What Manufacturing Can Teach Real Estate About Cybersecurity
Commercial property owners are poised to learn a tough lesson about cybersecurity and physical equipment — a lesson manufacturers learned years ago.
As they bring technologies into their buildings, property owners may inadvertently create entry points for organized crime, hacktivists and other threats to access tenant data and even attack their systems.
“The manufacturing industry implemented these kinds of controls years ago and simultaneously invested in security to protect their operations,” Mazars USA Cybersecurity Practice Leader Atif Ghauri said. “Now, we’re seeing the same controls come to commercial real estate, but owners are reluctant to spend the money to compensate for the raised risk level, offering justifications such as 'Why would anyone attack me?'”
When it comes to advanced equipment, manufacturing is consistently improving, Ghauri said. By growing the capabilities of their wireless environments, manufacturers are able to increase revenue and reduce energy bills.
Seeing room for growth, property owners have been rushing to make similar upgrades. Security systems, virtual assistants and smart heating and cooling can help buildings deliver a more connected experience for their occupants and lower energy costs.
But when building owners implement these smart solutions, they often install them on their own unsecured WiFi networks. These networks can feed into a building’s main digital systems, providing a route for hackers to circumvent firewalls and other security defenses.
“A common misconception is, ‘If I have a firewall, I am safe,’” Ghauri said. “That sort of confidence can mask real danger.”
If they find their way into a building’s main systems, hackers and other threat actors can begin harvesting user data. They can then sell this private, sensitive data on a black market. Ghauri also explained that user hosts can be compromised and then sold as "bots" to other threat actors, who can use the bots as a launching point to attack other systems, including third-party vendors and businesses that work with the buildings.
Malicious actors could also wrest control of some of a building’s systems and demand a ransom — often paid in bitcoin — to unlock them. According to Verizon's 2019 Data Breach Report, ransomware represents 25% of attacks. When it affects physical infrastructure, ransomware can lock up data, shut down HVAC systems and even cause power surges.
Fortunately for real estate, the manufacturing industry has already come up with a solution by establishing “zones of control” within their security architecture, encircling vulnerable devices and systems, controlling data flow in and out.
“What manufacturing plants have learned to do is to firewall off the HVAC, the wireless environment and the plant environment,” Mazars USA Director of Cybersecurity Phil Jones said. “That ensures that there’s a single route between information coming in and out. That route can be strictly controlled and monitored.”
Often, Jones said, the weak links that get exploited aren’t the building’s systems, but third parties that control a building’s smart devices. While some vendors have made heavy investments into security to protect their users, others may not have been so careful.
“If hackers want to break into a really big company, they will target their third-party technology vendors,” Jones said. “This could be a mom-and-pop midsize company that doesn’t secure its environments, and threat actors use it as a back door.”
Jones counseled that building owners must select reputable third-party vendors that place an emphasis on security.
He added that bringing in cybersecurity expertise can keep building owners informed of the threat landscape and help them safeguard their occupants’ data. While many real estate enterprises are too small to warrant hiring a full-time chief information security officer, many can benefit from having a virtual CISO, an expert who remotely provides guidance and intelligence on a company’s security architecture.
“To bring on a qualified and talented CISO could cost hundreds of thousands of dollars a year, which doesn’t make sense if your security environment is not all that complex,” Jones said. “Real estate companies may only need to protect and tend to 10 external connections. A managed security service can meet their needs for a few thousand dollars a month.”
The main lesson that real estate is learning, Jones said, is that cybersecurity is not simply a one-time investment. All companies, small ones included, face a rapidly shifting landscape of new cyberthreats, and to safeguard their property, their security strategy will need to constantly adapt.
This feature was produced in collaboration between Bisnow Branded Content and Mazars USA. Bisnow news staff was not involved in the production of this content.