By Rita Pierre, CPA and Suzy Zaky, Berdon LLP
It is a common and dangerous misconception that cyberattacks happen to others — giant retailers, government agencies — but not to real estate companies.
You might be lulled into this belief because your company doesn’t house much in the way of consumer information or intellectual property. So, why would you even be a target? In fact, there are many reasons.
Hackers recognize that, more and more, all businesses including real estate are interconnected. IT systems, the cloud, mobile devices, and social media are just some of the points of contact and connection with outside third parties.
Where once there were no technological connections, we now see highly sophisticated technology controlling building access systems. It has been reported that in the recent cyberassault on Target, the initial intrusion came about using network credentials stolen from a provider of HVAC systems.
Transactions between owners, tenants, and vendors are now almost always carried out electronically — inviting a cyberassault. Open Wi-Fi networks also increase data breach vulnerability.
The problem goes well beyond theft of information. The intrusions of cybercriminals, hackivists, and the like can cause physical damage with the resulting costs impacting your productivity, your wallet, and your bottom line.
State disclosure laws vary and may mandate that a cyberattack incident is made public, resulting in issues with confidence in your security measures and damage to your reputation that may be irreparable and weaken your position in the marketplace.
Perhaps most disturbing is the fact that often there is a substantial lag time between the breach by the cybercriminal and the discovery by the victim and any remediation. During that lag, all sorts of damage can be inflicted.
Clearly, any threat with the potential to be massive, financially debilitating, and damaging to the longevity, stability, and reputation of your company requires a comprehensive cyber risk management strategy.
Here are some points to consider:
Size Doesn’t Matter: Smaller organizations mistakenly think that they can pass under the radar as a target too small for a cyberattack. That is simply not true. Equally dangerous, small organizations often don’t invest in IT professionals capable of setting up a defense and educating the team. In both cases, you are inviting danger.
Prepare From the Top Down: Companies should recognize that cybersecurity is not just an issue for the IT and operations people. Senior management needs to take a leadership role in determining who is accountable for cyber risk management.
To be effective, at least one senior-level executive should be responsible, for this task, lead a team, and be the go-to individual in a crisis. Stepping beyond your doors and remembering what happened to Target, you should also try to assess the readiness or vulnerability of your vendors.
Fortify Your Existing Technology: Assess what you have right now. Many real estate companies have insufficient password policies or are not current on vendor updates and patches resulting in outdated antivirus and anti-malware programs. These can only serve to heighten your risk of attack.
As you continue to increase your use of technology to stay competitive, improve efficiency, and grow, ongoing attention to data protection and security must be part of the process. See to it that you have people in your organization who have a sound understanding of the threat environment, available controls, industry standards, and regulations.
Address Your Greatest Vulnerabilities First and Develop Your Policies: Working with your chief information officer or senior IT professional, develop an understanding of the cyberthreat environment you are facing and learn about the various approaches cybercriminals might take.
Consider performing a risk assessment to determine where you are most vulnerable and what areas of the business you will address first.
Once you know where you are, you can prioritize and develop policies and procedures to get you where you need to be. Of course, senior management must fully support the cybersecurity policies and frameworks you suggest.
As this will involve financial investment, the company must set appropriate risk tolerance levels and weigh options in the face of the real or perceived threats to assets.
Invest in Awareness: Your own people can be your weakest link and your first and best line of defense, so it is prudent to invest in an awareness program for all levels that includes training on all new policies and procedures — with explanations as to why they are important.
So that the importance really hits home, demonstrate how a cyberattack can impact the lives and jobs of your employees. Recognize those within your organization who demonstrate an enthusiasm for this initiative and reward anyone who comes up with policy suggestions that may improve your security.
Test Your Crisis Management Processes: In war time, the words “battle stations” are heard many times before actual combat so that a crew can be prepared when the time come.
The same applies to your cybersecurity measures. You may already have a physical disaster recovery program in place; cyberattacks can be treated in much the same way.
Run through a simulated attack to see how well your systems and processes respond and amend any that fail or present weakness. Appoint a crisis management team whose task is to help restore operations with the minimum amount of down time and work disruption.
Detection: The Earlier, the Better: We mentioned that often there is a considerable lag between the breach and the discovery. It is possible to reduce that lag time.
Financial services firms have learned this “time is money” lesson, and real estate companies can take their cue and set up incident detection systems and monitoring procedures.
Today, companies recognize that maintaining a firewall is a basic form of technology security; however, many do not regularly assess whether the firewall continues to be configured properly. In addition, many companies do not take the next step by monitoring the activity logged on the firewall for any anomalies that should be investigated in real time.
These systems can be automated to correlate and analyze large amounts of data and red flag threat indicators.
The threat of cyberattack is simply a permanent part of modern life and real estate organizations are not immune. It is only a question of when a cybercriminal will get around to you.
The best defense is to take the offense and prepare a powerful and adaptable cybersecurity policy that gives you the best chance of repelling or blunting the impact of an attack. The cost must be measured against what you are willing to lose.