Real Estate Companies Are Sitting Ducks

With countless attack vectors, real estate (a goldmine of financial transactions and data) is not prepared for what's to come

Real Estate Cybersecurity

More proof that no industry can elude cyberattacks: one-third of real estate companies claim they’ve experienced a hack in the past two year. According to research by KPMG, an audit and advisory corporation, one-half of real-estate organizations also feel ill-prepared for an attack.

Thus far, real estate enterprises have been perceived as non-targets, since they deal with less sensitive data than, say, the finance or healthcare sectors. A handful of recent wake-up calls has cast aside that assumption. Among them, BNP Paribas Real Estate, boasting $27.3 billion in assets under management, which was hit by Petya ransomware earlier this summer. On the other end of the financial spectrum, a Washington D.C. couple lost $1.5 million this month when a hacker used their information—stolen from the Federal Title and Escrow Company (which was selling the home)—to phish money from them.

Real estate breaches are growing in popularity, because they offer both money and sensitive information. Law360 reports that multitenant, senior-housing, and hotel properties seem to build the most data over time, making them attractive targets. The connectivity between a real estate company’s online building-management system (BMS) and its clients’ bank information is particularly appealing to thieves.

Commercial Real Estate Cyber Threat Landscape (chart courtesy of Deloitte)

These “smart” systems, many with remote access, can also centralize utilities, heat/cooling systems, security access and surveillance, as well as safety devices such as fire alarms. An increasing number of buildings use SCADA systems, which have proven a formidable cybersecurity challenge for the energy sector.

As with many other industries, numerous touchpoints (managers, developers, appraisers) create several security gaps. A Deloitte report points out that, in the 2013 Target data breach, thieves navigated through a HVAC contractor’s systems to steal 110 million customers’ credit-card information and other personal data. Deloitte also quotes a study finding that 37% of data breaches in real estate are inside jobs.

With so many attack vectors, real estate desperately needs enterprise-wide visibility. The technology exists; they just need to deploy it. With security analytics, they could palpably diminish attack surfaces, while bolstering risk-management. This type of platform would radically accelerates threat detection, while triangulating the who-what-where-when of an attack.

The combination of detection speed and threat context are incredibly valuable. The Deloitte report cites a 2014 breach of an unnamed real estate investment trust. (REIT, being a trillion-dollar industry, is the ultimate prize for hackers.) It took the company at least half a year to realize that a hacker had compromised its systems, stealing personally identifiable information (PII) and enterprise secrets. Meanwhile, three years later, the company is still paying forensics experts to piece together this crime that they never saw coming.