Real Estate sector is waking up to Cyber Reality

Until around 2010, whenever people heard the word “cyber-attack”, they generally associated it with the IT sector, which has a number of internet-facing functions and devices. Subsequently, digitalization permeated across business and industry, bringing largely conservative sectors like real estate into the digital fold. Increased digitalization also gave rise to cyber-attacks, with perpetrators capitalizing on greater playing fields and attack surfaces.

It wasn’t until the cyber-attack on First American Financial Corp.⁽¹⁾– a leading real estate title insurance company – that the cyber reality began to dawn on stakeholders in the real estate sector. The attack on First American Financial Corp. in 2019 led to the compromise of the sensitive data of nearly 885 million customers. Nearly 15 years of documents related to mortgage deals, bank account details, tax records, and driver’s license images were leaked. If it can happen to a Fortune-500 company, where does this leave mid and small sized businesses, which are the likelier targets?

Risks in real estate are real, and evolving

To begin with, cybersecurity is relatively at a nascent stage within the context of real estate, due to the sector’s delayed digitalization. However, the significant uptake of Proptech in a short time has widened its susceptibility to attacks. With real estate being a capital-intensive sector, the stakes are naturally high. And stakeholders who are still averse to digitalization continue to adopt tech in a haphazard manner, thereby giving hackers an opportunity to strike.

Increased IoT and BMS adoption: Geared towards smart buildings, real estate professionals are increasing the application of IoT and AI across portfolios, in tandem with existing BMS. Although this is unlocking multiple positive outcomes, it is also expanding attack surfaces.
Collation of data: Paperless real estate operations are consolidating large amounts of financial data, personal information, and social records of occupants and owners; before storing them in the cloud. So, if hackers gain cloud access, the entire data repository is compromised.
Multi-vendor risk: Simply put, a real estate firm’s security posture is as good, or as bad, as its vendor’s posture. Since real estate is inherently a multi-vendor asset class, it presents perpetrators an opportunity to hack into a firm externally, through vendors.
Evolving attacks: According to research⁽²⁾, among the total reported ransomware attacks in the past year, around 13.9% of attacks were faced by the construction industry. And the average demanded ransom stood at $6,000. Additionally, business email compromise (BEC) is becoming commonplace in the real estate sector and the rate of malicious emails has increased, along with their shrewdness.

Action plan for better cybersecurity

Every cybersecurity program should be formulated based on location-specific regulations, risks, and resources. The UAE’s recently passed federal Data Protection Law is an example of a framework to comply with. That aside, creating a foolproof security posture will require real estate firms to formulate actionable policies pertaining to vendor assessment, incident response, access management, and awareness training, among other critical functions. Despite being in its nascent stages, cybersecurity in this domain merits sizable investments and attention.

Cybersecurity strategies must factor in the expertise of legal teams, third-party solutions providers/vendors, and most importantly, the IT teams. Functions such as incident investigation, remediation, and reporting, must be well-defined and assigned to designated teams. Concurrently, emphasis should be on periodic functions, such as vendor-risk assessment and raising awareness among in-house professionals. A majority of BEC attacks can be avoided with heightened awareness alone. Combined with effective implementation and timely upgrade of anti-virus solutions, these considerations will help real estate stakeholders assimilate into the new cyber reality with minimal damage and downtime.