Cyberattacks can wreak long-term havoc on all industries, including the commercial real estate sector, with higher-profile companies increasingly susceptible to security breaches that can cause both economic loss and reputational damage.
With the frequency and complexity of these instances growing, IT experts are urging companies to safeguard their assets by continually updating their security technology and protocols, maintaining training sessions that help employees recognize and deflect attacks, and executing simulations that can quicken reaction time and improve outcomes should a worst-case scenario unfold.
Phishing, the illegal practice of requesting private information, such as passwords and financial details, while posing as a legitimate company, remains the most common form of cyberattack and accounts for approximately 90% of all data breaches. This is followed by malware attacks, in which outsiders gain access to networks to steal information or manipulate data, and ransomware attacks, where companies are forced to pay criminals to unlock data or restore the use of a computer system. Insider threats, whether caused by negligence from existing employees, the acts of former employees holding a grudge, vendors or competing companies, are also rising.
According to a recent article in Real Assets Advisor, commercial real estate companies are encouraged to “follow data management and cybersecurity best practices, update security software and establish data backup plans.” When hiring a third-party contractor for any IT assignment, a diligent vetting process should ensue to “assess the company’s existing cybersecurity protocols as they could by extension be inadvertently exposed to vulnerabilities.”
The rapid increase in remote work practices has put additional pressure on IT departments looking to maintain secure communication channels and networks. Risks faced by companies include employees accessing their corporate email account when using unsecured home wireless networks or public Wi-Fi, transferring files between work and personal computers, exposing a computer screen in a public place, utilizing weak passwords and failing to encrypt data when sharing sensitive files.
An IT professional working for a commercial real estate development firm, who wished to remain anonymous, said he invests considerable time devising security awareness training and phishing simulations for company employees. This includes programs focusing on active threat detection and response using a network security appliance and hosted solution. The group also maintains a retainer with a cybersecurity company for specific incident response and forensics.
“Executives need to walk the talk and promote a strong cybersecurity culture,” stated Rick Arthur, Chief Information Security Officer for Hartman Executive Advisors. “The technology controls that firms put in place can only be so effective without completely locking down business activity. The security programs and technical controls are foundational, but driving a cybersecurity culture that applies to everyone – including regular briefings, education and testing – is critical. In many ways, the cybersecurity program needs to be discussed and managed the same way safety metrics and briefings are handled. Days without cybersecurity incidents should become a part of the firm culture.”
He added that remote and off-site work has contributed to the rise in incidents. “Unfortunately, firms that are not required to comply with a given cybersecurity framework tend to embrace cybersecurity once an incident has already happened,” Arthur said.