Commercial Real Estate
7 Ways to Protect Your Commercial Real Estate Portfolio From Cyberattacks
Smart appliances, integrated HVAC systems and other Internet-enabled devices can help commercial properties compete for renters and tenants—but they can also attract the attention of cybercriminals. Learn how to help enhance the cyber readiness of your properties.
The risk landscape for businesses today is constantly changing. Cybercriminals have refined their tactics to be more effective—and it’s now easier than ever for anyone with basic technical skills to execute a cyberattack.
I recently met with Mike Kelly, Commercial Banking’s Head of Cybersecurity and Technology Controls, to discuss what investors should know to help protect their portfolios. Commercial real estate (CRE) likely isn’t the first industry that comes to mind when you think about a cyberattack, but there are substantial risks for those who don’t take the necessary steps to protect themselves and their properties. “There is no industry today that is immune to cyberattacks, and it’s important you’re educated on the steps you can take today to protect your business,” Mike Kelly said.
One potential vulnerability for real estate investors and owners is the increasing use of Internet-connected devices and systems. For example, many hotel and office buildings now offer amenities like Wi-Fi and smart appliances, while properties like shopping malls, hospitals and warehouses are updating to connected HVAC systems. Multifamily real estate owners are also using digital tools to engage with their tenant communities and safely store sensitive occupant information.
While connectivity can provide significant advantages—including improved building management, greater energy efficiency and cost savings—it can also draw the attention of cybercriminals. As criminals grow more sophisticated and look for new industries to attack, CRE investors need to take appropriate steps to enhance their cybersecurity.
Here are a few key takeaways from our conversation that investors can implement to help strengthen their cyber readiness:
1. Cybersecurity Starts at the Top
The consequences of a cyberattack can impact all aspects of a business, from stolen funds to reputation damage. Businesses should take a comprehensive approach to cybersecurity, which begins with leadership prioritizing it. Commercial real estate businesses are not immune to attacks—and leadership should take proactive steps to protect their organizations, including dedicating staff and funding, developing a cyber risk management plan, and ensuring that all employees and tenants understand their role in cybersecurity efforts.
2. Train All Employees in Cybersecurity Best Practices
The most vulnerable component of any connected system is the human being who uses it. Every employee has a stake in advancing cybersecurity, and investors/owners/operators should conduct regular cybersecurity training for all employees, including management. Employees should know how to identify common cyberattacks, such as social engineering exploits that target the human user through phishing schemes and email scams. Make sure all employees know to be extra cautious with money-wiring requests, even if they appear legitimate. Establishing processes and procedures for wire requests is a critical way to help protect your organization.
Cyber Fraud Scheme: Phishing
Criminals target employees at a company and send emails linking to a fake home page for JPMorgan Chase.
By logging into a fake website, targeted employees provide confidential information, such as passwords, that give criminals access to email accounts. Criminals also obtain security credentials for initiating payment instructions.
The employees fail to notify the company’s Information Technology department about the incident.
Using the legitimate email credentials, criminals authorize four fraudulent transactions totaling $300,000. The company is liable and criminals continue to have access to company information and systems until discovered.
To keep pace with evolving cyber threats, organizations should regularly conduct cyberattack simulations to gauge how employees react and identify ways to further protect the business.
3. Establish a Thorough Vetting and Ongoing Review Process for All Vendors
Any vendor is a potential source of compromise. This is true not only for vendors remotely providing digital services (such as cloud storage or cybersecurity monitoring), but also for third parties that access a secure network. An HVAC repair worker, for example, could unwittingly introduce a cyber threat by using infected devices within a system.
In addition to data loss, corruption or compromise, the consequences of a cyberattack can come in the form of reputation damage and legal liability. Companies may find that they are liable for damages after an attack, regardless of whether the offending party was the business, a vendor or even an occupant. To help prevent liability, CRE building owners and investors should ensure their vendor contracts clearly establish liability and responsibilities.
4. Use Robust Antivirus and Antimalware to Protect Systems
Using robust antivirus, antimalware and other cybersecurity programs is essential for guarding secure networks and systems. One critical aspect to this is that all cybersecurity programs must be updated and maintained. The cyber threat landscape is constantly evolving, and for cybersecurity programs to be effective, their databases and programming must be regularly updated.
5. Ensure Passwords Are Strong and Changed Regularly
Cybercriminals employ sophisticated programs to compromise employee credentials, such as usernames and passwords. A brute force attack, for example, uses programs that test millions of combinations of letters and words. Most password crackers become ineffective for passwords longer than 16 characters. In addition to password length, network users with access credentials should use passwords composed of capital and lowercase letters, numbers and symbols. These passwords should be changed regularly.
| Password | Time to Crack |
|---|---|
| Investor4Life | < 1 minute |
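The Python example below is an added illustration, not part of the original article. It compares a character-by-character brute-force estimate with a dictionary-aware estimate to show why a 13-character password built from common words can fall quickly. The guess rate, dictionary size, case variants and sample word list are assumptions chosen for illustration.

```python
import string

# Assumptions for illustration only; none of these figures come from the article.
GUESSES_PER_SECOND = 10**10   # offline attack against a fast, unsalted hash
WORDLIST_SIZE = 20_000        # size of an attacker's common-word dictionary
CASE_VARIANTS = 3             # lower, Capitalized, UPPER
SAMPLE_WORDS = {"investor", "life", "summer", "password"}  # constructed stand-in

def charset_size(pw):
    """Alphabet size a blind brute-force search would have to cover."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10)]
    size = sum(n for chars, n in classes if any(c in chars for c in pw))
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += 33  # printable ASCII symbols
    return size

def brute_force_guesses(pw):
    """Worst-case guesses when every position is searched independently."""
    return charset_size(pw) ** len(pw)

def chunk_cost(chunk):
    """Guesses needed for one token, or None if it is not a recognised token."""
    if chunk.isdigit():
        return 10 ** len(chunk)
    if len(chunk) == 1:
        return charset_size(chunk)
    if chunk.lower() in SAMPLE_WORDS and chunk in (
            chunk.lower(), chunk.capitalize(), chunk.upper()):
        return WORDLIST_SIZE * CASE_VARIANTS
    return None

def dictionary_guesses(pw):
    """Cheapest way to build pw from words, digit runs and single characters."""
    best = [1] + [None] * len(pw)      # best[i] = fewest guesses for pw[:i]
    for end in range(1, len(pw) + 1):
        for start in range(end):
            cost = chunk_cost(pw[start:end])
            if cost is None:
                continue
            total = best[start] * cost
            if best[end] is None or total < best[end]:
                best[end] = total
    return best[len(pw)]

def seconds_to_crack(pw):
    """Time for the cheaper of the two strategies at the assumed guess rate."""
    return min(brute_force_guesses(pw), dictionary_guesses(pw)) / GUESSES_PER_SECOND

if __name__ == "__main__":
    for pw in ("Investor4Life", "q7#Vd2!mXz9$Lp4&"):  # second value is constructed
        print(pw, f"{seconds_to_crack(pw):.3g} s")
```

Under these assumptions the character-level estimate for Investor4Life is 62^13 guesses, while the word-based estimate is only 60,000 × 10 × 60,000, which is why composition rules alone do not make a word-based password strong.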
6. Collaborate With Occupants
All network users have a stake in preserving cybersecurity through good cyber hygiene. In the context of CRE, this includes apartment tenants, hotel guests, office employees and even building visitors. The US Department of Homeland Security advises that building owners should use leases that define the occupants’ cyber obligations, as well as the limits of the building investor’s responsibility for individual cybersecurity.
7. Develop a Cyber Response Plan Before an Attack Occurs
The time to formulate an effective cyber response plan is prior to a cyber incident. This cyber response plan should detail, among other things: the roles and responsibilities of all stakeholders; the resources that can be brought to bear to end an attack and mitigate its damage; the third-party vendors who can conduct cyber forensics to understand the attack; and how the business and its employees communicate with tenants, lawyers, government bodies and the general public.