Cybersecurity threats have become a constant and pervasive concern impacting multiple industries. In April, Boeing’s factory computers were held hostage by a ransomware virus, WannaCry. The same week, Baltimore was left without its 911 dispatch system for over 24 hours when hackers prevented calls from being recorded. For many commercial real estate companies, these growing threats have done little to spur significant investment in cybersecurity.
Over one-third of real estate firms have experienced a cybersecurity event themselves or at one or more of their properties in the last two years. But in a KPMG survey of real estate professionals, half of the respondents said they were not adequately prepared to prevent an attack.
For Newmark Knight Frank Executive Managing Director Geoffrey Kasselman, SIOR, it is only a matter of time before a significant cyberattack forces the industry to reckon with how insufficient cybersecurity will impact a company’s ability to develop, market and lease property.
“Real estate decision-makers are still using an analog model of real estate investment because they continue to make money,” Kasselman said. “Where has there been enough pain for people to completely reinvent their business model and include cybersecurity in the investment equation?”
Worth The Investment
A lack of understanding has made the industry slow to adopt and budget for cybersecurity. While using a firewall and strong passwords can help mitigate security breaches, comprehensive cybersecurity measures go beyond online incidents, Kasselman said. Security measures need to accomplish everything from safeguarding cloud services to preventing physical intruders from accessing the data centers that hold tenant information.
Building automation, especially building management systems that regulate HVAC, elevators and other services, has compounded the problem. While these systems have made buildings more efficient, they have also increased the number of entry points through which a hacker can access tenant data.
Frequent attacks could impact a company’s productivity and, in turn, negatively affect a property owner’s ability to secure long-term leases.
“Let’s say you have a trophy building in a major market like a World Trade Center or TransAmerica Building,” NKF Executive Managing Director Steve Kapp, SIOR, said. “Somebody could come in and breach systems with thousands of people working there, hack into the system and turn all of the lights off. Now you have to evacuate the entire building.”
Hiring an executive who understands the complexities of cybersecurity has become a popular solution. After suffering a major data breach in 2014, Target hired a chief information security officer. A relatively new position within the C-suite, a CISO handles the strategic implementation of cybersecurity initiatives. The caveat is the price: The average median CISO salary is $204K.
With the exception of a handful of large real estate companies, that is cost-prohibitive. Mom-and-pop businesses cannot afford a full-time CISO, Kapp said. At the publicly traded level, REITs and multinational brokerage firms have invested in robust measures, from CISOs to training programs. At NKF, every employee is required to undergo an hour of cybersecurity training, and they must change their passwords every 90 days.
“It is a harder decision to invest in these measures when you are part of a company with only five employees,” Kapp said. “Maybe you don’t need a full-time person. Maybe it is someone who does an audit and then checks in on the status of the company quarterly. Maybe it is an outsourced service.”
For smaller shops that manage real estate assets through third-party contracts, outsourcing cybersecurity programs could help offset costs.
Who Is At Fault?
There has been a debate over whether tenants or landlords are responsible for preventing cyberattacks. Responsibility varies across lease terms and asset classes. In an industrial property, for instance, tenants assume responsibility for all building operations. In an office building, the landlord maintains control over building management. While the landlord provides amenities and the infrastructure to support the business, cybersecurity might come down to an individual tenant