By Milan Tesanovich, JD
CISSP, CRMA, CRISC, CISM, CISA, ITIL-F
Sr. Security Consultant
Over the past five years, cyber security breaches have been increasing in number to the point where they are nearly making headlines on a daily basis. Cyber criminals are using a wide variety of attacks that threaten all industries, including commercial real estate (CRE). Several major brands have suffered significant cyber security breaches since mid-June 2017, including Anthem/Blue Cross Blue Shield, California Association of Realtors, Verizon, TalentPen/TigerSwan, and Equifax. Hackers have proven over and over that they can successfully target any industry, particularly those that are behind the curve on cyber security.
Not too long ago, the CRE industry had only one major worry—physical security. The goal of corporate espionage is to steal proprietary information in order to gain a competitive advantage over, or disrupt, a competitor’s business. Corporate espionage was once accomplished solely by physical means. Physical access restrictions and tight lips offered a substantial level of security, but the computer age has changed all of that.
Now, we hear and read a lot about “compliance.” State and federal legal and regulatory mandates such as HIPAA, GLBA, Sarbanes-Oxley, and FISMA compel regulated industries to implement system security plans. That is all well and good, but how many organizations use that mandate as an excuse to implement the “bare minimum we need to do to be compliant?” Cyber security experts will gladly remind you that “compliant” does not necessarily mean “secure.”
Unlike banks, hospitals, and governmental agencies—for which these laws and corresponding regulations were enacted and promoted—there is no federal law requiring CRE businesses to implement security programs to protect information and systems. Consequently, CRE firms must voluntarily employ best practices or run the risk of having vulnerable systems.
Among other things, CRE businesses are responsible for running, overseeing, and managing buildings such as hotels, senior housing, and multifamily residences, which have huge amounts of data. In a report released in late July 2017 by KPMG, 50 percent of the surveyed CRE firms admitted that they were not adequately prepared to prevent or mitigate a cyber attack. Therefore, the CRE industry must provide its own incentive to implement voluntary best practices for cyber security.
Firms must ask themselves these questions: (1) “What level of cyber security is appropriate for our industry?” and (2) “What is the economic impact if our organization fails to meet that level?”
Planning an effective defensive strategy requires embracing the tenet that CRE must stay one step ahead of the adversary. It starts with a risk assessment wherein you ask, “Who are the potential perpetrators, and what are the different types of cyber security threats they might pose?” Understanding the motivation, potential threat exposure, and appropriate response are critical. This becomes more complex when you factor in human relationships, including employees, business partners, and tenants.
Let’s look at potential areas where threats exist and should provide motivation for CRE firms to implement proper cyber security defenses:
- General Business Applications: Threats targeting networks and other systems such as email, social media, mobile platforms, cloud infrastructure, and file storage
- Tenant-Related Activities: Threats targeting real estate-specific information systems such as property management, lease administration, finance, treasury, etc.
- Internet-Connected Smart Buildings: Threats targeting smart, connected buildings that provide an “attractive nuisance” for hackers to exploit with mischievous behavior ranging from turning out the lights to serious physical damage, and potential threat to human life
Each threat contains inherent economic impacts, both tangible and intangible. Tangible economic impacts are things such as (1) customer breach notifications, (2) post-breach customer protection, (3) litigation and attorney fees, (4) technical investigations, (5) insurance premium increases, (6) increased cost to raise debt, and (7) operational disruption, all of which are easily measurable in dollars and cents.
Intangible economic impacts, which are harder to measure but no less costly, are (1) lost value of customer relationships, (2) devaluation of trade name, and (3) loss of intellectual property. Arguably, the most devastating impact is from operational disruption.
Regardless of whether or not legislative and/or regulatory mandates are imposed on CRE, the potential economic impact should be the primary driver for the implementation of cyber security defenses for your organization.