Understanding cyber risks in real estate

While the real estate industry has self-admittedly been slow to embrace technology, this is changing quickly. Our Emerging Trends in Real Estate 2021 report found the pandemic has forced the industry to embrace technology solutions, from collaboration tools and virtual open houses to digital payments and property technology (proptech) to ensure business continuity.

Protecting data in a virtual world

Proptech tools, smart buildings and other technologies have significant benefits, but they also create new risks and vulnerabilities. Prior to the pandemic, many real estate companies lacked a comprehensive information technology strategy and weren’t using the full capabilities of the tools they did have in place. With the expanded use of existing tools and accelerated adoption of new ones, they’re now facing additional gaps in security.

Real estate companies should consider how they’re going to protect their organizations in an increasingly virtual world. Our 24th CEO Survey found cybersecurity was the top concern of Canadian CEOs—even more so than the pandemic itself—with 47% of respondents saying they’re extremely concerned about cyber threats. To support this, 69% of Canadian CEOs plan to increase their long-term investments in cybersecurity and data privacy over the next three years.

How to approach cybersecurity

As real estate organizations continue to digitize their businesses, cybersecurity needs to be part of their risk management. To effectively prepare for and respond to cybersecurity threats, real estate companies should think about the following measures and best practices:

1. Understand your risks: Conduct an assessment to see where you’re at and where any security gaps exist. From there, you can develop a road map. This road map should be practical, adapted to your business and focused on areas where you’ll get the best bang for your buck. You can start small and grow from there.
   
2. Start prioritizing: Once you understand your risks, you can better understand which ones to prioritize. There are a number of cybersecurity frameworks that provide guidelines and best practices, such as the NIST Cyber Security Framework and CIS Critical Security Controls. The framework you adopt should be based on the maturity of your cyber program.
   
3. Do your due diligence: Perform adequate due diligence before introducing any new technologies. This could include performing a risk assessment, architecture review or penetration test. If you’re working with cloud providers or managed service providers, make sure you have a way to evaluate the ongoing security posture of those providers.
   
4. Monitor risk exposure: Define and implement clear processes for monitoring your overall risk exposure on an ongoing basis. For example, third-party risk exposure changes over time.
   
5. Monitor malicious activity: Monitor your technology environment for signs of malicious activity at all times.
   
6. Ensure business continuity: Prepare a robust incident response and crisis management plan so if something does go wrong, you’re prepared. For example, your team should know what steps to follow if there’s a ransomware attack.