Internet of Things creates new risks for Commercial Real Estate
Cybersecurity is an “ongoing and developing conundrum,” said John B. Nicholas, professor of computer information systems at the University of Akron. Cyberattacks continue to evolve. As one vulnerability gets resolved, hackers and other actors look for another way to get that data.
And one of the biggest vulnerabilities Nicholas sees in the cybersecurity space today is the Internet of Things (IoT), the term describing the network of physical products, like appliances, being connected to the internet. Consumers can buy inexpensive, internet-connected doorbells and security systems, but they need to be properly secured from a software perspective to be safe.
“Meaning that the actual physical security that you’re putting into your buildings or into your homes or whatever is actually, kind of, the weakest link to cybersecurity,” Nicholas said.
One sector where this might be particularly relevant is commercial real estate, where the data being handled isn’t just the commercial real estate company’s. It’s that of their customers, as well.
“Any device that’s connected to your network anywhere on that system is a potential vulnerability, if it’s not secured right,” Nicholas said.
A 2015 report from Deloitte on cyber risk in the commercial real estate industry noted that most in the sector, at that time, considered themselves “relatively less at risk from a potential cyberattack,” because they don’t host much personal customer data on their own systems. But the report highlighted that tenants are exposed to cyber risk at a variety of points within a physical building.
“CRE companies are stepping up their use of new technologies such as cloud, mobile, and social media to drive tenant engagement and operational efficiency. In addition, they are implementing increasingly sophisticated technology solutions for building management,” the report stated.
That might make life easier in some regards, but it also “exposes information and data through multiple channels,” the report noted. Notably, the report mentions the 2013 Target data breach, which used the system of the retailer’s HVAC contractor to steal customer information.
The liability of a landlord to its tenants varies by state, but in Ohio, the state has the Ohio Data Protection Act, Nicholas said. Under the act, parties need to follow certain guidelines if they don’t want to be held accountable for breaches.
Curtis Merriweather Jr., a design and innovation Ph.D. fellow at Case Western Reserve University, said the first step in any cybersecurity plan needs to be an assessment to identify vulnerabilities. In real estate, use of IoT technology gives companies more exposures for potential attacks.
Merriweather, whose background prior to Case Western Reserve was in cybersecurity via government contract work, doesn’t think small real estate holders, like small landlords with a few buildings, are at much risk for cyberattacks. The return for the work isn’t high. But large real estate holding companies and REITs might be. There are more assets at play, and the chance that hacking into one facility at a large company gives the bad actor access to all is pretty high.
But it’s impossible to eliminate all risks. The aim, Merriweather said, is to prioritize what most needs protection and find a plan that fits the company’s budget and goals.
Commercially available security products increase the “potential for attacks,” Merriweather said, because people are familiar with the products. Proprietary products are more of a deterrent to hackers.
And there are simple steps companies and individuals can take to protect themselves, like using VPNs and strong passwords. It’s about creating barriers, so your company isn’t an easy target, Merriweather said.
Nicholas said if he were leasing a building to customers, he’d want to make sure there was a “cyber defense” mechanism in place, implementing hardware or software intrusion detection and intrusion prevention systems. Specifically, Nicholas said he’d set up a “subnet” to tightly secure the building’s IoT systems, like security systems or automated heating and cooling, away from other internet uses. Cybersecurity is largely about “mitigating risk,” he said, keeping potential attacks as contained and limited as possible.
“Sometimes the big picture here is just finding ways to contain the hackers if they do get in, so they can’t get out and go to other places,” he said.
And cybersecurity needs to be an ongoing consideration. These are systems that need to be updated regularly, as threats — and customer needs — change frequently, he said.
Author: Rachel Abbey McCafferty
Contributor: Curtis A. Merriweather, Jr.
Originally published at https://www.crainscleveland.com on July 22, 2022
