Cybersecurity for Real Estate Companies

Cybersecurity has become a pervasive part of anyone doing business in today’s world. Every organization, no matter the size, needs to be aware of cyber threats and what they can do to protect themselves, their business, and the information they store and transmit. The real estate industry is no exception to this.

The prevailing wisdom when it comes to cyber attacks is no longer if, but when a business will become the victim of a cyber attack. With the use of online rent payments, wire transfers, and ACH transactions, servers filled with sensitive information relating to properties, mortgages, and tenants, batch accounting systems accessed through virtual private networks (“VPN”), and much more, cybersecurity should be a priority for every real estate entity. So, how should those in the real estate profession protect their organizations?

The first thing you should do is understand what assets you have and where your data is located. Most will have at a minimum a laptop and a cell phone. Some may have server(s) onsite, in the cloud or often both. Most will also have access to the internet from their offices, at home and while mobile. Your data will be on all these devices and in the clouds that you use.

Next, businesses need to understand the threats they face when it comes to cybersecurity. Hacking collectives and nation-state groups have come to the forefront when it comes to threats to our information systems. With an understanding of the cybersecurity threats to your company and proper preparation through security programs, you can mitigate the risk of business shutdown due to a cybersecurity attack.

How and Why Do Hackers Attack Real Estate Entity Computer Systems?

There are many ways that a hacker can attack a company’s computer systems, but the two most common are:

  • Phishing – emails sent from hackers that appear to be from reputable sources and are designed to entice company personnel to reveal confidential information or click on attachments within the email that allow attackers to hack into the company’s systems or to steal your credentials.
  • Ransomware – a malicious software program that prohibits access to computer systems until a “ransom,” typically a sum of money in the form of cryptocurrency, is paid.

Hackers use the attacks mentioned above to either block the ability to make money or steal money directly. The first scenario uses ransomware to block access to computer systems and halt operations. Attacks are often timed to occur at the worst possible moment for a business in order to force the payment of a ransom. Hackers are becoming increasingly more effective with this strategy as they spend more time (some hackers can be in your environment for up to nine months!) studying your network environment and looking for the perfect moment to strike. For real estate companies, an attack could be generated near the end of the month, so that operations can be halted on the first of the month when most transactions occur. After operations are halted, it takes an average of 7 to 14 days for mid-sized firms to become fully operational again.

For the second scenario, hackers can steal directly from real estate entities by hacking into the computer system by way of phishing and then utilizing wire transfers, which is one of the most lucrative areas for hackers of real estate firms. Real estate companies must be aware of their most valuable and vulnerable functions, including wire transfers and various sources of confidential information stored on company servers. When it comes to cybersecurity attacks, a company is fine until it’s not, so preemptive measures should be taken.

Another “why” that real estate entities should be aware of is an increased scope across niches by hackers. Industries that have seen a higher rate of attacks in the past, such as the healthcare industry, are now putting significant investment into cybersecurity measures. These measures have forced hackers to broaden their scope to include industries that have not been under attack to the same degree, such as the real estate industry. A lack of attacks usually means a lack of investment in cybersecurity, so the real estate industry is a soft target for hackers.

Considerations When Implementing Cybersecurity Programs

Can your business operate without computers? This is a question real estate companies must ask when considering cybersecurity programs. Even with the best security programs in place, there is still a risk that cybersecurity attacks will succeed, so firms should consider having business continuity and disaster recovery plans in place should the worst happen. That being said, effective cybersecurity programs can significantly mitigate the risk of successful attacks. Some of the most common security programs for real estate entities include:

  • Cloud security platforms.
  • Internal controls and best practices relating to the use of different software platforms, especially those involving wire transfers and programs containing confidential information relating to tenants, properties, bank information, and more.
  • Email best practices training and guides for all personnel.
  • Password hygiene practices that encompass the use of passphrases, not using the same password on more than one system, and not re-using old passwords. Using a password vault will help users with these measures.
  • Up-to-date antivirus software and firewalls, as well as regular updates to operating systems and software.
  • Cybersecurity education programs for personnel.

There are many different combinations of security programs that may be right for a company, so how to make a choice and how much to pay? Generally speaking, 8% of revenue should be dedicated to information technology (“IT”), and 6-14% of that amount should be dedicated to cybersecurity. As for how to choose security programs, or how to gain further insight into the strength of the programs that are currently in place, companies should involve a reputable third party that specializes in cybersecurity. Even if an IT function is in place, and whether or not that IT function has capabilities in the cybersecurity field, an objective set of eyes will always find something subjective eyes gloss over. A third-party cybersecurity specialist can take on the form of a hacker and perform penetration testing to help identify the weak points in computer systems and build a suitable cybersecurity infrastructure designed to be prepared for attacks by hackers. This healthy external view is the best way to prepare for inevitable cybersecurity attacks.


The year is 2022 and cybersecurity is a hot topic as we have become increasingly aware of the capabilities of hacking groups and nation-states when it comes to compromising organizations. For real estate professionals, it is time to ask, “Is our company prepared for a cybersecurity attack?” Whether the answer to that question is yes, no, or unsure, it would be beneficial to gain the insight of a reputable third-party company specializing in cybersecurity in order to be certain the answer to that question is yes. Real estate industry competition is always changing, so we must welcome the newest competitor to the field and prepare for them appropriately.

Authors: Nick Ottum, CPA, MBA | [email protected] and Julie Tracy, Executive Cybersecurity Advisor | [email protected]

Contact Us

For more information on this topic, please contact a member of Withum’s Cyber and Information Security Services Team.