Fundamentals of Cybersecurity Oversight and Risk Management
Volume 42, Number 2
January 23, 2018
By Marie-Noëlle Brisson, CRE, and Michael Savoie, Ph.D.
Anyone who deals with large amounts of data, especially from multiple sources, is vulnerable to the various attacks we read about every day. Cybersecurity has become a major issue for commercial real estate in many more ways than was anticipated. Recent exploitations of vulnerabilities include a smart meter hack that allowed perpetrators to access a building information system (BIM) and the use of free wireless access at a shopping mall to access credit card numbers on point-of-sale systems in stores. A multitude of phishing scams continue to fool users into giving away user IDs and passwords to hackers who then roam through corporate databases looking for personally identifiable information (PII). A quick review of market practices and of the internet shows how few articles have been written on this topic, how vulnerable typical commercial real estate operations are, and how only recently they have begun to address their cyber vulnerabilities.
To combat this, we are providing a series of three articles that cover various aspects of cyber security for commercial real estate. In this first article, we address the basic issues of securing operations in commercial real estate. The second article will delve deeper into Data Protection and Governance. The third article will look at the future of the industry, both here and abroad, to help you get and stay ahead of the market.
Value of Data
Historically, especially when our industry was not yet as transparent as it is today, data was valuable to real estate players. But data collection more often than not was left to trainees. Senior executives had no time to spend on “data”. Data mining had not been invented. Data analysis was really about statistical analysis, and even that was not used extensively. The paradox was that access to information was critical but, at the same time, data was taken for granted – not exploited, not mined. The focus was on the contracts and related parties. The data was simply the information needed to complete the transaction.
It takes time to plan, design, permit, build, and hold or transfer real estate. This results in real estate cycles with durations and amplitudes considered inelastic and reflecting delays from business cycles. However, as the world gets flatter, a real estate project needs to be benchmarked with other similar real estate opportunities or vehicles in markets across the globe. Indices now proliferate across countries, regions, and property types. Furthermore, real estate has become an asset class like other investment instruments in portfolios. Commercial real estate returns and risk/reward characteristics are now compared in or near real time to those of bonds and stocks. As real estate is now more commonly monetized, the velocity of information exchanges and need for transparency keep increasing. Reliable data must be available at the click of a keyboard or a swipe on a mobile application.
Today, data is considered a corporate resource, and processes and procedures need to be in place to protect this valuable corporate asset. Data used to be referred to as the “sludge of the Information Age”1 and not much attention was devoted to its management and protection. Today, however, the success of a company hinges on how much better it uses knowledge and information than its competition. Additionally, the amount of data required for a transaction – or for managing and optimizing an equity or debt asset – has increased significantly. Combine this with the requirement to protect personally identifiable information (PII) and the increase in the use of electronic documentation (documents, signatures, etc.), and you have the “perfect storm” for cyber security breaches. Thus, it is about time that data was treated as a corporate asset and, as such, managed properly.
As more and more data and forms become electronic, we need to change our perception of our role in the process. We must consider ourselves IT companies that do real estate, rather than real estate companies that handle sensitive information. Commercial real estate interfaces with so many companies and people that knowing where the data comes from and where it goes is critical to our security. How data is created, handled, and protected is a competitive advantage. It is critical, therefore, that we protect and use data properly.
Where to Start?
There are four areas that must be addressed to secure data in an organization.
Focus on vulnerabilities inside and outside your organization.
The first step of any plan should be to do a security audit on your processes. This audit involves not only internal processes, but all areas where sensitive data is received or distributed. For example, a key area often overlooked by companies is trash. Used paper that is thrown away often contains sensitive information. Putting these documents in the trash without shredding them or not deleting your electronic trash is no different than leaving your credit card on your desk overnight. Your card may not be stolen or copied, but why take the risk? Ensure that your organization has a “cradle-to-grave” strategy for all sensitive information.
Mind your third parties.
Check with other organizations you interface with as part of any project. Find out what kind of security they have regarding the specific documents you exchange with them. Before you exchange any information, ask yourself whether you can trust the other parties with your data. Not being asked similar questions by the other parties should be a red flag. These concerns should be outlined at the onset of any relationship, and may require editing of confidentiality clauses. Banks, for instance, have a great deal of security on financial processes, but principals, consultants, and service providers often do not extend this cyber protection to more traditional processes such as sending and receiving lease information. Security of electronic media can vary a great deal between parties.
Verify that the method used to transfer documents between all interested parties is secure. This is perhaps the most difficult part of the process, as there are so many ways to access electronic data. For instance, ensure that only “read only” versions of documents are available for viewing on a mobile device. A downloaded file and a lost cell phone are a deadly combination. Third-party operational risk can very well be the tip of the data breach iceberg.
Train your employees.
Employees must not only understand their role in the process but must be educated to know when they are handling sensitive information. Each employee should be trained on what to do with sensitive data – both in terms of protecting it from outside access and in terms of ensuring that the data is only seen by those who need it to complete the task or project. This is even more imperative as remote work and shared workspaces become more common. Human error is the number one reason for release of sensitive data. Properly training employees will do more to minimize the improper release of data than any technology upgrade.
Recognize that security is everyone’s job.
Hiring a Chief Information Security Officer (CISO) may sound like a good solution, but a single person (or department) will not solve a company-wide problem. Ensuring that cyber security is everyone’s business – and part of the company culture – is the best defense. Once you’ve addressed your cyber issues, extend your security requirements to all parties with whom you interface. Remember, you’re letting their data into your organization. If the data has already been breached, you may be allowing the fox access to the hen house.
Questions You Should Be Asking
Data security is not a one-time event and goes far beyond simple business continuity plans. Security is an ongoing activity that should be integrated into the daily operations of the organization. There are some key points of vulnerability that should be addressed as you start your cyber security upgrade.
How do you set up your electronic storage?
The industry is very fragmented – real estate companies, surveyors, valuers, title companies, lawyers, banks, brokers, managers, underwriters, counselors, etc., all may touch the data at some point during building, managing or servicing, and holding or transacting. Because of this fragmentation, it is extremely difficult to protect the entire process. Ensure that your data storage areas (databases, data rooms, data warehouses) are protected with both physical and cyber security.
What do you control?
Identify all information associated with a given project and ensure the interface point between you and another party includes a scan of the data to confirm it is free of viruses and other malware before letting it into your system.
How do you control it?
Have clearly written procedures and guidelines for the prioritization of data and the handling of data deemed sensitive. Ensure that all employees who interact with the data are trained and knowledgeable of the procedures. Finally, audit to verify the policies and procedures are being followed.
Which cultures and operations do better with cybersecurity?
In general, organizations that include cyber security in their corporate strategy, train their people to be aware of potential vulnerabilities, have a good handle on their projects and processes, and provide adequate oversight have fewer breaches than those that do not have these four items under control. Maintain an ongoing assessment of your organization against these four goals to maximize your data protection.
To ensure data security, your first step is to take a serious – and quick – look at your organization to see if the issues described in this article exist. If so, take immediate action to address the areas of highest vulnerability. Develop a plan to address each of the areas under the “Where to Start?” section of this paper. If needed, don’t hesitate to use a consultant to help with this process. It is imperative that you get it right as quickly as possible.
Remember, secure what you can control and then vet what comes in and goes out to ensure validity of the process. Ongoing vigilance – making security a part of the culture of your organization – is the best defense against a data breach. While the steps outlined in this paper will not guarantee the safety of your data, they will make your organization more secure and probably improve your efficiency in the process.
Our next article will discuss data governance and the policies and procedures necessary to ensure ongoing data security.
1. Anany V. Levitin and Thomas C. Redman, “Data as a Resource: Properties, Implications, and Prescriptions,” Sloan Management Review, October 15, 1998. Cited from R.W. Lucky, Silicon Dreams: Information, Man, and Machine (New York: St. Martin’s Press, 1989). Viewed at http://sloanreview.mit.edu/article/data-as-a-resource-properties-implications-and-prescriptions/, September 6, 2017.