Cybersecurity A Pressing Concern As Real Estate Companies Bring Sensitive Data Online

Although commercial real estate deals primarily with tangible assets, it is becoming an increasingly information-intensive industry, generating a number of highly sensitive and exploitable records and contracts.

Many CRE assets are physical, which may create a false sense of security among industry professionals. The information pertaining to renting, buying and selling, along with the dollars associated with those transactions, is being stored on company servers or in the cloud. Real estate data is more readily accessible than ever before, and as a result is vulnerable to a security breach, Berdon LLP Director of Operational Advisory and Risk Management Services Alexander Moshinsky said.

“Real estate may not be as aggressively targeted as financial services, government, healthcare or retail, but everybody is at risk,” Moshinsky said. “Property managers, brokers, agents, developers and appraisers hold a significant amount of confidential, third-party information in applications, credit reports and lease agreements.”

Cybersecurity Measures 

To protect confidential information, firms need to implement effective risk management controls. Rather than rely on one line of defense, companies should invest in multilayered security strategies that include preventive and detective controls, Moshinsky said. 

A firewall can be an indispensable safeguard for warding off hackers. Because cyberthreats like viruses, worms, malware, ransomware and phishing scams constantly mutate, IT specialists must continuously update and patch the firewall’s operating system and regularly review its rules.

“Firewalls are only good if you monitor, review and calibrate them, because hackers innovate, just like every other business, to stay competitive,” Moshinsky said. “As services and employees change, you have to update the rules.”

Hackers often use a trial-and-error strategy to see if anything penetrates. Since hackers vary the source and method of attacks, intrusion prevention systems, which monitor the content of data rather than from where it originates, are helpful in staying one step ahead of the attacker.

The industry is also heavily reliant on third-party contractors, who require temporary access to records to complete project-based work. It is imperative for CRE companies to check contractors’ permissions regularly.

Determining Vulnerabilities

It can be difficult for companies to anticipate a cyberattack, but there are services that can help make networks less vulnerable. Several companies have invested in penetration testing by hiring a certified, "ethical" hacker to see how far they can breach the security network.

Engaging a third-party hacker may be better than relying on the internal team to test the network. "White hat” hackers can test a system’s susceptibility to identity theft, worms and denial of service attacks from malicious, or “black hat,” hackers.

“It’s similar to an audit,” Moshinsky said. “Independence is important.”

Training Employees

Hackers often go after low-hanging fruit such as user credentials to gain access to company information. According to a study from Verizon, 63% of confirmed data breaches involved using weak, stolen or default passwords. Employees untrained in best password practices can be the weak link in a company's defense plan.

"Training company personnel on cybersecurity best practices is critical, as they represent a company’s first line of defense and its greatest vulnerability," Moshinsky said.

Moshinsky recommends internal cybersecurity training programs include a lecture or webcast on the topic, case studies that demonstrate employee participation in corporate cybersecurity efforts and a test to make sure employees have grasped and retained the material.

Firms can also implement frequent mock phishing campaigns and other impromptu tests to keep employees on their toes.

Looking Forward

More CRE assets are integrating connected devices, like smart door locks, creating new avenues for vulnerabilities and an increased need to enact measures to ward off hackers.

“If you’re a cybersecurity expert, you definitely won’t be unemployed, and that speaks to demand as well as the pressing nature of various threats,” Moshinsky said. “Since so much is at stake, new tools are constantly being developed and investments in cybersecurity are being made to confront mounting threats.”

To learn more about this Bisnow content partner, click here.