Cybersecurity in CRE: A Business Continuity Guide
Cybersecurity is no longer a luxury but a necessity for businesses of all sizes, and the commercial real estate (CRE) sector is no exception. As the industry becomes increasingly reliant on technology, the risk of cyberattacks grows exponentially1. These attacks can disrupt business operations, compromise sensitive data, and damage a company's reputation, ultimately impacting business continuity. This report delves into the importance of cybersecurity in CRE, explores the various cyber threats faced by CRE companies, and outlines the essential cybersecurity services that can help mitigate these risks and ensure business continuity.
The Importance of Cybersecurity for Business Continuity in CRE
In today's interconnected world, CRE companies handle vast amounts of sensitive data, including personal information of tenants, financial records, and property details. A cyberattack can lead to:
- Data breaches: Unauthorized access to sensitive data can result in significant financial losses, legal consequences, and reputational damage2.
- Operational disruptions: Cyberattacks can disrupt critical business operations, such as property management systems, communication networks, and financial transactions, leading to downtime and lost revenue3.
- Reputational damage: A cybersecurity incident can erode trust among clients, tenants, and investors, potentially impacting future business opportunities4.
- Loss of intellectual property: Cybercriminals may target proprietary information, such as development plans or investment strategies, giving competitors an unfair advantage2.
Furthermore, studies have shown that a significant number of small and midsize businesses that fall victim to cyberattacks go out of business within six months5. This alarming statistic highlights the severe consequences of cyberattacks for CRE companies and emphasizes the critical need for robust cybersecurity measures.
Protecting tenant data and ensuring the security of building systems are crucial for maintaining tenant satisfaction and retention2. Tenants rely on CRE companies to safeguard their personal information and provide a safe and secure living or working environment. A cyberattack that compromises tenant data or disrupts building operations can severely damage tenant trust and lead to dissatisfaction and potential legal liabilities.
Data protection is a critical component of any cybersecurity strategy for business continuity6. Organizations must implement measures to safeguard sensitive information from unauthorized access, modification, or...source breach.
In addition to preventing data breaches and operational disruptions, cybersecurity also plays a vital role in crisis management7. Handling and containing a cybersecurity incident effectively is crucial to prevent further damage and minimize downtime. This involves having a well-defined incident response plan, trained personnel, and the ability to quickly isolate affected systems and restore normal operations.
By integrating cybersecurity into their business continuity planning, CRE companies can proactively identify and mitigate potential risks before they escalate into crises6. This approach enables more effective incident response, allowing teams to quickly contain damage and restore critical functions6.
Key benefits of incorporating cybersecurity into business continuity planning:
- Reduced risk of data breaches and financial loss7.
- Enhanced customer trust by protecting sensitive data7.
- Minimized downtime in the face of cyber incidents7.
- Competitive advantage through robust resilience measures7.
- Meeting regulatory requirements for data protection6.
Cyber Threats Facing CRE Companies
CRE companies face a wide range of cyber threats, including:
- Ransomware attacks: These attacks involve encrypting a company's data and demanding a ransom for its release. CRE companies are particularly vulnerable due to their reliance on critical data and systems8. A common attack vector for ransomware is through email, where malicious actors send phishing emails with infected attachments or links3. Remediating a ransomware attack can take a significant amount of time, leading to prolonged downtime and operational disruptions3.
- Data breaches: Cybercriminals may target CRE firms to gain access to large volumes of valuable data, including personal and financial information of clients and tenants8.
- Phishing and social engineering: These attacks deceive individuals into revealing sensitive information or transferring funds to fraudulent accounts8.
- Insecure IoT devices: As buildings become "smarter" with IoT devices for monitoring and control, these devices can be exploited by hackers if not properly secured2.
- Espionage: Competitors may engage in corporate spying to gain an advantage in negotiations or development projects2.
It is important to note that cyberattacks are becoming increasingly sophisticated and targeted9. Hackers are constantly developing new techniques and exploiting vulnerabilities to gain unauthorized access to systems and data. This requires CRE companies to adopt proactive and adaptive security measures to stay ahead of the evolving threat landscape. Moreover, there has been a notable shift in hacker targets from large corporations to small and midsize businesses, making CRE companies even more vulnerable to cyberattacks5.
Cybersecurity Services for CRE Companies
To mitigate these threats and ensure business continuity, CRE companies can leverage various cybersecurity services, including:
- Risk assessments: Identifying potential cyber security threats and vulnerabilities. This involves a thorough evaluation of the company's IT infrastructure, data assets, and security practices to identify potential weaknesses and prioritize security measures.
- Security awareness training: Educating employees about cyber security threats and best practices. This includes training on how to recognize phishing emails, social engineering tactics, and other common cyber threats, as well as best practices for password security, data handling, and online safety.
- Data backup and recovery: Implementing measures to protect data from loss or damage. This involves regular data backups, secure storage solutions, and disaster recovery planning to ensure that critical data can be recovered in the event of a cyberattack or other disaster.
- Incident response planning: Developing a plan to respond to cyber security incidents. This includes establishing procedures for identifying, containing, and recovering from cyberattacks, as well as communication protocols and escalation procedures.
- Network security: Implementing measures to protect networks from unauthorized access and attacks. This includes firewalls, intrusion detection systems, and other security measures to prevent unauthorized access to the company's network and protect sensitive data.
- Vulnerability assessments: Penetration testing to identify and address security weaknesses11. This involves simulating real-world cyberattacks to identify vulnerabilities in the company's systems and applications and provide recommendations for remediation.
- Continuous security monitoring: 24/7 monitoring of critical assets to detect and respond to threats11. This involves using security information and event management (SIEM) systems and other tools to monitor network traffic, system logs, and other security events for suspicious activity.
- Endpoint protection: Securing employee devices from malware and phishing attacks12. This includes installing antivirus software, firewalls, and other security measures on employee devices to prevent malware infections and protect against phishing attacks.
- Managed IT services: Outsourcing IT and cybersecurity management to specialized providers13. This can provide CRE companies with access to specialized expertise, advanced technologies, and cost-effective solutions for managing their IT infrastructure and cybersecurity needs.
In addition to these services, it is crucial for CRE companies to consider the potential for administrative mismanagement to cause cybersecurity incidents3. This includes implementing proper vendor management and access control measures to prevent unauthorized access to systems and data by third-party vendors or contractors. It is also essential to consider the impact of cyberattacks on building safety systems and implement appropriate security measures to prevent life safety incidents3.
Cyberattacks can also lead to significant productivity loss due to downtime and disruptions3. Implementing robust cybersecurity measures can help minimize downtime and ensure that employees can continue to work efficiently. Furthermore, cyberattacks can result in regulatory non-compliance, especially with data protection regulations and industry standards3. CRE companies must ensure that they comply with all relevant regulations to avoid penalties and maintain business operations.
Finally, it is important to recognize that cyberattacks can have a significant financial impact, including equipment replacement costs3. Damaged or compromised equipment may need to be replaced, resulting in unexpected expenses. Cyberattacks can also cause brand damage, eroding trust and impacting a company's reputation in the long term3.
Partnering with experienced cybersecurity providers can offer CRE companies access to specialized expertise, advanced technologies, and cost-effective solutions13. These providers can help CRE companies develop and implement a comprehensive cybersecurity strategy tailored to their specific needs and risk profile.
Case Studies of Cyberattacks in CRE
While many cyberattacks go unreported, several incidents highlight the impact of cyberattacks on the CRE sector:
- G4S Australia: This global security services provider experienced a sophisticated cyberattack, demonstrating that even large, well-known companies are vulnerable15.
- Target Breach: The 2013 Target data breach originated with stolen credentials from a third-party HVAC provider, emphasizing the importance of securing building systems and vendor access16.
- Inadequate Backup Plan: In one instance, an inadequate backup plan led to several floors of a building becoming unoccupiable for two days, resulting in lost rent and significant business disruption3. This case highlights the importance of robust data backup and recovery solutions to minimize downtime and financial losses in the event of a cyberattack.
These cases underscore the need for robust cybersecurity measures and proactive risk management in the CRE industry.
Cost of Cybersecurity Services
The cost of cybersecurity services for CRE companies varies depending on several factors, including the size of the company, the complexity of its IT environment, and the specific services required17.
Service Type | Average Monthly Cost | Per-User Cost | Notes |
---|---|---|---|
Outsourced cybersecurity services | $2,000-$3,500+ | $195-$350 | Includes support and maintenance |
Cybersecurity portion only | $35-$65 | If support is already in place | |
Email protection | $3-$6 | For advanced email protection services | |
In addition to the cost of cybersecurity services, CRE companies must also consider the regulatory landscape and ensure compliance with relevant government regulations.
Government Regulations Related to Cybersecurity in CRE
While specific cybersecurity regulations for CRE companies may vary, several federal regulations and initiatives impact the industry:
- NIST SP 800-171: This standard outlines cybersecurity controls for protecting sensitive, unclassified information18.
- CMMC (Cybersecurity Maturity Model Certification): This framework measures a contractor's cybersecurity maturity and requires certification at specific levels18.
- FAR and DFARS clauses: These clauses in the Federal Acquisition Regulation and Defense Federal Acquisition Regulation Supplement impose cybersecurity requirements on government contractors18.
- Executive Order 14028: This order focuses on improving national cybersecurity and incident reporting19.
- Executive Orders related to cybersecurity: These include EO 13800, EO 13691, EO 13681, EO 13636, and EO 13556, which address various aspects of cybersecurity, including strengthening federal networks, promoting information sharing, and improving critical infrastructure security20.
Furthermore, CRE companies must prioritize cybersecurity to maintain the integrity of smart building systems and IoT devices21. These systems are increasingly interconnected and vulnerable to cyberattacks, which can disrupt building operations, compromise tenant safety, and lead to significant financial losses.
Compliance with data protection regulations is also crucial for CRE companies21. They must ensure the privacy and security of tenant and client data, complying with regulations such as GDPR, CCPA, and other relevant state or sector-specific regulations.
Cybersecurity plays a vital role in preserving brand reputation and client trust21. A cyberattack can severely damage a company's reputation, erode client trust, and impact future business opportunities. Therefore, CRE companies must prioritize cybersecurity to protect their brand image and maintain a positive reputation in the market.
Finally, it is essential for the board and management of CRE companies to understand and be involved in the cybersecurity program21. Leadership engagement in cybersecurity governance is crucial for ensuring that cybersecurity is integrated into the company's overall risk management strategy and that appropriate resources are allocated to support cybersecurity initiatives.
Conclusion
Cybersecurity is paramount for business continuity in the CRE sector. The increasing reliance on technology in CRE has made cybersecurity essential for protecting assets, maintaining operations, and ensuring long-term success. CRE companies face a growing range of sophisticated cyber threats that can disrupt operations, compromise data, and damage reputation. A comprehensive cybersecurity strategy, including risk assessments, employee training, and proactive security measures, is crucial for mitigating these threats. Partnering with specialized cybersecurity providers can offer CRE companies access to expertise and cost-effective solutions. Moreover, CRE companies must stay informed about and comply with relevant government regulations to avoid penalties and maintain business operations.
To effectively navigate the evolving threat landscape and safeguard business continuity, CRE companies must cultivate a security mindset that permeates every aspect of their business operations5. This includes fostering a culture of security awareness among employees, prioritizing cybersecurity investments, and implementing robust security measures across all aspects of the business. By adopting a holistic approach to cybersecurity, CRE companies can protect their assets, maintain tenant trust, and ensure long-term success in an increasingly digital world.
Works cited
1. The Looming Cyber Threat in Real Estate | Tripwire, accessed December 17, 2024, https://www.tripwire.com/state-of-security/looming-cyber-threat-real-estate
2. Cybersecurity Challenges in Commercial Real Estate: Safeguarding Your Investments, accessed December 17, 2024, https://investingincre.com/2024/06/21/cybersecurity-challenges-in-commercial-real-estate/
3. Commercial Real Estate: Securing Your Portfolio & Mitigating Risk - Intelligent Buildings, accessed December 17, 2024, https://intelligentbuildings.com/outcomes/cybersecurity/
4. Role of Cyber Security in Business Continuity - Calsoft Blog, accessed December 17, 2024, https://www.calsoftinc.com/blogs/role-of-cyber-security-in-business-continuity.html
5. 10 Steps to Cybersecurity for Small CRE Companies and Their Tenants - ICSC, accessed December 17, 2024, https://www.icsc.com/news-and-views/icsc-exchange/10-steps-to-cybersecurity-for-small-cre-companies-and-their-tenants
6. Strengthening Business Continuity Through Cybersecurity Integration - Bryghtpath, accessed December 17, 2024, https://bryghtpath.com/intersection-of-business-continuity-and-cybersecurity/
7. What Is The Role Of Cybersecurity In Ensuring Business Continuity? - Control Audits, accessed December 17, 2024, https://www.controlaudits.com/blog/what-is-the-role-of-cybersecurity-in-ensuring-business-continuity/
8. Cyber Security Real Estate Industry threats - Marsh, accessed December 17, 2024, https://www.marsh.com/en-gb/industries/real-estate/insights/cyber-threats-real-estate-sector.html
9. Top 10 Real World Case-Studies on Cyber Security Incidents? - Birchwood University, accessed December 17, 2024, https://www.birchwoodu.org/top-10-real-world-case-studies-on-cyber-security-incidents/
10. Types of Cyberattacks That Threaten Businesses, Part I: Malware and Ransomware, accessed December 17, 2024, https://online.eou.edu/resources/article/types-of-cyberattacks-that-threaten-businesses-part-i/
11. Cybersecurity for the Real Estate Firm - BrothersKeep, accessed December 17, 2024, https://brotherskeep.co/cybersecurity-for-real-estate/
12. Top 5 Cyber Security Threats for Real Estate Companies | CoreTech, accessed December 17, 2024, https://www.coretech.us/blog/top-5-cyber-security-threats-for-real-estate-companies-coretech
13. IT & Cybersecurity Services for Real Estate Agencies | Purple Guys, accessed December 17, 2024, https://www.purpleguys.com/it-and-cybersecurity-services-for-real-estate/
14. 5Q | CRE Technology and Cyber Security Experts, accessed December 17, 2024, https://www.5qpartners.com/
15. The Rising Threat of Cyber Attacks on Security Firms - El Dorado Insurance Agency, accessed December 17, 2024, https://www.eldoradoinsurance.com/security-industry-news/the-rising-threat-of-cyber-attacks-on-security-firms-lessons-learned-from-case-studies/
16. The Growing Threat of Cyber Attacks in the Real Estate Industry - stratafolio, accessed December 17, 2024, https://stratafolio.com/cybersecurity-attack-real-estate-company/
17. How Much Do Managed Cybersecurity Services Cost? - VC3, accessed December 17, 2024, https://www.vc3.com/blog/managed-cyber-security-services-cost
18. Federal Cybersecurity Requirements Ought Not Be Ignored by Contractors | Troutman Pepper, accessed December 17, 2024, https://www.troutman.com/insights/federal-cybersecurity-requirements-ought-not-be-ignored-by-contractors.html
19. Proposed Rules Overhaul Cybersecurity Requirements for Government Contractors, accessed December 17, 2024, https://www.pillsburylaw.com/en/news-and-insights/government-contractor-cybersecurity-requirements.html
20. Cybersecurity programs and policy - GSA, accessed December 17, 2024, https://www.gsa.gov/technology/government-it-initiatives/cybersecurity/cybersecurity-programs-and-policy
21. A guide to cybersecurity governance for the commercial real estate industry - BPM, accessed December 17, 2024, https://www.bpm.com/insights/cybersecurity-governance-for-the-commercial-real-estate/