
3 things real estate investors can do to prevent a data breach


Recently, Facebook CEO Mark Zuckerberg traveled from his home in Palo Alto, California, to Washington, D.C., prompted by outrage over a scandal where data from millions of Facebook users was leaked to Cambridge Analytica. Zuckerberg testified before the U.S. Senate for more than five hours.

For those who understand cyber-risk, this scandal proved concerning, but perhaps not surprising. In 2017, there were 1,579 publicly disclosed data breaches, and business organizations accounted for 55 percent of the breaches.¹ As information becomes more readily accessible, businesses must prioritize data security.

According to the Cybersecurity Special Report produced by RSM US LLP in partnership with the U.S. Chamber of Commerce, middle market leaders recognize they are a growing target for cybercrime, but they might not be investing enough to protect themselves against potential attacks. The report found that the number of middle market companies reporting breaches has nearly tripled in the last three years, yet most executives remain confident in their existing data security measures and investments.

Here are three areas where commercial real estate businesses can help prevent a data breach from happening:

1. Protect the data

Data security and data privacy are terms often used interchangeably, but they are not synonymous.

“Security refers to the act of designing and implementing governance and technological controls around the confidential information and assets that your organization values most,” says RSM US’s director of southeast security and privacy, Charles Barley Jr. “Data privacy, on the other hand, involves the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personally identifiable information. These terms are often intertwined, but they are not the same.”

Barley and his team assist organizations with defining and implementing an information security program based on their internal requirements. Additionally, they advise data-rich organizations on designing data privacy handling practices that adhere to domestic and international regulatory expectations.

In April 2016, the European Union introduced the General Data Protection Regulation (GDPR), which was intended to harmonize data privacy practices for each of the EU’s 28 member nations. This legislation requires global companies to take additional measures to design a privacy governance structure and corresponding controls to protect personally identifiable information (PII) belonging to EU residents.

“We likely will not see the United States define a domestic version of GDPR anytime soon, but several commercial real estate companies will be affected,” Barley said. “Any U.S. or global company that processes, stores or transmits the PII of its EU residents will eventually need to comply with this regulation.”

2. Focus on mobile security

Commercial real estate has invested in new property technology over the past few years, and that means more user data may reside off site and with a cloud service provider. To streamline the leasing process, emerging property technology platforms offer tenants an opportunity to pay rent or sign a lease online or through a mobile app.

Some property managers have also introduced tenant engagement platforms like Skyrise to help tenants make the most of their space. This new technology allows property managers to share specific documents or files, chat with tenants and create property-specific events. These apps hold the key to confidential tenant information, so it is important for property owners and managers to understand the security risks at stake.

“The moment you extend your environment to a connected device or third party is the moment you extend where your information is held, so you need to understand how to monitor this data effectively,” Barley says. “In order to ensure this information is secure, owners and managers must also focus on protecting the physical environment and defining proper vendor management practices.”

Several companies within the hospitality sector have brought their physical security systems into the digital space. Many leading global hospitality chains such as Marriott and Hilton now allow guests to check in and even to access their room via a mobile app. While this concept provides a simplified alternative to a standard key, it can also present a security risk should guests lose their devices. This means a criminal can gain access to not only the guest’s phone, but also other physical belongings in the room if effective information security controls have not been deployed.

To mitigate this issue, Barley recommends implementing additional processes that put boundaries around the physical and digital environment. “Property managers and companies need to figure out what assets their tenants and customers hold dear,” he said. “Once they understand these needs, they can implement the necessary security systems.”

3. Establish a new C-level role

To implement systems that make data more secure, commercial real estate companies have begun introducing a new role into their C-suite. For many CEOs, chief operating officers and chief financial officers, security can seem like a foreign language. A chief information security officer, or CISO, leads information security risk management efforts to help a company identify protection goals and manage the implementation of its security requirements. The CISO is primarily responsible for protecting a company’s information—including that of its employees and customers—and information assets.

While a CISO can add value to a company, the CISO will not solve the company’s security problems without executive-level support and employee accountability. All employees have a responsibility to be aware of and protect against these threats. One mistake can cost a company its reputation—and its clients.

¹ The ITRC Data Breach Report (2017), Identity Theft Resource Center.
This article, authored by Tara Lerman, was originally published May 28, 2018 in 

To learn more about the state of cybersecurity in the middle market, download the RSM US Middle Market Business Index Cybersecurity Special Report today.
