United States

Real estate companies are a new target as cyberthreats grow


By now, most commercial real estate executives know that they can fall prey to a cyberattack, and many companies have already taken precautions to safeguard their transactions, data and privacy.

But with the number of data breaches growing, those precautions may not be enough to secure CRE companies—even small ones—against ransomware, malware and phishing attacks. Worse, executives’ confidence in their companies’ preparation might be blinding them to glaring vulnerabilities.

According to RSM’s 2019 Special Report on Cybersecurity, middle market companies have become more popular prey for hackers, phishers and other malicious actors looking to steal valuable information and make a quick dollar at their victims’ expense.

 “The second you are small enough to convince yourself that you don’t matter, you’re the key demographic,” RSM principal Daemon Geopfert said.

RSM’s study, which surveyed 404 business executives at midsize companies, found that 15% of middle market companies reported experiencing a data breach within the last 12 months. That is triple the percentage from just four years ago and up 2% from last year. Large enterprises are no longer the only targets that hackers are pursuing.

Despite the growing prevalence of attacks on these smaller companies, confidence remains very high. The overwhelming majority—93%—of middle market executives said that they are secure in their companies’ abilities to protect sensitive customer data. 

While that number may sound encouraging, the report cautioned that this overconfidence could mask potential vulnerabilities. Executives may think that they are already covered; however, maintaining cybersecurity is a constant struggle. Companies’ IT teams may also not be giving their executives a full enough picture of the landscape of cyberthreats.

“Executives may have a false sense of security, seeing their peers falling victim to attacks but fully believing that ‘it can’t happen to us,’” the report stated.

But for these companies, attacks are becoming a matter of when, not if. Among respondents, 43% said that malicious actors have attempted to manipulate their employees by pretending to be trusted third parties or company executives. These low-tech attacks—known as business takeover threats—can come through emails, phone calls and even in-person meetings.

Business takeover threats are especially common in CRE. According to the FBI, there was a 110% rise from 2015 to 2017 in the number of business email compromise cybercrimes in the real estate sector.

Ransomware attacks, while less common, are often more costly. When asked if they knew someone who had suffered a ransomware attack, 35% of respondents said yes, while 20% said their own companies were affected by a ransomware attack.

While email phishing remains the most common source of ransomware in real estate, internet-enabled physical devices, like smart locks and smart lighting, can also open gateways to ransomware attacks. In 2017, attackers held an Austrian hotel network for ransom, demanding a reward to unlock the network. Among other things, the attack took down the system of smart locks on the doors of the hotel's rooms.

In order to defray the cost of a potential cyberattack, many companies are now purchasing cyber insurance. RSM’s survey found that 57% of respondents’ companies had invested in such a policy. 

These policies can fill in the gaps left by general liability insurance, and rescue middle market companies from financial ruin: on average, a data breach costs $604,000. But Geopfert cautioned that companies need to know exactly what their insurance policy stipulates. 

“Ensure your policy has specific requirements for penetration testing and security monitoring and confirm you are meeting those obligations,” Geopfert said. “If you violate the requirements of the policy, the insurer can claim that the policy is not in effect.”

Ken Stasiak, another principal at RSM, suggested that reviewing a policy with a cybersecurity adviser before purchasing insurance can make sure that companies don’t end up in the lurch. 

“Cyber insurance is only as good as the application or questionnaire you fill out,” Stasiak said. 

Working with an outside advisor can also help companies make the most of their cybersecurity purchases. Most security tools are only so useful out of the box, the report stated, and they can require extensive tailoring to each organization. A consultant can validate that a company has the major parts of a security program in place. 

The bottom line of the report suggests that protecting companies from cyberattacks has to be an ongoing project. While there are hundreds of steps that companies can take to make themselves less attractive targets for cyberattacks, their digital footprint may never be completely invisible. 

“You can’t hide your assets any more than you can hide your house,” Geopfert said. “That said, you know where your important belongings are. Do what you can to lock them down.”

This article was originally published in Bisnow.

additional insights

RSM US Middle Market Business Index Cybersecurity Special Report

RSM US Middle Market Business Index Cybersecurity Special Report

In the past, midsize companies felt too small for cyber attacks. RSM's cybersecurity survey shows these companies are often a prime target.

Migrating to the cloud

Migrating to the cloud

Many middle market companies are moving data to the cloud for increased efficiency and access, but also greater security.

Subscribe to Real Estate Insights

Get in touch with our real estate professionals