Contact Us
Sponsored Content

As CRE Cyber Threats Grow, Study Says Middle Market Companies Are The New Targets


By now, most commercial real estate executives know that they can fall prey to a cyberattack, and many companies have already taken precautions to safeguard their transactions, data and privacy.

But with the number of data breaches growing, those precautions may not be enough to secure CRE companies — even small ones — against ransomware, malware and phishing. Worse, executives’ confidence in their companies’ preparation might be blinding them to glaring vulnerabilities.

According to RSM’s 2019 Special Report on Cybersecurity, middle market companies have become more popular prey for hackers, phishers and other malicious actors looking to steal valuable information and make a quick dollar at their victims’ expense.

“The second you are small enough to convince yourself that you don’t matter, you’re the key demographic,” RSM principal Daimon Geopfert said.

RSM’s study, which surveyed 404 business executives at midsize companies, found that 15% of middle market companies reported experiencing a data breach within the last 12 months. That is triple the percentage from just four years ago and up two percentage points from last year. 

Despite the growing prevalence of breaches in these smaller companies, confidence remains very high. The overwhelming majority — 93% — of middle-market executives said they are secure in their companies’ abilities to protect sensitive customer data. 

While that number may sound encouraging, the report cautioned that this overconfidence could mask potential vulnerabilities. Executives may think they are already covered; however, maintaining cybersecurity is a constant struggle. Companies’ IT teams may also not be giving their executives a full enough picture of the landscape of cyber threats.

“Executives may have a false sense of security, seeing their peers falling victim to attacks but fully believing that ‘it can’t happen to us,’” the report states.

But for these companies, breaches are becoming a matter of when, not if. Among respondents, 43% said malicious actors have attempted to manipulate their employees by pretending to be trusted third parties or company executives. These low-tech attacks — known as business takeover threats — can come through emails, phone calls and even in-person meetings.

Business takeover threats are especially common in CRE. According to the FBI, there was a 110% rise from 2015 to 2017 in the number of business takeover threats in the real estate sector.


Ransomware attacks, while less common, are often more costly. When asked if they knew someone who had suffered a ransomware attack, 35% of respondents said yes, and 20% said their own companies were affected by a ransomware attack.

While email phishing remains the most common source of ransomware in real estate, internet-enabled physical devices, like smart locks and smart lighting, can also open gateways to ransomware attacks. In 2017, attackers held an Austrian hotel network for ransom, demanding a payoff to unlock the network. Among other things, the attack took down the system of smart locks on the doors of the hotel's rooms.

In order to defray the cost of a potential cyberattack, many companies are now purchasing cyber insurance. RSM’s survey found that 57% of respondents’ companies had invested in such a policy. 

These policies can fill in the gaps left by general liability insurance, and rescue middle market companies from financial ruin: On average, a data breach costs $604K. But Geopfert cautioned that companies need to know exactly what their insurance policy stipulates. 

“Ensure your policy has specific requirements for penetration testing and security monitoring and confirm you are meeting those obligations,” Geopfert said. “If you violate the requirements of the policy, the insurer can claim that the policy is not in effect.”

Ken Stasiak, another principal at RSM, suggested that reviewing a policy with a cybersecurity adviser before purchasing insurance can make sure companies don’t end up in the lurch. 

“Cyber insurance is only as good as the application or questionnaire you fill out,” Stasiak said. 

Working with an outside adviser can also help companies make the most of their cybersecurity purchases. Most security tools are only so useful out of the box, the report stated, and they can require extensive tailoring to each organization. A consultant can validate that a company has the major parts of a security program in place. 

The bottom line: Protecting companies from cyberattacks has to be an ongoing project, the report said. While there are hundreds of steps that companies can take to make themselves less attractive targets for cyberattacks, their digital footprint may never be completely invisible. 

“You can’t hide your assets any more than you can hide your house,” Geopfert said. “That said, you know where your important belongings are. Do what you can to lock them down.”

This feature was produced in collaboration between Bisnow Branded Content and RSM. Bisnow news staff was not involved in the production of this content.