Cybersecurity threats are all around us. They come through hackers and viruses, worms and other means of compromising the integrity of the systems we all have in place in our businesses and personal lives.
There is a common misconception in the commercial real estate community that minimizing the technological capability of a physical asset or the business in general will in turn minimize the threat of cyberattacks. Our depth of experience in this field reveals that is not the case.
There is literally no area of a business that cannot be compromised by an attack. Therefore, there is no area of your business that cannot find added protection in a well-planned, all-encompassing cyber strategy.
The other good news in this scenario of systems protection is that the assets in a client’s portfolio do not stand alone.
Legislation in the US and Europe has been enacted to address cybersecurity breaches with varying fines and penalties. Furthermore, the timing of reporting such incidents is also being written into law in order to increase the immediacy of investigation.
Why are we at such risk? Our report, Managing real estate cybersecurity, notes: “Building management systems, which handle everything from air conditioning to closed-circuit television, access control, lighting and door locks, traditionally worked on serial networks and were segregated from conventional IT networks. As these systems have become internet-enabled, they are now open to all possible threats that afflict conventional IT systems. The potential for harm is significant.”
In fact, while the most immediate impact can be felt by the building tenancy, with loss of sales and clientele, “the longer-term impact is felt by the real estate company as it is forced to compensate its tenants for loss of trading revenues and brand reparation when the true cause of the incident is discovered.”
This is without question an epidemic of global proportions. According to a report by Dell Security, cyberattacks on control systems doubled from 2014 to 2015 — an increase of 600% from 2012. In 2015, it was reported that at least four major hotel chains were the victims of cyber attacks, breached in varying ways with the goal of accessing credit card information. Two years prior, both a New Jersey manufacturing company and a state government facility were also hacked through their energy management systems, allowing for temperature manipulation.
Increasingly, a company’s “cyber readiness” is becoming a key issue in determining future business partnerships. For instance, insurance companies are re-evaluating their investment parameters based in large part on the security measures in place.
Furthermore, for public companies, Moody’s is now factoring cybersecurity into their ratings.
For these reasons, we recommend annual cyber audits to reassess both the current threat environment and a company’s overall degree of protection. As we point out in our report, Is the answer to cybersecurity more technology, more people or more process?, a robust cybersecurity strategy is “the intersection of business strategy, risk management, digital evolution, real-time operations, technology innovation and predictive analytics that allows you to prioritize the right decisions, faster.”