Business Continuity ESG Blog

Cyberattacks in CRE: A Growing Threat

Written by William Tygart | 12/18/24 3:17 PM

Cyberattacks are an increasingly common threat to businesses of all sizes, and the commercial real estate (CRE) industry is no exception. In fact, the real estate industry has been the second largest target of cyberattacks since mid-2017 [1]. These attacks can disrupt operations, compromise data, and damage reputations, making it crucial for CRE businesses to understand the risks and take steps to protect themselves. Cybercrime costs the global economy about $445 billion each year [2].

Types of Cyberattacks Targeting CRE Businesses

Cyberattacks come in various forms, each with its own unique characteristics and potential impact. The CRE industry is particularly appealing to cyber attackers because real estate transactions contain significant amounts of personal information, including financial data, Social Security numbers, driver's license numbers, passport numbers, insurance information, and passwords [3]. Organizations are increasingly storing this information in the cloud, which may make it more accessible to hackers [3]. Additionally, real estate companies work with a variety of vendors, and each transaction may involve several parties, providing ample opportunity for an internal or external bad actor to wreak havoc [3].

Some of the most common types of cyberattacks that target CRE businesses include:

  • Malware: Malicious software designed to harm or steal from a device within an organization. This broad category includes viruses, Trojan horses, and worms [4]. For example, a virus might attach itself to a legitimate file and spread throughout a network, infecting other files and programs.
  • Ransomware: A type of malware that encrypts critical data, preventing businesses from accessing essential information and disrupting their operations. Attackers typically demand a ransom in exchange for the decryption key [5]. For instance, a ransomware attack could encrypt a CRE firm's property management system, preventing access to tenant data and lease agreements.
  • Phishing: An attack where cybercriminals attempt to steal information by tricking someone into downloading a malicious file or clicking on a malicious link. This can lead to the installation of malware or the compromise of sensitive data [6]. For example, a CRE employee might receive a phishing email that appears to be from a trusted source, such as a bank or a vendor. The email might contain a link that, when clicked, downloads malware onto the employee's computer.
  • Password Attacks: Cybercriminals use various techniques to steal passwords, such as brute-force attacks, dictionary attacks, and phishing. Weak or reused passwords make businesses more vulnerable to these attacks [7]. If a CRE employee uses the same password for multiple accounts, a hacker who gains access to one account could potentially access other accounts with sensitive information.

Case Studies of Cyberattacks on CRE Businesses

While specific case studies of cyberattacks on CRE businesses are limited, it's important to recognize the potential impact of these attacks. The research indicates that real estate transactions often involve a significant amount of personal information, including financial data, Social Security numbers, and other sensitive details [3]. This information is highly valuable to cybercriminals, making CRE businesses attractive targets.

The following examples illustrate the types of consequences CRE businesses may face:

  • Data Breaches: A cyberattack on a CRE firm could lead to the theft of sensitive tenant information, lease agreements, financial transactions, and personal data. This can result in significant legal and financial repercussions [8]. For example, a data breach could expose tenants' personal information, leading to identity theft and potential lawsuits against the CRE firm.
  • Operational Disruptions: Cyberattacks can disrupt critical business operations, such as property management systems, financial transactions, and communication networks. This can lead to delays, financial losses, and reputational damage [9]. For instance, an attack on a CRE firm's email system could disrupt communication with tenants, vendors, and investors, leading to delays in lease negotiations and property management tasks.
  • Reputational Damage: A cyberattack can damage a CRE firm's reputation and erode trust with tenants, investors, and partners. This can lead to lost business opportunities and difficulty attracting new clients [10]. Cyberattacks can also damage a brand's long-term credibility by lowering its share price [11]. For example, if a CRE firm suffers a data breach, tenants may lose confidence in the firm's ability to protect their information, leading them to seek alternative properties.

Resources and Guides for Preventing and Responding to Cyberattacks

CRE businesses can take proactive steps to prevent cyberattacks and mitigate their impact. Here are some key resources and guides:

Prevention:

  • The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA): Provides resources and training for small businesses to help prevent cyberattacks, including the "Stop Ransomware" website and the "Stop.Think.Connect" campaign [12].
  • The Small Business Administration (SBA): Provides resources and guidance on cybersecurity best practices, understanding common threats, and dedicating resources to improve cybersecurity [13].
  • Conduct regular cybersecurity risk assessments: Regularly assess your systems and processes to identify vulnerabilities and implement necessary security controls [14].

Response:

  • The Federal Communications Commission (FCC) Cybersecurity Planner: Offers guidance on cybersecurity controls and business continuity and disaster recovery preparation [15].
  • The Federal Trade Commission (FTC) Data Breach Response Documents: Provides information on data breach response and vendor security [15].
  • Have a pre-planned strategy: Develop a Cyber Incident Response Plan (CIRP) that outlines the steps to take in case of a cyberattack [16]. This plan should include a designated incident response team, a communication strategy, data backup procedures, and a recovery process.
  • Business Continuity Plan/Disaster Recovery (BCP/DR): Having a BCP/DR process in place prior to a cyber incident is crucial for a successful and expeditious recovery [15].

Other Resources:

  • The PCI Security Standards Resource Guide: Offers tips to protect online businesses from cybercriminals [17].

Cybersecurity Insurance for CRE Businesses

Cybersecurity insurance can help CRE businesses mitigate the financial impact of a cyberattack. A cyber insurance policy is usually divided into two categories: first-party and third-party liability coverage [18]. First-party coverage protects the insured's own losses, while third-party coverage protects against claims from others.

Key features of this insurance include:

  • Coverage for Data Breaches: Helps cover the costs associated with notifying customers, providing credit monitoring services, and legal fees [19].
  • Protection Against Malware and Ransomware Attacks: Provides financial assistance to recover from these attacks, including data restoration and system repairs [20].
  • Coverage for Business Interruption: Helps compensate for lost income and expenses resulting from a cyberattack that disrupts business operations [19].
  • Cyber extortion demands: Coverage for expenses related to responding to extortion threats, such as ransomware attacks [19].
  • Forensic investigations: Coverage for the costs of investigating a cyber incident to determine the cause and extent of the damage [21].
  • Public relations expenses: Coverage for the costs of managing the public relations fallout from a cyberattack [21].

The cost of cybersecurity insurance varies depending on factors such as the size of the business, the type of data handled, and the level of coverage desired [20]. Some companies that offer cybersecurity insurance for CRE businesses include:

| Company | Key Features |
| --- | --- |
| CRES Insurance | Offers cyber liability options as part of their real estate errors and omissions insurance [22]. |
| Insureon | Provides cyber liability insurance for real estate businesses to cover expenses associated with data breaches [19]. |
| Next Insurance | Offers cyber liability insurance that includes a suite of cybersecurity tools, expert response, and financial assistance after cyberattacks [20]. |
| Boost Insurance | Provides commercial cyber insurance for small businesses, offering extensive protection at fairer pricing [21]. |

Government Regulations and Industry Standards for Cybersecurity in CRE

While specific government regulations for cybersecurity in CRE may be limited, several general regulations and industry standards can help guide CRE businesses in protecting their data and systems. It's important to understand the distinction between cybersecurity regulations and frameworks [23]. Regulations are legally enforced rules, while frameworks provide guidelines and best practices.

Here's a table summarizing some key regulations and standards:

| Regulation/Standard | Description | Citation |
| --- | --- | --- |
| Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) | Requires covered entities to report cyber incidents and ransomware payments to CISA. | [24] |
| SEC's new cybersecurity requirements for publicly traded companies | Creates new obligations for reporting "material" cybersecurity incidents and requires more detailed disclosure of cybersecurity risk management, expertise, and governance. | [25] |
| ISO 27001 and ISO 27002 | International standards for information security management systems (ISMS), providing guidelines for certification, audits, and implementation of effective security controls. | [26] |
| ISO 27031 | Provides guidance on information and communications technology (ICT) readiness for business continuity. | [27] |

The Role of Technology in Mitigating Cyberattacks in CRE

Technology plays a crucial role in mitigating the risk of cyberattacks in CRE. A multi-layered approach to cybersecurity, combining technology with strong security policies, employee training, and incident response planning, is essential for comprehensive protection.

Some key ways technology can help include:

  • Modern Cloud-Based Platforms: Moving away from legacy systems to modern cloud-based technology can enhance security and prevent single points of failure [28]. Cloud platforms often have built-in security features and can be more easily updated than on-premises systems.
  • Advanced Detection and Protection Tools: Utilizing technologies like artificial intelligence, firewalls, and intrusion detection systems can help detect and respond to threats in real time [29]. AI-driven threat detection systems can analyze network traffic and identify suspicious patterns that may indicate an attack.
  • Data Encryption: Encrypting sensitive data in transit and at rest can protect it from unauthorized access [30]. Encryption scrambles data, making it unreadable without the decryption key.
  • Multi-Factor Authentication: Implementing multi-factor authentication can add an extra layer of security to user accounts [31]. This requires users to provide multiple forms of identification, such as a password and a code sent to their phone, to access an account.
  • Data Backup: Regularly backing up important information can minimize downtime and ensure business continuity in case of a cyberattack [32]. Backups should be stored securely, preferably off-site or in the cloud.
  • Blockchain: Blockchain technology can be used to create secure and tamper-proof records of transactions and data, enhancing security and preventing fraud [29].

Best Practices for CRE Businesses

Based on the research findings, here are some best practices for CRE businesses to implement:

  • Develop a comprehensive cybersecurity strategy: This strategy should include a risk assessment, security policies, employee training, incident response planning, and regular security audits.
  • Implement strong security controls: This includes using strong passwords, multi-factor authentication, firewalls, intrusion detection systems, and other security technologies.
  • Educate employees about cybersecurity risks: Train employees on how to identify and avoid phishing scams, social engineering attacks, and other common threats.
  • Regularly update software and systems: Keep all software and systems up to date with the latest security patches to prevent vulnerabilities.
  • Invest in cybersecurity insurance: Obtain cyber insurance to mitigate the financial impact of a cyberattack.
  • Stay informed about government regulations and industry standards: Keep up to date with the latest cybersecurity regulations and standards to ensure compliance.
  • Partner with cybersecurity experts: Consider working with cybersecurity professionals to assess your security posture and implement necessary measures.

Conclusion

Cyberattacks are a significant and evolving threat to business continuity in the CRE industry. More and more, the targets of hackers are small businesses, not large corporations [33]. Cybersecurity has officially become a business risk [33]. By understanding the types of attacks, learning from case studies, and implementing preventive measures, CRE businesses can strengthen their cybersecurity posture and protect their operations, data, and reputation. Investing in cybersecurity insurance and staying informed about government regulations and industry standards can further enhance their resilience against cyber threats. Finally, leveraging technology effectively is crucial for mitigating risks and ensuring business continuity in the face of evolving cyberattacks. CRE businesses must take immediate action to assess their cybersecurity posture and implement the necessary measures to protect themselves from potentially devastating attacks.

Works cited

  1. Real Estate Companies Are Prime Targets For Cyber Attacks - Inman, accessed December 17, 2024, https://www.inman.com/2018/11/27/real-estate-companies-are-prime-targets-for-cyber-attacks/
  2. THE IMPACT OF CYBERSECURITY ON SMALL BUSINESS - SBIR, accessed December 17, 2024, https://www.sbir.gov/sites/all/themes/sbir/dawnbreaker/img/documents/Course10-Tutorial1.pdf
  3. Is the Real Estate Industry a Target for Cyberattacks? - Jackson Lewis, accessed December 17, 2024, https://www.jacksonlewis.com/insights/real-estate-industry-target-cyberattacks
  4. The Most Common Cyber Attacks Targeting Businesses, and How to Prevent Them, accessed December 17, 2024, https://www.theamegroup.com/uncategorized/the-most-common-cyber-attacks-targeting-businesses-and-how-to-prevent-them/
  5. Types of Cyberattacks That Threaten Businesses, Part I: Malware and Ransomware, accessed December 17, 2024, https://online.eou.edu/resources/article/types-of-cyberattacks-that-threaten-businesses-part-i/
  6. 11 Companies Who Have Recently Faced a Cyberattack - Growbo, accessed December 17, 2024, https://www.growbo.com/recent-cyber-attacks-on-companies/
  7. Top 5 Cybersecurity Threats to Small Businesses & Solutions - C&S Insurance, accessed December 17, 2024, https://www.candsins.com/blog/top-small-business-cyber-security-threats/
  8. 7 challenges for CRE cybersecurity - Building Engines, accessed December 17, 2024, https://www.buildingengines.com/blog/cre-cybersecurity-challenges/
  9. Evolving Cyber Risk in Commercial Real Estate | Deloitte US, accessed December 17, 2024, https://www2.deloitte.com/us/en/pages/real-estate/articles/evolving-cyber-risk-in-commercial-real-estate.html
  10. How Cyberattacks Affect Business Reputation - Centripetal Networks, accessed December 17, 2024, https://www.centripetal.ai/blog/how-cyberattacks-affect-business-reputation/
  11. 6 Ways Cybercrime Impacts Business - Investopedia, accessed December 17, 2024, https://www.investopedia.com/financial-edge/0112/3-ways-cyber-crime-impacts-business.aspx
  12. Protect Your Small Business from Cybersecurity Attacks | U.S. Small ..., accessed December 17, 2024, https://www.sba.gov/blog/protect-your-small-business-cybersecurity-attacks
  13. Strengthen your cybersecurity | U.S. Small Business Administration, accessed December 17, 2024, https://www.sba.gov/business-guide/manage-your-business/strengthen-your-cybersecurity
  14. How to Prevent Cyber Attacks from Impacting Your Business | - Cybernetic Search, accessed December 17, 2024, https://www.cyberneticsearch.com/blog/how-to-prevent-cyber-attacks-from-impacting-your-business/
  15. Avoiding a Cyber-Attack - River City Bank, accessed December 17, 2024, https://rivercitybank.com/avoiding-a-cyber-attack/
  16. Cyber Threats: Preventing and Responding to Them | Phelps ..., accessed December 17, 2024, https://www.phelps.com/insights/cyber-threats-preventing-and-responding-to-them.html
  17. Resource Guide: Tips to Protect Online Businesses from Cyberattack - PCI Perspectives, accessed December 17, 2024, https://blog.pcisecuritystandards.org/resource-guide-tips-to-protect-online-businesses-from-cyberattack
  18. Cyber Insurance for Small Businesses: A Guide, accessed December 17, 2024, https://www.otto-ins.com/blog/cyber-insurance-for-small-businesses-a-guide
  19. Cyber Insurance for Real Estate Businesses | Insureon, accessed December 17, 2024, https://www.insureon.com/real-estate-business-insurance/cyber-liability
  20. Cyber Insurance for Small Business – Protect Against Cybercrime ..., accessed December 17, 2024, https://www.nextinsurance.com/cyber-liability-insurance/
  21. Commercial Cyber Insurance for Small Businesses | Boost, accessed December 17, 2024, https://boostinsurance.com/product/smb-commercial-cyber/
  22. Cybersecurity Options for Real Estate Companies - CRES Insurance, accessed December 17, 2024, https://www.cresinsurance.com/insurance/real-estate-errors-omissions/cyber-liability/
  23. Ultimate List of Cybersecurity Regulations by Industry - UpGuard, accessed December 17, 2024, https://www.upguard.com/blog/cybersecurity-regulations-by-industry
  24. Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) - CISA, accessed December 17, 2024, https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia
  25. What Are Cyber Security Regulations? - Bitsight, accessed December 17, 2024, https://www.bitsight.com/glossary/cyber-security-regulations
  26. 7 Cybersecurity Frameworks to Reduce Cyber Risk in 2024 - Bitsight, accessed December 17, 2024, https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk
  27. Cybersecurity Standards and Frameworks - IT Governance USA, accessed December 17, 2024, https://www.itgovernanceusa.com/cybersecurity-standards
  28. How Technology Can Mitigate Cybersecurity Risks To Infrastructure - Forbes, accessed December 17, 2024, https://www.forbes.com/councils/forbestechcouncil/2022/09/23/how-technology-can-mitigate-cybersecurity-risks-to-infrastructure/
  29. How (And What) Technology Can Help Combat Cyber Attacks - OnSolve, accessed December 17, 2024, https://www.onsolve.com/blog/technology-combat-cyber-attacks/
  30. 5 ways health care practices can mitigate cyberattack risk - Urology Times, accessed December 17, 2024, https://www.urologytimes.com/view/5-ways-health-care-practices-can-mitigate-cyberattack-risk
  31. 12 Tips for Mitigating Cyber Risk | JPMorgan Chase, accessed December 17, 2024, https://www.jpmorgan.com/insights/cybersecurity/ransomware/12-tips-for-mitigating-cyber-risk
  32. How technology can help school boards mitigate cyberattacks - Diligent, accessed December 17, 2024, https://www.diligent.com/resources/blog/technology-help-school-boards-cyberattacks
  33. 10 Steps to Cybersecurity for Small CRE Companies and Their Tenants - ICSC, accessed December 17, 2024, https://www.icsc.com/news-and-views/icsc-exchange/10-steps-to-cybersecurity-for-small-cre-companies-and-their-tenants