyberattacks, your business holds a wealth of information assets that make it a solid target for those trying to disrupt operations or collect sensitive drafts or engineering specs through a cyberattack.
What are some of the risks specific to the real estate industry?
Any organization that stores information digitally or uses any kind of IT equipment, even something as simple as a smartphone, is prone to a cyber attack. What makes an organization an attractive target is the nature of the information it holds and how easily that information can be acquired. Below are some examples of such information that real estate operations collect:
Tenant-Related Information:
- Residential real estate companies receive personal data about their current or future tenants at the time of their application process. It is also a common practice among these companies to collect and update tenant data annually. This information includes Social Security numbers of the tenants, annual income details, who they share their apartment with, the make, model and license plate information of their cars, etc.
- In this day and age of electronic payments, real estate companies may keep credit card information or bank account numbers of the tenants who sign up for electronic payments.
Risk to Operations:
- Mobility! Real estate is now more mobile than ever. Remote control of heating and security systems is spreading the digital footprint of the industry. When real estate companies use such systems or provide their tenants access to such systems, they expose themselves to the risk that a hacker can intrude and gain control of the equipment and start operating it to the detriment of tenants, clients, and the business.
- Huge technological advances have been made around energy conservation as we aim to lessen our carbon footprint and decrease costs. In one documented cyber attack, smart light bulbs were connected digitally and not secured. The hacker was able to gain access through a smart bulb and make their way to other systems.
- Much of the software used by real estate companies is cloud-based. The software contains important business intelligence on market rentals, potential and current tenant information, etc. which could expose those people and companies should an unwanted party get their hands on it.
- Ransomware attacks can prevent access to a company’s information systems. Imagine being in the middle of a transaction and suddenly the systems are being controlled by a remote computer. Unless a required sum of money is paid, access to systems will not be granted.
What can be done?
Cybersecurity is an ongoing risk and needs to be managed. There are a number of measures that a real estate company can take to mitigate this risk:
- Educate and train your employees and tenants. Just as friendly neighborhood policies exist, make your tenants aware of the information you collect, how you store it and how they can help keep it secure through complex passwords to your systems.
- Just as you have fire drills, conduct a “cyber drill”. Have ethical hackers conduct phishing email tests and see which of your tenants and employees fall prey. Then use the results of the tests to educate your personnel.
- Conduct external penetration tests of your systems and devices.
- Perform a risk-based analysis of your systems and identify all critical information and systems. Determine the extent of security and testing required for each of these systems so that there is more focus on the most vulnerable systems.
- Have a written action plan in place for addressing an attack in progress and its aftermath, setting out the roles and responsibilities of your team, similar to your disaster recovery and business continuity plans. Companies not only need to invest in resuming their operations and controlling damage to their reputations, but they also face the legal costs of any lawsuits that may follow. Talk to your insurers and learn exactly what risk-based scenarios (i.e. events) are covered.
Ask the Experts
Matthew Ferrante leads Withum’s Cyber and Information Security practice and is a former Top Electronic Crimes Special Agent. He provides security and security assurance for SMB to global enterprise-class businesses and governments, including critical infrastructure. He is recognized as a top-tier industry expert for providing appropriate due diligence on some of the largest and most highly publicized data breaches to date, including but not limited to data breaches involving Target, Neiman Marcus, Sony PlayStation Networks, Operation Firewall, Operation ‘Get Rich or Die Trying’, and much more. Matthew was with Barclays Bank in London, where he founded Barclays CFI/e-Discovery and was its first director.