Half of the businesses in the real estate sector admit to not being adequately prepared to prevent or mitigate a cyberattack, according to a 2017 KPMG study.
This constitutes an oversight, to say the least, by key players in the real estate field when it comes to the cybersecurity implications of digital transformation, and the new types of inherent risks. The reason for this relative absence of “cyber urgency” in real estate is perhaps the lack of, especially in the United States, a market-specific information security regulatory framework requiring business to adhere to and maintain sufficient cybersecurity controls. This reliance on regulatory direction, and in this case the absence of it, has led to the belief held by many real estate C-levels and stakeholders that cybersecurity is a mere compliance issue, having little to do with financial viability or business continuity. And since the real estate sector does not depend much on the heavily regulated tasks of collecting, processing and storing of personally identifiable information (PII), the sector doesn’t seem to sufficiently prioritize securing their information assets.
It can be argued that it is easier for real estate firms to comply with information security regulatory frameworks (like the GDPR in the EU) due to the limited range in which they collect, process and store personal data. And although the real estate sector generally falls outside the scope of industry-specific regulations such as HIPAA, SWIFT, FISMA, PCI etc., cyber risk is still relevant to their operations, financials, reputation and stock value. And this is because digital transformation refers to the broad adoption of automation technologies in all sectors, including real estate.
Digital transformation converges Information Technology (IT) and Operations Technology (OT) as they become more and more prevalent in successful management and decision-making in all businesses regardless of industry. The challenge of digital transformation lies in transforming existing manual activities into automated digital systems that can exceed human capacity, aiming to reduce costs, increase output and maintain more sustainable business models. However, this requires venturing into uncharted territory with regards to security, leaving organizations exposed to all kinds of risks related to information security.
The question remains: with more and more sensitive data extracted, processed and stored due to the inevitable and rapid digital transformation of today, how more exposed are we becoming through its inherent wider attack surface?
Let’s start from the basics.
Automation, data processing and data analytics vastly improve the design, planning, implementation, maintenance, management and supervision of real estate projects, asset management, or property trading. Today, every aspect of the real estate sector is affected by the implications of digitization, technology substitution, and task allocation. It is undeniable that technological advancements bring immense benefits to business efficiency and operational capacity, that also introduce their own risks to security and business continuity.
In other words, despite the new opportunities brought by new technologies, a broader use of technologies may also represent an expanded attack surface as well as unforeseen vulnerabilities to digital assets, intellectual property and operations for threat actors to exploit.
For this reason, digital transformation goes hand in hand with Security Transformation, simply because the enlarged exposure inherent in an increased reliance on data, digitization and technology, translate to bigger and more targets when it comes to cybercrime.
In the real estate sector, including smart city infrastructure, operational vulnerabilities are greatly expanding due to the proliferation of Operations Technology factors, such as sensors, IoT devices and APIs, internally or externally. A potential blackout or total data loss in a smart infrastructure due to a ransomware attack for example, can cripple operations and be devastating to an organization’s financial viability, continuity and brand reputation. The cost of remediating and restoring normal operational continuity after such a security breach can be enormous.
An increased susceptibility to cyberattacks against smart buildings, for example, comes from the broad adoption of Internet of Things (IoT) devices, sensors, automation technologies and even centralized control platforms. It only takes watching the 2018 movie “Skyscraper” to see how human lives can be threatened directly by a compromised real estate asset management system. From physical access control and security monitoring systems to biometric sensors and environmental controls, smart building management faces unprecedented and elusive cyber-threats as well as operational vulnerabilities, if security is not properly managed.
Now suppose a real estate business develops an online app for property listings. The app contains a number of unspotted bugs that constitute serious security flaws. These security vulnerabilities, including client-side injection, poorly configured certificates or authentication, and improper session handling, result in exposure to innumerable cyber-threats that are constantly evolving. Such a vulnerable property listing app can cause data leakage, privacy violations and other security incidents that carry high remediation costs.
Another example of susceptibility to cyberattack is the contemporary real estate sales process, which today involves digital marketing with automated lead acquisition funnels. The compromise of a detailed database full of real estate sales leads could divulge high-profile investors’ strategic interests to potential extortionists, stock market manipulators, political campaign saboteurs, or just thieves prospecting lucrative targets.
In a nutshell, real estate cyber risk emerging as part of increased automation and digitization includes threats such as security systems compromise, data loss, espionage, sabotage, extortion, and even cyber warfare.
In the age of technological advancement and a booming in security solutions, it is the illusion of relative safety that poses the greatest and most immediate threat in the real estate business. The costs of successful cyberattacks can range from hefty fines and reputation damages to data loss, sabotage, data theft, monetary theft and total disruption of business continuity.
Furthermore, with the enforcement of more and more complex privacy and cybersecurity compliance frameworks, the cost in penalties that may be incurred due to data breeches and security violations significantly increase financial risk in all sectors.
For the above reasons, IT and OT in real estate should go hand in hand with Security Transformation, simply because of the increased exposure inherent in digital transformation, and the widened attack surface it constitutes when faced with contemporary cybercrime.
A proactive approach to cybersecurity is always the most viable option, because the cost of an inevitable cyberattack is exponentially higher than the cost of maintaining an optimized security posture. Securing an organizational network environment should involve flexible cybersecurity solutions tailored to address individual organizational characteristics, regional considerations and industry-specific threats. Depending on the industry and organizational size/complexity, adopting a robust Next-Gen SIEM implementation with Advanced Security Analytics, and complemented by an Endpoint Detection & Response (EDR) solution, as well as 24/7 Managed Detection & Response (MDR) by a proven cybersecurity vendor, may constitute an absolute necessity.
With robust cybersecurity solutions in their arsenal, real estate businesses can then seize the opportunity to accurately quantify their cyber risk, triage cyber-threats relevant to their sector depending on severity and impact, and better position themselves to make informed decisions when determining their organizational risk appetite.
But the greatest safety precaution is a security-oriented attitude and mindset. Leaders in real estate are encouraged to foster a culture of vigilance and cyber awareness, always remaining up to date with the constantly evolving cyber-threat landscape, as well as staying abreast of the developments in cybersecurity as it relates to real estate sector idiosyncrasies and special considerations.