A Cybersecurity Wakeup Call for the Real Estate Industry

By Wes Crews with SDI Presence

In this time of instant information, where everyone and everything is connected to the internet, there are amazing opportunities to improve speed and efficiency.  The real estate industry is no exception, embracing technology that improves efficiencies in building management and increased building security. However, this increase in technology adoption requires an equal increase in cybersecurity awareness. As a result of the numerous large-scale cyberattacks over the last few years, cybersecurity is starting to receive the attention of real estate executives that it deserves: According to a recent Real Estate Market Sentiment Survey completed by law firm Seyfarth Shaw from March 2019, “69% of respondents are concerned about a cyberattack hitting their business in 2019, a significant increase compared to last year (46%). “

This is a significant increase in awareness in one year.  However, given the unbelievable escalating cost of attacks to businesses in lost productivity, lost consumer confidence, and cost of remediation, the remaining percentage of executives need education.  Given the many players involved with real estate transactions (i.e., escrow companies, property managers, agents, financing, etc.), there are many opportunities for data and financial theft if an attacker exploits the right security flaw.  Real estate transactions are also usually large monetary investments, which increases the interest of cybercriminals.  Hackers also understand that when a person is buying, renting, leasing or selling a property, personal identifiable information (PII) is involved, which is a source of income on the black market.  A better awareness of these combined risks’ impact on real estate executives, employees and tenants can drive the much-needed cybersecurity assessment and budget allocation for remediation and programming that must be put into place.

Given the use of technology in the real estate market, cyber threats can come from many attack vectors. Many of the industry’s technological advances were not developed with cybersecurity in mind – instead as an afterthought.  Consider visitor management systems, software platforms that commercial office buildings rely on every day. As detailed in Wired  (https://www.wired.com/story/visitor-management-system-vulnerabilities/), SDI partner IBM identified a multitude of vulnerabilities in market leading visitor management systems that endangered sensitive data and created security exposures. The initial threat becomes exponentially amplified if the visitor management system is integrated with other systems that control physical security, like access control systems.

Minimally talked about cyberattack targets are the Internet of Things (IoT) devices that are now prevalent in both large and small buildings, and part of smart building initiatives.  IoT devices can be lighting control systems heating, ventilation and air conditioning (HVAC) systems, fire detection and suppression systems, security and access control systems - all of which are now operating on an ever-growing network.  These devices frequently contain older and less secure operating systems that are not kept current with security patches as often as they should be (if ever).  Hackers are aware of these security loopholes and are willing and oftentimes able to exploit these issues.  A devastating example is an exploit in which cybercriminals take over the Business Automation Systems (BAS) controlling a property, with the threat of shutting down the building until the property managers pays a ransom.  According to a recent article from American Security Researcher Stephen Cobb, this threat is real and has recently been used to shut down buildings of a client ( https://www.welivesecurity.com/2019/02/20/siegeware-when-criminals-take-over-your-smart-building/ ).

As building systems are shared amongst the tenants of a building, a security hole adds a unique liability question for building owners and building management companies. Building executives must consider their exposure should a breached property device cause the disruption of tenants’ business, life safety issues, and financial loss.

With these real estate-centric cyberattack scenarios in mind, real estate executives must drive cybersecurity measures necessary to protect their and their tenants’ business.  A few places to start include:

• Cyber awareness training for real estate employees – at all levels of employees and including building contractors that have access to target systems and information
• An enterprise vulnerability assessment that considers your property’s systems, data, access privileges, and policies in place, with a remediation plan to achieve an effective cybersecurity posture
• Cybersecurity monitoring of your property’s IT and Operational Technology (OT) environment, including 24x7 managed detection and response via a Security Operations Center

The real estate industry must acknowledge the cybersecurity risks they face every single day and take the necessary actions to protect their current and future business.