One of the few positives that came out of the pandemic for the commercial real estate industry was that it finally pushed many tech-hesitant brokers to embrace technology—mostly as a way to survive. But while the adoption of digital technologies has produced tremendous efficiencies for brokers, investors, tenants, and others in the CRE transaction chain, it has also increased opportunities for cyber hackers to exploit vulnerabilities. And for an industry that holds a treasure trove of financial and customer data within its networks, cybersecurity at some commercial real estate firms can be woefully lacking.
“In the security industry we encounter a lot of misunderstanding in terms of where the opportunity lies for the bad guys,” says Timur Kovalev, chief technology officer at Untangle, a network security provider for small-to-medium businesses (SMBs). “In the real estate business you usually don’t hear cybersecurity and real estate brokerage mentioned in the same sentence, but if you look at the kind of data that real estate brokers have and what can be done with that data, it’s significant. And it has become kind of a low-hanging fruit for the hackers who know that they can get access to customer data.”
Kim Ford, SIOR, CEO of exclusive tenant representation brokerage firm Rise Pittsburgh, agrees. “I think too many people don’t realize that cyber threats are real,” says Ford. “A lot of people are naïve and don’t believe it’s going to happen to them, and the problem is that not only can it happen to us as brokers or brokerage companies, it could happen to our clients as well.”
A recent Untangle whitepaper cites the Keeper Security 2019 SMB Cyberthreat Study, which found that the majority (66%) of business leaders at SMBs don't believe they will fall victim to a cyberattack. The paper concludes that this attitude often leads to lax security practices, including “weak passwords, ineffective mobile device policies, and not keeping up with cybersecurity threats.” This tendency to downplay threats comes as more businesses are transitioning to a remote or hybrid workforce—using more apps, third-party hardware, online systems, and adding more IoT (Internet of Things) devices to their networks, thus increasing exposure.
“Before, employers could say ‘everyone is on my network, so I can control what websites people go to,’” says Kovalev, “but nowadays, with so many people outside the office, they may be going to websites on their own that are malicious, get malware on their systems and then log into your system and (spread the malware).”
Some of the “it can’t happen to us” mentality is fueled by the hyper-focus on large-scale ransomware events, such as the cyberattacks on Colonial Pipeline that disabled the nation’s largest fuel pipeline and the shutdown of JBS Foods’ entire U.S. beef processing operation. Colonial and JBS paid the hackers $4.4 million and $11 million respectively in cryptocurrency to restore operations (although Colonial was able to recover $2.3 million with the help of the FBI). Those 2021 attacks came after ransomware victims paid at least $406 million worth of cryptocurrency to attackers in 2020—quadruple the amount ($92.6 million) paid in 2019, according to the 2021 Crypto Crime Report issued by blockchain analysis firm Chainalysis. The report also notes the “drastic growth” in the size of the average known ransomware payment, which also quadrupled from $12,000 in Q4 2019 to $54,000 in Q1 2021.
Given those gaudy numbers, it’s tempting to conclude that cyber-criminals are only setting their sights on larger enterprises, but according to the Verizon Business 2020 Data Breach Investigations Report, “the growing number of SMBs using cloud- and web-based applications and tools has made them prime targets for cyberattackers…as SMBs have adjusted their business models, the criminals have adapted their actions in order to keep in step and select the quickest and easiest path to their victims.”
While ransomware garners most of the headlines, phishing (where a malicious perpetrator impersonates a trustworthy individual or business to obtain confidential data) is the biggest threat for small organizations, accounting for over 30% of breaches, followed closely by the use of stolen credentials (login passwords) at 27%, according to the Verizon Business report. Ransomware accounted for 27% of the data breaches involving malware infections last year, but 94% of organizations whose data was encrypted following an attack got it back, with twice as many doing so through backups (56%) as by paying the ransom (26%), according to an independent survey of 5,000 IT managers commissioned by cybersecurity provider Sophos.
One of the most common of the phishing scams is the business email compromise (BEC), where the hacker sends an email message that appears to come from a known source, such as a trusted vendor making a legitimate request. Hackers often use the vendor’s logo and a sender address that is a slight variation of the legitimate email address in order to manipulate unsuspecting employees into revealing sensitive information or to initiate a wire transfer.
“It happens all the time,” says Ford, who reports knowing at least ten people that have been duped in BEC scams. “And they’ve suffered significant—$20,000-plus—losses. So number one, we have to protect ourselves and more importantly, we have to protect our clients. We handle client information that is highly confidential, and it’s in our computers, on our servers, and in our clouds. So if we’re using something like ‘ABC123’ for every one of our passwords and somebody gets access to those, all of our clients are at risk.”
Ford’s firm protects client data as well as their own by practicing sound fundamental cybersecurity “hygiene”—best practices—and it begins at the employee level. The latest report by Untangle cites “employees not following cybersecurity rules” as the top barrier to ensuring a secure workplace, so Rise Pittsburgh takes employees through cybersecurity training as soon as they are hired. Employees are mandated to use the company password manager, which creates long, randomized passwords that protect against hacking. If an employee receives a suspicious email, they are instructed to forward it to the IT person, who then issues an alert to all company employees. Data cannot be stored on any computer for more than 24 hours, and must be transferred by the end of the business day to the cloud-based platform Microsoft Teams, where servers are constantly monitored and data is consistently backed up. “When you don’t keep data on your laptop, you have less risk of people getting to the data—and you also have a lot less risk of losing it,” says Ford.
Gary Joel Schacker, SIOR, principal of Long Island, N.Y.-based United Realty, stresses the value of having a skilled IT person on board, rather than taking a DIY approach. “It’s vital to have someone who really knows what’s going on,” says Schacker. “Don’t try to be your own carpenter.”
Malware protection and firewalls are kept up to date on all United Realty computers, and they back up all of their data to an onsite server stored in a locked closet, which constantly backs up data to a local appliance (DATTO), which in turn backs up multiple times a day to the cloud. “In the case of a ransomware attack, we could be up and running in five minutes,” he asserts. “We do this for our own data, and we obviously have confidential information related to our transactional business, so that is all backed up and kept from any prying eyes.” United owns and manages properties as well, using Yardi Voyager as its property management software, and employs the same measures to protect the data of its tenants.
Schacker and Ford have their IT leadership conduct regular cyber audits for their own companies. And while they avoid offering direct cybersecurity guidance to their clients (“It’s not my business. I don’t advise clients on their IT business or how to protect their own data,” says Schacker), Ford suggests to clients that are preparing to relocate that it may be the ideal time to evaluate their cybersecurity infrastructure. “A relocation is a great time to do a cyber audit as well as other processes because you’re already making a change.”
Whether to conduct an audit or implement other cyber protections may no longer be a choice for companies, as insurance carriers will soon make them mandatory, according to Kevin Heher, president of Liberty Insurance Agency in Pittsburgh. “The requirements to do cyber audits, to have cloud backup services, to have multi-factor verification testing are no longer about ‘If I do these things will I get a better rate?’ It’s now about having those things in order to qualify (to be insured),” says Heher. “Right now the underwriting for the cyber insurance market is understated, so you’re going to see a tightening of underwriting requirements.”
Despite the increased exposure to cybersecurity risks that remote work and new time-saving technologies can potentially bring, real estate companies should not shy away from adopting these innovations, says Kovalev. Instead, companies should take a proactive stance towards developing effective cybersecurity strategies to protect themselves and their clients.