July 8, 2019

Digital By Default: Prioritizing Cybersecurity in Your Real Estate Business

Digital By Default: Prioritizing Cybersecurity in Your Real Estate Business Cybersecurity & Digital Forensics

As owners, managers and developers rapidly digitize their transactions and implement building automation systems (“BAS”) to stay ahead of evolving consumer demands, many are uncovering major gaps in their approach to data protection.

In one instance, a property management firm responsible for 20 buildings nationwide was targeted by IBM’s X-Force, the company’s ethical hacking team. The team was able to access one building’s BAS, giving them control of its air conditioning and heating units—with the potential to dismantle all of their servers.

Unfortunately, instances like this do not occur exclusively in the land of simulation. In 2018 alone, the FBI’s Internet Crime Complaint Center recorded 11,300 cybercrimes totaling nearly $150 million in losses due to real estate-related fraud. Last year, the second-largest data breach in history occurred when a cyberattack hacked a Marriott Hotels’ Starwood chain and exposed 500 million guests’ sensitive information.

Whether you’re considering cybersecurity for the first time or submerged in new challenges to your existing plan, consider these five cybersecurity strategies to help protect your facility, your tenants and your digital transactions from cyberattacks.

Protecting Home BAS.

While BAS may improve daily operations—from monitoring and servicing several systems remotely to reducing energy consumption—the more connected the building, the more susceptible it is to cyberattacks.

Before taking proper measures to protect your BAS, it’s important to understand potential system limitations. BAS cannot run antivirus software or host-based firewall because they do not have the computing resources. Also, security applications are prohibitive by design and could affect the systems’ operation. For example, imagine what would happen if a security application installed on a BAS prevented a notification to trigger a fire suppression system.

However, with adequate BAS cybersecurity in place, you can enjoy the benefits of smart building systems safely and effectively. Consider these four recommendations when establishing your tactical mitigation strategy:

  1. Identify all building automation systems withing the environment.
  2. Document, monitor and control access to all BAS.
  3. Enable security features, if supported.
  4. Segment building automation systems.

Hold Your Ground – Stay Uncompromised.

Currently, there is no federal law requiring real estate businesses to implement information security programs—leaving multi-party transactions, credit reports and leasing agreements vulnerable to attack.

The frequency of wire transfers in real estate the industry a particularly appealing target. However, a trained eye can spot fraudulent behavior a mile away. Look for small changes, such as different email addresses or signatures, illogical instructions, conflicting bank information, emails out of context or with poor writing. Be suspicious if a client can only be reached by email – cybercriminals can alter email addresses and compromise communication channels.

Implement policies with strict guidelines, such as never send a wire based solely on an email and request actual checks. Also, consider hiring a third party to perform a vulnerability or penetration test of your business systems to highlight vulnerabilities by scanning and testing databases and networks for weaknesses.

Call for Backup

Real estate is one of the industries most often attacked by malware accessed via email. Opening and clicking on an email containing malware can install key loggers, harvest sensitive information or spread ransomware which encrypts data on the computer and makes the data unavailable until a ransom is paid. Without adequate backups, you may be tempted to pay a ransom.

Backing up your systems allows you to quickly restore data and makes it easier to ignore ransom threats. As a best practice, keep your passwords unique. Use a password manager application such as lastpass or onepassword to keep track of your passwords.

Most hackers continue to rely on phishing to execute attacks. This includes using deceptive emails to convince unsuspecting users to click on links or open attachments that load malware onto computers.

Deploying “next-gen” endpoint solutions as part of your cybersecurity strategy can give you an added layer of heuristic-based software that not only blocks malicious processes, but allows cybersecurity professionals to detect and respond, should a user fall victim to clicking on a phishing email.

Training and simulations of spear phishing raise awareness and accountability. Teach your employees to be careful about opening and responding to emails, especially those with links, attachments, or wire transfer requests.

Stay Above the Cloud.

Real estate businesses are increasingly reliant on cloud computing applications, but system vendors also represent a cybersecurity vulnerability. Hackers pose a particularly dangerous problem for companies whose data resides in the cloud, because stolen credentials can allow hackers to access several features, including email, files, chats and calendars. If a cloud provider gets hacked, your real estate business may be liable.

Provisions in cloud computing agreements often provide minimal protection for cyberattacks. Ask your provider what techniques they use to secure your assets. Cloud providers can store sensitive information about projects and employees, so you should determine if it’s worth requesting additional notifications or boosting your security package.

Strength in Small Numbers.

According to a recent statistic, 61% of breaches occur in organizations with fewer than 1,000 employees. If your real estate business has limited resources or is unable to staff in-house security consultants, offloading your security challenges through a virtual security operations center (“VSOC”) can strengthen your small but mighty team. This cost-effective solution is based on security information and event management (“SIEM”) 2.0, which offers full network to endpoint visibility 24 hours a day.

If you’re new to cybersecurity, it may feel like you’ve struck a geyser—the further you dig, the more there is to manage. However, laying the foundation for a long-term strategy that speaks to the natural rhythms of your organization will protect your operations, employees and clients in the long run.

Marcum Technology provides a full cybersecurity service offering. If you need any help, from beginning a review of your security posture to investigating a cybersecurity incident, or even if you just want to ask for advice on a situation you are facing, please contact us at [email protected]. #AskMarcumTechnology


  • https://therealdeal.com/issues_articles/hack-attack/”>https://therealdeal.com
  • https://www.securityweek.com/hackers-target-real-estate-deals-devastating-impact”>https://www.securityweek.com
  • https://www.inman.com/2018/11/27/real-estate-companies-are-prime-targets-for-cyber-attacks/”>https://www.inman.com
  • https://www.ic3.gov/media/annualreport/2018_IC3Report.pdf”>https://www.ic3.gov