
7 Ways to Protect Your Commercial Real Estate Portfolio From Cyberattacks

Smart appliances, integrated HVAC systems and other Internet-enabled devices can help commercial properties compete for renters and tenants—but they can also attract the attention of cybercriminals. Learn how to help enhance the cyber readiness of your properties.


The risk landscape for businesses today is constantly changing. Cybercriminals have refined their tactics to be more effective—and it’s now easier than ever for anyone with basic technical skills to execute a cyberattack.

I recently met with Mike Kelly, Commercial Banking’s Head of Cybersecurity and Technology Controls, to discuss what investors should know to help protect their portfolios. Commercial real estate (CRE) likely isn’t the first industry that comes to mind when you think about a cyberattack, but there are substantial risks for those who don’t take the necessary steps to protect themselves and their properties. “There is no industry today that is immune to cyberattacks, and it’s important you’re educated on the steps you can take today to protect your business,” Mike Kelly said.

One potential vulnerability for real estate investors and owners is the increasing use of Internet-connected devices and systems. For example, many hotel and office buildings now offer amenities like Wi-Fi and smart appliances, while properties like shopping malls, hospitals and warehouses are updating to connected HVAC systems. Multifamily real estate owners are also using digital tools to engage with their tenant communities and safely store sensitive occupant information.

While connectivity can provide significant advantages—including improved building management, greater energy efficiency and cost savings—it can also draw the attention of cybercriminals. As criminals grow more sophisticated and look for new industries to attack, CRE investors need to take appropriate steps to enhance their cybersecurity.

Here are a few key takeaways from our conversation that investors can implement to help strengthen their cyber readiness:

1. Cybersecurity Starts at the Top

The consequences of a cyberattack can impact all aspects of a business, from stolen funds to reputation damage. Businesses should take a comprehensive approach to cybersecurity, which begins with leadership prioritizing it. Commercial real estate businesses are not immune to attacks—and leadership should take proactive steps to protect their organizations, including dedicating staff and funding, developing a cyber risk management plan, and ensuring that all employees and tenants understand their role in cybersecurity efforts.

2. Train All Employees in Cybersecurity Best Practices

The most vulnerable component of any connected system is the human being who uses it. Every employee has a stake in advancing cybersecurity, and investors, owners and operators should conduct regular cybersecurity training for all employees, including management. Employees should know how to identify common cyberattacks, such as social engineering exploits that target the human user through phishing schemes and email scams. Make sure all employees know to be extra cautious with money-wiring requests, even if they appear legitimate. Establishing processes and procedures for wire requests is a critical way to help protect your organization.

[Figure: Cyber Fraud Scheme: Phishing]

To keep pace with evolving cyber threats, organizations should regularly conduct cyberattack simulations to gauge how employees react and identify ways to further protect the business.

3. Establish a Thorough Vetting and Ongoing Review Process for All Vendors

Any vendor is a potential source of compromise. This is true not only for vendors remotely providing digital services (such as cloud storage or cybersecurity monitoring), but also for third parties that access a secure network. An HVAC repair worker, for example, could unwittingly introduce a cyber threat by using infected devices within a system.

In addition to data loss, corruption or compromise, the consequences of a cyberattack can come in the form of reputation damage and legal liability. Companies may find that they are liable for damages after an attack, regardless of whether the offending party was the business, a vendor or even an occupant. To help prevent liability, CRE building owners and investors should ensure their vendor contracts clearly establish liability and responsibilities.

4. Use Robust Antivirus and Antimalware to Protect Systems

Using robust antivirus, antimalware and other cybersecurity programs is essential for guarding secure networks and systems. One critical aspect of this is that all cybersecurity programs must be updated and maintained. The cyber threat landscape is constantly evolving, and for cybersecurity programs to be effective, their databases and programming must be regularly updated.

5. Ensure Passwords Are Strong and Changed Regularly

Cybercriminals employ sophisticated programs to compromise employee credentials, such as usernames and passwords. A brute force attack, for example, uses programs that test millions of combinations of letters and words. Most password crackers become ineffective for passwords longer than 16 characters. In addition to password length, network users with access credentials should use passwords composed of capital and lowercase letters, numbers and symbols. These passwords should be changed regularly.

Password                          Time to Crack
Investor123                       Instantly
Investor4Life                     < 1 minute
5RealEstatePropertiesLLC2000_     >100 years
4Score&7yrsAgo                    >100 years
2BorNot2B_ThatIsThe?              >100 years

6. Collaborate With Occupants

All network users have a stake in preserving cybersecurity through good cyber hygiene. In the context of CRE, this includes apartment tenants, hotel guests, office employees and even building visitors. The US Department of Homeland Security advises that building owners should use leases that define the occupants’ cyber obligations, as well as the limits of the building investor’s responsibility for individual cybersecurity.

7. Develop a Cyber Response Plan Before an Attack Occurs

The time to formulate an effective cyber response plan is prior to a cyber incident. This cyber response plan should detail, among other things: the roles and responsibilities of all stakeholders; the resources that can be brought to bear to end an attack and mitigate its damage; the third-party vendors who can conduct cyber forensics to understand the attack; and how the business and its employees communicate with tenants, lawyers, government bodies and the general public.

Commercial Real Estate Al Brooks
