EY CA African Businesswomen

Six critical cyber questions for commercial real estate

Commercial real estate organizations looking to build long-term growth must build a roadmap to the future, wherever they stand on their cybersecurity journey.

In Brief

  • At enterprise and operational levels, real estate is growing in remarkable ways. To support long-term, sustainable growth, commercial real estate organizations must ground their operations in cybersecurity with a roadmap now.
  • To reach a more cybersecure future state, organizations must know their mission-critical assets, understand and be prepared for the business risks of a cyber-attack, and bake their cybersecurity plans with innovation and design from the start.

Wherever you stand on your cybersecurity journey, it’s time to build a roadmap to the future state. Doing so is critical for commercial real estate organizations looking to build long-term, sustainable growth that is equal parts innovative and secure.

Why ground real estate operations in cybersecurity now?

At the enterprise and operational levels, real estate is growing in remarkable ways. Innovation is creating all kinds of new capabilities for smarter buildings that empower tenants to deliver on environmental, social and governance (ESG) goals.

Consider the new skyscraper that generates its own solar power, or the new shopping mall that combines user-centric design with an interactive and connected user experience. Automation is fundamentally reshaping commercial buildings today. From advancements in smart, automated systems to integrations between lighting, access control and life protection: new possibilities abound. At the same time, all this change could be exposing buildings, businesses and the people who use them to cyber risks that simply didn’t exist before.

That said, these potential problems extend well beyond the more obvious ones — hackers shutting down elevators, let’s say. So much automation means real estate companies may be stewards of a whole lot more personal data than ever before. 

Enter privacy risks — and related regulatory compliance issues and potential reputational crises — galore. As a regional example, 40% of Canadian business leaders across sectors and industries say they’ve never been more concerned about cybersecurity as they are now. Operational silos, they say, are holding organizations back from bringing cybersecurity and privacy teams to the table early enough in the development of new services and offerings to make a difference.

We see similar numbers play out across industry again and again. In a separate survey, only 43% of organizations said senior management understood cyber risks and provided sufficient resources to defend industrial control systems (ICSs) and operational technology (OT) environments. Another study revealed that 52% of IT staff don’t understand OT operational requirements.

In commercial real estate, we see the impacts of that reality play out across the industry every day. One Forbes report showed a 1,110% rise in the number of business and employee email account compromise attacks from 2015 to 2017 alone. In the same period, they tracked a 2,200% rise in reported monetary loss across the real estate sector.

The ramifications of these incidents extend well beyond the initial event or financial hit. Lost data. Stolen intellectual property. Ransom demands. Reputational damage. The list goes on and takes on additional meaning for smaller businesses: some 60% that suffer a cyberattack are out of business within six months.

Without a plan in place to weave cybersecurity strategically into your broader business operations, you may now be vulnerable to all kinds of trouble. On the flipside, addressing cybersecurity more rigorously can support the business — and your stakeholders — all while setting your organization apart as a real estate provider of choice. 

How can real estate organizations bolster operations against cyber threats?

No matter where your organization stands in terms of cybersecurity maturity, there are always ways to strengthen defences and move to the next level. The key is to build a roadmap that acknowledges where you stand today, identifies gaps or risks and lays out clear action plans to ultimately reach a more cybersecure future state.

Asking these key questions now can help kickstart planning and accelerate cybersecurity efforts in meaningful ways:

  1. Do we know our mission-critical assets? Identifying business-critical assets is absolutely essential for any commercial real estate organization. Get clear on what equipment and systems are needed to keep employees safe and the business functioning.
  2. Are we doing well at the basics? Lights. Elevators. Doors. Knowing where you stand on the core exposure areas that automation creates is important. Assess whether roles and responsibilities are clearly defined. Be sure to document and manage any changes to equipment. Start configuring equipment so it’s backed up and stored in a safe location. Get clear on who controls system access. And foster a culture that ensures cybersecurity leading practices are discussed and employee training is always available.
  3. Do we understand business risks? Aligning the cyber risk to the business mission means establishing your risk appetite and tolerance levels at the organizational level. That requires an overall view of risk that can be easily understood and communicated, both internally and with regulators. Rigorously analyze operational and reputational risks. Outline any areas where additional investments and improvements should be made.
  4. Are we ready to respond to and recover from a natural disaster or cyber attack? Response and recovery time are everything. Commercial real estate organizations need proactive plans that ensure teams can respond quickly to a crisis. Test those plans regularly for business continuity to make sure operations can survive a major upheaval.
  5. Could third parties up the ante on risk? Whether your properties are managed externally or supported by a complex supply chain, chances are you have more third-party risk than you realize. Get a clear overview of just where those gaps may lie and proactively build in processes and frameworks for addressing risk across these areas now. Be sure to include proptech in that analysis, with a special focus on software deployment and vendor risk management.
  6. Is cybersecurity baked into innovation and design? Smart devices. Connected access. An increasing shift towards 5G. Internet of Things considerations for the 5 billion new devices that will come online over time. All of these factors represent emerging priorities — and new potential risks. Dismantle organizational silos to link the teams implementing these tools and technologies at the enterprise level with the cybersecurity team to drive better outcomes.

What’s the bottom line?

It’s time for commercial real estate companies to change the dynamic around cybersecurity. Bringing cyber and privacy into the fold earlier on can lead to innovation that is effective and secure — all while helping the business differentiate itself with clients seeking the best properties on offer.


Commercial real estate organizations must build a cybersecurity roadmap to the future, in order to support long-term, sustainable growth. Reaching the future state depends on how well organizations know their mission-critical assets, understand the risks of cyber-attacks, and ultimately prepare for them with innovation and design in mind.

About this article