
Cybersecurity for Real Estate Companies

Cybersecurity has been one of the most common buzzwords of the 21st century, as industries become increasingly reliant on technology for day-to-day operations. The real estate industry is no exception to this trend.

Given how routine online rent payments, wire transfers, and ACH transactions have become, along with servers filled with sensitive information relating to properties, mortgages, and tenants, batch accounting systems accessed through virtual private networks (“VPN”), and much more, cybersecurity should be a priority for every real estate entity. As if that alone were not enough, the Coronavirus pandemic has brought cybersecurity concerns to the forefront due to an increase in remote working. In addition, hackers are becoming harder to avoid because they use artificial intelligence (“AI”) in the form of “bots” that automatically search for new targets and test them for weaknesses without the manual guidance of a hacker. Due to the use of AI, a web server will be detected by a hacker for the first time in an average of eight minutes after first being launched. That being said, there is no need to panic; hackers should be thought of as another form of business competition. With an understanding of the cybersecurity threats to your company and proper preparation through security programs, you can mitigate the risk of business shutdown due to a cybersecurity attack.

How and why do hackers attack real estate entity computer systems?

There are many ways that a hacker can attack a company’s computer systems, but the two most common are:

  • Phishing – emails sent from hackers that appear to be from reputable sources and are designed to entice company personnel to reveal confidential information or click on attachments within the email that allow attackers to hack into the company’s systems.
  • Ransomware – a malicious software program that prohibits access to computer systems until a “ransom,” typically a sum of money, is paid.

Hackers use the attacks mentioned above either to block a company’s ability to make money or to steal money directly. The first scenario uses ransomware to block access to computer systems and halt operations. Attacks are often timed to occur at the worst possible moment for a business in order to force the payment of a ransom. Hackers are becoming increasingly effective with this strategy as they spend more time studying niches and looking for the perfect moment to strike. For real estate companies, an attack could be launched near the end of the month, so that operations are halted on the first of the month, when most transactions occur. After operations are halted, it takes an average of 7 to 14 days for mid-sized firms to become fully operational again.

In the second scenario, hackers steal directly from real estate entities by using phishing to get into the computer system and then using wire transfers, which are one of the most lucrative areas for hackers targeting real estate firms. Real estate companies must be aware of their most valuable and vulnerable functions, including wire transfers and the various sources of confidential information stored on company servers. When it comes to cybersecurity attacks, a company is fine until it’s not, so preemptive measures should be taken.

Another “why” that real estate entities should be aware of is that hackers have broadened their scope across niches. Industries that have seen a higher rate of attacks in the past, such as the healthcare industry, are now putting significant investment into cybersecurity measures. These measures have forced hackers to broaden their scope to include industries that have not been under attack to the same degree, such as the real estate industry. A lack of attacks usually means a lack of investment in cybersecurity, so the real estate industry is a soft target for hackers.

Considerations when implementing cybersecurity programs

Can your business operate without computers? This is a question real estate companies must ask when considering cybersecurity programs. Even with the best security programs in place, there is still a risk that cybersecurity attacks will succeed, so firms should consider having business continuity and disaster recovery plans in place should the worst happen. That being said, effective cybersecurity programs can significantly mitigate the risk of successful attacks. Some of the most common security programs for real estate entities include:

  • Cloud security platforms.
  • Internal controls and best practices relating to the use of different software platforms, especially those involving wire transfers and programs containing confidential information relating to tenants, properties, bank information, and more.
  • Email best practices training and guides for all personnel.
  • Password strength and periodic change requirements.
  • Up-to-date antivirus software and firewalls, as well as regular updates to operating systems.
  • Cybersecurity education programs for personnel.

There are many different combinations of security programs that may be right for a company, so how should a company choose, and how much should it pay? Generally speaking, 8% of revenue should be dedicated to information technology (“IT”), and 10% of that amount should be dedicated to cybersecurity. As for how to choose security programs, or how to gain further insight into the strength of the programs that are currently in place, companies should involve a reputable third party that specializes in cybersecurity. Even if an IT function is in place, and whether or not that IT function has capabilities in the cybersecurity field, an objective set of eyes will always find something subjective eyes gloss over. A third-party cybersecurity specialist can take on the role of a hacker and perform penetration testing to help identify the weak points in computer systems and build a suitable cybersecurity infrastructure that is prepared for attacks by hackers. This healthy external view is the best way to prepare for inevitable cybersecurity attacks.


The year is 2021 and cybersecurity is a hot topic. For real estate professionals, it is time to ask, “Is our company prepared for a cybersecurity attack?” Whether the answer to that question is yes, no, or unsure, it would be beneficial to gain the insight of a reputable third-party company specializing in cybersecurity in order to be certain the answer to that question is yes. Real estate industry competition is always changing, so we must welcome the newest competitor to the field and prepare for them appropriately.

Author: Nick Ottum, CPA, MBA | nottum@withum.com

Please reach out to a Withum real estate team member for further assistance.
