Trespassers and would-be thieves have always posed a threat to commercial real estate, but those threats have always been on site and on the ground. Now, a much more direct threat is emerging:wire fraud attacks through phishing emails. Losses range from tens of thousands to millions per successful attack. With the risk of this type of attack and the constant threat of ransomware, real estate organizations need to identify sustainable ways to combat this rising threat.
As more owners, developers and brokers migrate and expand their services, data and communication online, they are increasingly vulnerable to these types of attacks. Without a sustainable cybersecurity program and access to the right expertise, commercial real estate companies will find themselves suddenly unprepared in the face of a breach.
“As threats evolve, commercial real estate cybersecuritystrategies need to evolve in response. They need to understand the threats and where to find the right expertise – both to prevent and to weather an attack,” Baker Tilly Principal David Ross said. “Right now, commercial real estate companies may not realize the extent of their risk. To avoid falling victim to an attack, they must evaluate alternative models for building a sustainable cybersecurity management program.”
To create an effective cybersecurity program, companies must first define their acceptable “risk envelope”, Ross said. He suggested that working with a third-party team in a managed services model is a practical way to verify what vulnerabilities are present and deploy a sustainable program.
“If you don’t start with the risk analysis, it’s impossible to see where you are now and what you need to do to attain your overall security goal,” Ross said.
The biggest risks that commercial real estate companies face center on human vulnerabilities. Malicious actors pretending to be legitimate entities can acquire confidential information and gain access to some of the most important transactions real estate businesses make: wire transfers.
“Phishers will buy a domain name and pose as a legitimate entity by changing a single letter in an email address,” Ross said. “They compose an email that appears to be from the company’s CEO in order to trick employees into compromising systems or data. This opens the door to financial information or confidential documents.”
In order to build an effective security plan, Ross said a company does not only need new data infrastructure, but access to top cybersecurity professionals who also understand the commercial real estate industry.
“Many organizations are realizing that protecting their information, assets and business in this changing landscape requires risk-based, executive-level consideration, and that goes beyond their existing IT department,” Ross said. “A new model with a virtual chief information security officer can bring the expertise immediately needed to build a program and then execute with the right level of expertise to sustain and evolve with new threats.”
Baker Tilly supports this new model through its Virtual Chief Information Security Officer (vCISO) service. Baker Tilly specifically designed the vCISO service for organizations that need a comprehensive cybersecurity program but do not have the complete complement of resources for an in-house, dedicated security team or chief information security officer.
“Investing in cybersecurity is different for every organization, but to successfully implement a program, companies need to consider their options holistically,” Ross said. “Understanding how these options will affect the company’s IT and business operations can help the organization make the right decision. It is also important to understand how the investment will fare for the business in the longterm. We encourage clients to look at different models and find which one works best.”
This feature was produced in collaboration between Bisnow Branded Content and Baker Tilly. Bisnow news staff was not involved in the production of this content.
