[BreachExchange] It’s Past Time for CRE Cybersecurity Strategy and Governance
Audrey McNeil
audrey at riskbasedsecurity.com
Fri May 17 18:53:53 EDT 2019
https://www.cbiz.com/insights-resources/details/articleid/7387/it%E2%80%99s-past-time-for-cre-cybersecurity-strategy-and-governance
Cybersecurity, data security and data privacy continue to be hot topics for
all market segments, including Commercial Real Estate (CRE) companies. The
bottom line is what’s at stake: financial harm to the company, brand and
reputational damage, increased regulatory scrutiny and personal liability
for business leaders, and of course the impact on customers, clients and
others in the value chain.
Most cyberattacks are designed for financial gain – data for dollars.
Personally identifiable information (PII), financial transaction data and
account credentials are the focus of most hacking efforts, and the data
suggests the trend will only increase.
Industry trends run straight into data security risks
Enterprise risk management (ERM) professionals identify cybersecurity risks
as one of the fastest growing concerns across all industries. Federal law
requires some industries, like hospitals and banks, to have some type of
security in place, but the real estate industry is quite vulnerable. Here’s
why and how this impacts commercial real estate:
- Capital commitments are increasing and appear to be favoring
non-traditional commercial real estate. More funds are being pumped into
global markets with an apparent preference for newer business models like
data centers and health care facilities. This translates to significantly
higher levels of data security and data privacy responsibilities for all
parties in the value chain.
- Technology investments in digitization, data modeling, artificial
intelligence (AI), the internet of things (IoT) and virtual intelligence
(VI) are increasing. Smart, eco-friendly buildings are becoming the norm.
Data-driven usage and operational efficiencies help CRE companies, property
managers, tenants, and other industry consumers and vendors.
- Cybertactics and strategies are developing rapidly. Prior data breaches
(e.g., Equifax, Yahoo, Target) have fed data aggregation and analytics used
on the darknet along with social engineering and sophisticated phishing
scams. This information is readily available and sold to competitors,
hackers, employees, previous employees and others, along with easy-to-use
applications and services to invoke an attack against any company.
- Use of third-party suppliers (outsourcing) is increasing for data
processing, data storage, data analysis and other data and processing
services, as well as common business practices such as payroll production.
Vendor-management practices need to include controls and processes
associated with availability, security, privacy, confidentiality and
processing integrity. These service providers include software as a service
(SaaS), infrastructure as a service (IaaS), managed service providers and
other cloud-based solutions.
Understand where you are
CRE companies provide a plethora of opportunity for even the average
hacker. Real estate agencies, title companies, lenders, real estate lawyers
and others operating in the CRE space all handle personally-identifiable
and financially-sensitive information such as social security numbers, bank
account information and credit-debit card numbers – all of which can be
used to defraud an organization and its customers. Here are some of the
ways your data is at risk:
Business Email Compromise (BEC). A BEC is a cyberattack that tricks a
business into wiring money to a criminal’s bank account. The hackers do
this by spoofing email addresses and sending fake messages that seem like
they are from a trusted business professional, such as the CEO or a company
attorney. The FBI has found that multiple billions of dollars in business
losses can be attributed to BEC. One of the easiest and most effective ways to
substantially reduce the risk of becoming the victim of a BEC scam is to
implement a policy of never sending a wire based solely on an email. There
should always be a way to verify the accuracy of the information in an
email, such as talking to the individual who sent the email in person or by
calling the person at a known phone number.
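The two controls in the paragraph above, spotting a message that borrows an executive's name but comes from somewhere else, and refusing to release a wire on the strength of an email alone, can be expressed as a small policy check. The following is an added example written for this archive; it is not code from the article or its author. The corporate domain, the executive directory, the keyword list and the two sample messages are all constructed for illustration.

```python
"""Added example (not from the article): flag wire-transfer requests that show
the display-name impersonation pattern the article describes, and enforce the
article's rule that no wire goes out on the strength of an email alone.
Domains, names and sample messages below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-cre.com"  # constructed corporate mail domain

# Constructed directory of people whose names a BEC message would borrow,
# mapped to the only address each of them legitimately sends from.
EXECUTIVE_DIRECTORY = {
    "Jane Doe": "jane.doe@example-cre.com",
    "Sam Lee": "sam.lee@example-cre.com",
}

# Words that mark a message as a payment instruction (constructed list).
WIRE_KEYWORDS = ("wire", "transfer", "payment", "account number", "routing")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_wire_request(headers: dict, body: str) -> list[str]:
    """Return the reasons a message must not be treated as a trusted wire
    instruction. An empty list means the header checks found nothing."""
    reasons: list[str] = []
    text = (headers.get("Subject", "") + " " + body).lower()
    if not any(k in text for k in WIRE_KEYWORDS):
        return reasons  # not a payment instruction; nothing to examine
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    expected = EXECUTIVE_DIRECTORY.get(name)
    # Display name of a known executive paired with some other address.
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' belongs to {expected}, "
                       f"but the message came from {addr}")
    # Lookalike or external domain (catches 'examp1e' for 'example').
    if from_domain != CORPORATE_DOMAIN:
        reasons.append(f"sender domain {from_domain!r} is not the corporate domain")
    # Replies silently redirected to a mailbox the attacker controls.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        reasons.append(f"Reply-To {reply} goes to a different domain than the sender")
    # Pressure language is the social-engineering half of the scam.
    if "urgent" in text or "confidential" in text:
        reasons.append("pressure language (urgent/confidential) typical of BEC")
    return reasons


@dataclass
class WireRequest:
    headers: dict
    body: str
    # True only once someone has confirmed the instruction with the requester
    # in person or at a phone number already on file (the article's control).
    verified_by_callback: bool = False


def may_release_wire(req: WireRequest) -> tuple[bool, list[str]]:
    """Policy gate: a wire is released only when the header checks are clean
    AND out-of-band verification has been recorded. Anything else is held."""
    findings = assess_wire_request(req.headers, req.body)
    if not req.verified_by_callback:
        findings.append("no out-of-band verification recorded")
    return (len(findings) == 0, findings)


# Constructed samples: a legitimate, verified request and a spoofed one.
LEGIT = WireRequest(
    headers={"From": "Jane Doe <jane.doe@example-cre.com>",
             "Subject": "Wire for closing on 14 Elm St"},
    body="Please wire the closing funds per the attached settlement statement.",
    verified_by_callback=True)

SPOOFED = WireRequest(
    headers={"From": "Jane Doe <jane.doe@examp1e-cre.com>",
             "Reply-To": "jane.doe@outlook-mail.example",
             "Subject": "URGENT wire transfer - confidential"},
    body="Send the wire today to the new account number below. Keep this confidential.",
    verified_by_callback=False)

if __name__ == "__main__":
    for label, req in (("legitimate", LEGIT), ("spoofed", SPOOFED)):
        ok, findings = may_release_wire(req)
        print(label, "RELEASE" if ok else "HOLD", findings)
```

The header checks are deliberately the last line of defence here: `may_release_wire` holds the wire whenever the callback has not happened, even for a message that looks perfectly clean, which is exactly the "never on email alone" rule the article recommends.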
Ransomware. This is the type of malware that makes the data on your device
or network unavailable until you pay a ransom. This is very profitable for
hackers, of course, and is becoming more and more popular. All it takes is
one member of your team clicking on a link in an email, and all of your
data could be locked. In addition to operational systems, ransomware can
target any device that is connected to the internet, including smart locks,
smart thermostats and smart lights.
Cloud-Computing Providers. Like most businesses, real estate businesses
rely on electronic information and systems to run day-to-day operations. A
cyberthief doesn’t have to hack into a company to get its data; all they
need to do instead is target the company’s cloud provider. In most
contracts with cloud-computing companies, the customer (your business) is
not well protected in the case of a cyberattack.
Understand where you need to go
We are long past assigning the safeguarding of this critical data solely to
the information technology (IT) department. Company leadership has a key
role to play in oversight and “tone at the top.” Action plans should touch
on these areas:
- Governance, responsibility and accountability begin with education. CRE
companies need to understand where they are and where they need to go.
Establishing an IT Risk & Security Steering Committee is key. This should
include the company’s IT professionals, business leadership and critical
data stakeholders (department leads, operations managers, etc.). Periodic
meetings regarding critical data protection, including key metrics and
progress against a plan, should be the main focus of this group.
- Develop actionable priorities and a risk-remediation roadmap from a
third-party assessment against a recognized security controls framework
(e.g., NIST CSF, CIS 20). Similar to the financial controls evaluation in a
company’s annual audit, CRE companies should evaluate and establish a
baseline regarding where they are relative to an industry-recognized
security controls framework. This baseline helps establish priorities that
may take several years to implement. The good news is that the highest
risks are being mitigated early, and this sets the stage for continuous
security advancement.
- Change the security mindset and culture. Security is everyone’s
responsibility. Enhance training and awareness, and use data-driven actions
to improve the overall culture. Awareness is first, training is second, but
an enduring security culture and improved behavioral change is the goal.
This includes all employees, suppliers, third-party providers and even
clients working together to ensure safety and security for all.
- Improve the skillsets and talents (internally and externally) associated
with strategic digitization and security plans. This includes employees,
clients, leadership, the board and your partners. Continually assess and
improve the positions that touch, protect and secure critical data and
processes of the company. The pace of technological change is progressing
rapidly, and the company and investors should ensure that the right people,
processes and technology are in place to protect the investment and clients.
How should CRE companies get started?
While the topic and associated efforts may be overwhelming at times, CRE
companies need a step-by-step approach to mitigate these business risks.
Cybersecurity comes down to understanding those risks and creating a plan
to mitigate them.
CRE interfaces with so many companies and people that knowing where the
data comes from and where it goes is critical to security. The first step a
CRE company should take is to conduct an independent assessment against an
industry-accepted security controls framework (e.g., CIS 20, NIST CSF).
This effort should include a prioritized roadmap and plan to be shared with
the board of directors (typically the Audit and Risk Committee).
A data-driven response and action plan, aligned and supported by business
leaders and the board, will go a long way to protecting a CRE company’s and
clients’ data – and livelihood.