As smart cities begin to expand, it is becoming essential that real estate developers and investors keep cybersecurity top of mind. Smart buildings can improve building and tenant efficiency, but can also leave company and tenant information vulnerable to attacks.
Last week, Equifax came clean about a cyberattack that compromised millions of Americans as well as an untold number of people in Canada. Names, birth dates, Social Security numbers, addresses and driver’s license numbers are among the potentially leaked information that could serve to negatively affect Americans for months or years to come.
While the breach has caused uncertainty among the general population, it has also shed light once again on the possible ramifications of hacks in the commercial real estate industry if companies do not invest in cybersecurity tech.
“Building management systems may also be vulnerable. There isn’t really the profit motive to interrupting building management but, for example air conditioning, heating, elevators can be hacked. And so that’s another layer for commercial real estate companies to be aware of and protect,” said Leo Taddeo, chief information security officer at Cyxtera Technologies, a new data center company that was formed earlier this year in a $2.7B deal between private equity firms Medina Capital and BC Partners.
Getting started on protecting a network can be tricky, especially if an organization lacks an understanding of it. As was the case with tech adoption, many within the industry have been slow to adopt and budget for cybersecurity to protect sensitive information.
“One of the biggest issues is organizations just trying to get their hands around the complexity [of cybersecurity], especially larger organizations. Understanding and kind of peeling apart the layers of understanding how to protect [the network],” Hill Top Security Chief Technology Officer Neil Wright said.
To make matters more complicated, the commercial real estate industry is increasingly working to provide building automation, integration and personalization by implementing the Internet of Things, but with those benefits come risks and vulnerabilities — and even the most simple threats can have devastating consequences.
“Some of the very basic [threats] are phishing and spear phishing. These are becoming more sophisticated. These are emails where they’re sending links or sending a document. You take some action that will infect your laptop, your desktop and it will perpetuate itself and move across the desktop. It can be as simple as reconnaissance and as complicated as taking a lot of data,” Wright said.
This means financial institutions with confidential information, REITs or real estate private equity firms with sensitive data all run the risk of becoming victims to a cyberattack.
Tannenbaum Helpern Syracuse & Hirschtritt Technology lawyer Mark D. Grossman said the recent Equifax hack will lead to a new federal law that governs cybersecurity — a shift that could easily change the way many businesses operate.
“Right now there’s really nothing in place, so I could foresee something like what we have right now where Enron led to increased regulation. So this is what we might expect here, regulation that requires CEOs, CIOs to sign off on cybersecurity, security controls, hacking attempts that have occurred, breaches that have occurred, weaknesses and maybe addressing recommendations for the future,” Grossman said. “What I don’t expect to see are specific mandated requirements. You don’t want to do that because if you lock it down, in six months it could be horrifically outdated.”
An Ever-Advancing Threat
With hackers constantly changing the way in which they infiltrate systems, organizations must keep up with security measures in order to avoid a breach.
Even the National Security Agency was recently caught off guard by Russia’s “Fancy Bear” hacker group, which used leaked NSA information to target hotels and steal information from high-value guests using only the WiFi network.
“The NSA leak from a few months ago has released a good deal of high-end sets of hacker tools and script capabilities that folks like Fancy Bear [have used]. They had infiltrated WiFi at these high-end hotels and they were able to steal passwords and data from corporate individuals,” Wright said.
These threats have caused an increase in the cybersecurity market, which is now a budding industry, with analysts predicting it will grow from $138B in 2017 to $232B in 2022, JLL reports.
The recently formed data center provider Cyxtera Technologies was created with the intent of focusing on international cybersecurity. Cyxtera recognized the need to create technology to protect entire infrastructures rather than using outdated and often ineffective forms of protection such as firewalls.
“We control user access and have a robust user identity authentication process and have very limited visibility on what’s on the inside of what’s being protected. [That starts] from the ground all the way up to the user,” Taddeo said.
Similarly, Hill Top Security and Big Wind Capital this week signed two agreements with government and commercial customers to provide them with their military-grade cybersecurity platform by the name of Vauban. The platform works to assess risk and provide companies with a solid line of defense against cybersecurity attacks, including ransomware, DDoS and malware.
Other companies are using Sensitive Compartmented Information Facilities to protect their data and sensitive information. Many of the facilities are equipped with walls that have electromagnetic shielding and filtered power to prevent electronic devices from penetrating walls.
The Future Could Get Even More Personal
As for entering buildings and keeping the information inside secure, Grossman predicts security could get a lot more personal.
“I see us moving away from a card we wave at a device to a retinal scan, a fingerprint identification. Something biometric. The technology exists, it’s just a matter of implementing it.
“You want the building to recognize you,” Grossman said.
When it comes to cybersecurity, the protection does not have to be complicated. In fact, many organizations can improve their security by focusing on the basics.
“Carefully screen email that’s coming in and be aware of the threat. On the ransomware side, it is having email protection and also the ability to monitor and prevent employees from visiting websites that might introduce malware into the system. So protections against malware antivirus and email screening tools protect against ransomware,” Taddeo said. “Another thing to do when protecting against ransomware is making sure an enterprise has backups so it won’t be crippled if an attack happens.”
Maintaining security starts with gaining an understanding of the network and being mindful about impending threats, Wright said.
“Any time you’re involved with a third party, there’s just a level of awareness [you must have],” he said.