As technology changes consumer behavior, the real estate industry is making significant changes in its market offerings and making them technologically savvy. At a recent meeting of real estate professionals discussing cybersecurity, which I attended as a panelist, there were many concerns about “smart” real estate and making sure your IT security is in a good place.
Just as we rely upon smartphones and have other smart devices, investors in real estate are demanding an internet-empowered, remotely-operated, convenient environment, both at work and at home. Real estate is indeed becoming smart.
Both landlords and facilities management professionals are challenged with not just deployment of such smart technologies, but also managing the risks that come with such connectivity and using third-party vendors to support the infrastructure or provide technology-enabled services. The question is – what steps can real estate businesses – be it landlords, brokers, property managers or hotels – take to enhance their IT security as technology reshapes the real estate industry? The following are a few of the high-risk scenarios that require consideration.
It’s common for property managers or residents to use their own smart devices to control climate, open and close doors and windows, view deliveries and view cameras remotely for access points. What happens when such devices can get hacked and the hacker could use these devices to attack the network of the business? One needs to ensure that the IT department not only has the company’s network covered but also ensure that the internet-based devices and apps are updated regularly for security patches.
The real estate industry, like many other industries, works through an ecosystem of subcontractors. For example, a real estate owner company’s IT network would interact with that of brokers, repair contractors, maintenance companies, concierge facility providers, security agencies and others. As much as you invest in your IT department and make its security robust, your network is perhaps as strong as or as weak as that of your providers. Carefully monitoring the security protocols of such outsourced providers through third party risk management programs is key. Tools such as an IT security questionnaire, IT security audits of third-party providers or reviewing these companies’ System and Organization Control reports are useful.
The majority of real estate software and service providers have moved towards cloud technology. This essentially means that your data and the data of your tenants is now being collected, processed and maintained by a Software as a Service “SaaS” provider. This data can include personal information (social security numbers, credit cards numbers and bank account details) of your tenants. Many companies have no idea as to which physical location in the world is hosting that data and they place significant reliance on the cloud-based service provider for keeping it secure. If there is a data breach, the company will still continue to be responsible and it may not matter where the breach occurred. Each such cloud service provider requires their customers to keep a list of IT controls to be kept in-house. Your IT department, together with other operational functions using such software platform, should ensure that such controls are in place. It is a best practice to work with a service provider that has been through a System and Organization Control (SOC) Audit, which is an audit of the provider’s processing controls, confidentiality, integrity, security and privacy.
Do you provide guest WiFi in the cafeteria or lobby of your office premises for tenant and visitor experience? If you are managing real estate within the education industry, many campuses are now offering free connectivity to students and visitors. Each device that so connects through the internet becomes part of the network created by you and has the potential of bringing each device’s individual vulnerability to the network. It’s difficult for the facility management’s IT function to control which devices get connected and to assess the level of security. Safeguards need to be in place to segregate networks by users. Always segment the free WiFi network from the main operating network.
Co-working spaces are fundamentally built on the premise that shared physical and IT infrastructure, when used commonly, are cost-effective. The traditional concept of fortifying your network is not effective because different businesses using the same co-working spaces use a common physical infrastructure and increase the risk of data pilferage and compromise. An organization should conduct a detailed review to ensure the co-working space-provider maintains its security and determine how an organization using this co-working space needs to adjust its IT controls to supplement and be compatible with such co-working spaces.
An effective IT security program requires a periodic review of changes in technology and related risks and reviews of existing controls. Demonstrative effective IT security programs may be key in securing a tenant’s trust as well as keeping a watch on service providers.
Withum cybersecurity professionals have the expertise to help identify weaknesses in your systems and design parameters to strengthen your operations and help prevent cybersecurity attacks. Please reach out to any member of the firm’s real estate niche or your Withum service professional for additional information.