Skip navigation

Vigilance, Not Just Systems, Is Key to Adequate Cybersecurity in CRE

How can property managers protect their companies’ and clients’ data?

Don’t look now, but someone’s watching. We don’t know them, and worse, we can’t see them. Sound a touch paranoid? Well, it gets worse. There are few protections against their intrusions that they can’t breach. Of course, I’m talking about computer hackers.

Most sobering of all, as Gregory Stein, vice chair of the data privacy and information security group at the law firm Ulmer & Berne LLP, told NREI last year: “Unlike for banks and hospitals, there’s no federal law requiring real estate businesses to implement security programs to protect information and systems. That’s led to real estate businesses having vulnerable systems and being the focus of potential attacks. Criminals are using a wide variety of attacks that threaten real estate businesses.”

In fact, quoting KPMG research, Stein revealed that fully 50 percent of surveyed real estate companies believed that they “weren’t adequately prepared to prevent or mitigate a cyberattack.” Further, Forbes estimates that cybercrime costs roughly $6 trillion a year. It goes on to show that 85 percent of business assets are in digital form. That’s a lot of exposure.

The way I see it, there are two problems with implementing a bulletproof cybersecurity system. First is cost and second is understanding. Figures I’ve seen put the first-year cost of network security software at around $1400—not bad, but not surprisingly, that’s for a basic, no-frills package, adequate for only the smallest of organizations. Obviously, prices balloon up from there. And those prices don’t include the costs, much higher still, of a person to navigate that system and respond to new hacker threats, preferably before they appear.

Which brings us to the second issue—understanding. We’re property management people. Even if there’s an inclination to solve the issue ourselves, it is best left at the doorstep of a professional, be it an in-house IT expert or a consultant.

As Jeremy Rasmussen, chief technology officer at Abacode, said at IREM’s recent Global Summit, “While legal, insurance and IT all play a part, you really need to engage with a cybersecurity specialist to provide a holistic view and proper governance/checks and balances. The entire organization must be involved.”

And whether it’s done in-house or through a consultant, Rasmussen provided a five-point plan for laying the groundwork of a cybersecurity strategy:

  1. Inventory all systems in your environment to understand what data you possess, the type of data it is and where it’s stored. (Note that he used the following examples as types of data: PII, PCI, PHI. And that’s why you need an expert);
  2. Assess systems externally and internally; verify proper security controls vs. a cybersecurity framework (or relevant compliance doctrine);
  3. Address gaps through policies, procedures, processes, people and layered security controls;
  4. Monitor the situation continuously and respond to incidents in real time to contain threats; and
  5. Empower employees to be the first and last lines of defense.

IREM is also tackling the issue head-on with our recently formed Technology Advisory Board, whose mission is multifold: To determine IREM’s strategy for addressing pertinent technology issues, including data security and cybersecurity; to identify and recommend critical topics and subject matter experts for editorial content, research and knowledge products, such as webinars, courses and seminars, white papers, JPM articles, conference sessions and blog entries; and to provide guidance in identifying and implementing technology projects, collaborations and partnerships.

In many respects, cyber-hackers are like a virulent strain of virus that can grow beyond our attempts at immunity. As Jeremy Rasmussen indicated, vigilance is a keyword in the prevention of cyber-loss, and everyone on the team has to get involved. Only through such vigilance can we ensure some degree of protection.

Sometimes, a touch of paranoia can be a healthy thing. After all, someone is always watching.

Don Wilkerson is 2018/2019 president of the Institute of Real Estate Management. In addition, he serves as president and CEO of Gaston and Wilkerson Management in Reno, Nev.

TAGS: Commentary
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.