[BreachExchange] Real Estate Industry Has A ‘False Sense Of Security’ When It Comes To Cyber Safety

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 13 18:58:49 EST 2018


https://www.bisnow.com/washington-dc/news/technology/real-estate-industry-has-false-sense-of-security-when-it-comes-to-cyber-safety-84007

Last December, government services in Mecklenburg, North Carolina, ground
to a halt. What began as a malicious email attachment sent to a county
employee turned into a crippling cyberattack that held 48 of the county's
500 data servers hostage.

The attack prevented services ranging from intakes at the county jail to
processing applications for marriage licenses. Contractors were among those
hit the hardest. Unable to schedule inspections or receive approval to pour
foundations or complete electrical work, contractors had to put development
projects on hold during the multiday recovery process.

The Mecklenburg County attack, and an increasing number of high-profile
hacks in the past year, have brought to light a sobering reality: The real
estate industry is unprepared for cyberattacks.

“Real estate firms have been generally lucky where they have not
experienced the type of breaches that you see in other industry sectors,
and that has probably given many people a false sense of security,” Baker
Tilly Cybersecurity and IT Risk Senior Manager Mike Cullen said. “As other
businesses get better at security, criminals are looking for easy targets.
Construction and real estate could be such targets because they have
historically not always taken the necessary precautions.”

Cullen works with Baker Tilly clients to lead and execute IT risk
assessments, IT process audits and information security assessments, among
other cybersecurity initiatives. Historically, real estate companies were
at lower risk because they maintained less personal information and
intellectual property than financial or healthcare businesses. More
recently, attackers have been drawn to the select pool of wealthy investors
real estate ventures attract, Cullen said.

Data like personal information, blueprints and schematics, access to
building technology systems and financial information can be sold or used
to gain a competitive advantage. Money can be skimmed from tenant and
vendor accounts or credit cards and extorted directly thanks to ransomware.
Last June, property management firm BNP Paribas Real Estate reported a
ransomware attack that took down most of its global systems.

The rise of the Internet of Things has brought the threat of cyberattacks
more directly into tangible property. Building managers have started to
embrace more systems that allow them to manage security infrastructure,
HVAC, lighting controls and utilities remotely. This gives hackers another
point of entry for attacking systems and stealing data, Cullen said.

In the past, building management systems were more proprietary and offline,
creating a higher barrier to entry for hackers. Newer building systems are
more standardized, using software obtained from vendors. These programs,
like all software, come with vulnerabilities that hackers can exploit. Many
companies may also have insufficient password protection or outdated
antivirus programs that contribute to heightened cyberrisk.

Beyond directly sabotaging the systems themselves, hackers can pull
personal data from “smart” or intelligent building infrastructure. In
November 2013, hackers infiltrated Target Corp.’s HVAC contractor’s systems
to steal the payment card records and other personal information of nearly
110 million customers. The company reported a gross financial loss of $252M
by the end of Q4 2014 as a result of the cyberattack.

Risk will continue to rise as intelligent buildings gain popularity.
According to Faculty Executive, an estimated 95% of building systems
connected to the internet have insecure connections, and 65% of vendors
have remote access to building systems.

Talking to vendors about potential cyberthreats and hiring a dedicated
person in charge of cybersecurity are the first steps real estate companies
should take in arming themselves against the growing risk, Cullen said.
Companies must have an employee who spends at least 50% of their time on
the job dealing with cybersecurity.

Once key personnel are put in place, creating a security program that is
specific to the type of real estate business and adaptable to new threats
will ensure a strong defense against future attacks.

“It is impossible to prevent 100% of every attack,” Cullen said. “Your
security program needs to include how you react to an incident so that you
can respond in a timely and thoughtful way instead of a fire drill,
figure-it-out-as-you-go strategy.”

Global spending on cybersecurity will exceed $1 trillion over the next five
years, from 2017 to 2021, with 1.5 million cybersecurity job openings by
2019. While the industry is growing, real estate might not be able to
attract the same top talent as the finance or healthcare sectors.

“Other industries have more money to attract top talent and CRE has not
been willing to spend as much on cybersecurity, which means they are not
getting the best resources,” Cullen said. “To be prepared for what is
ahead, real estate companies will need to invest more in cybersecurity.”