Is the real estate industry safe from cyberattacks?

No. Although not traditionally associated with high-risk industries like finance, healthcare, or manufacturing, real estate still sees its fair share of cybercrime. Considering the large amounts of money and personal data involved with many real estate transactions, it’s easy to see how real estate companies could become easy targets.

How much risk is presented and whether a successful cyberattack happens depends on many factors, including the level – or lack of – preparedness. During Cybersecurity Awareness Month, real estate companies should take a step back to evaluate where risk comes from and how to prevent it.

Top Cyber Risks for Real Estate

Social engineering attacks are the biggest collective cybersecurity risk for real estate companies. This grouping includes data wire transfers, CEO fraud, and phishing emails or calls. A hacker may pose as a trusted but unknown person, like a vendor or new employee, to gain access to company credentials. Or the perpetrator may impersonate a company leader and send a fraudulent email to request access to payroll records, for example.

Business email compromise (BEC) attacks are another form of cyber-crime to be on the lookout for as bad actors who successfully hack into a corporate email will imitate the owner’s identity in order to defraud the company and its employees, customers or partners. From Forbes: “According to an FBI public announcement, between 2015 and 2017 “there was an over 1100% rise in the number of BEC/EAC victims” and an almost “2200% rise in the reported monetary loss in the real estate sector.”

Ransomware, when a hacker or hacker group gains access to a computer network or server and holds it hostage, can cause work stoppage, financial losses, and potential reputational damage. Ransomware attacks are ever evolving and are designed to either shut a company out of its system or threaten to release sensitive information to the public. Real estate companies need to be having internal conversations today about what your organization will do if hit by ransomware. Too often, organizations begin these conversations after they have been hit. Determine a ransomware response plan – today.

There are other risk factors, too. Take the cloud. COVID-19 pushed nearly every business to go remote or fold, and real estate was no exception. As transactions and internal data moved to the cloud, the rate of data breaches also increased, primarily due to misconfigurations or lack of cyber due diligence on newly leveraged third-party vendors. Companies without solid IT infrastructure and security awareness training, when employees began working from home, are at a higher risk of having unresolved vulnerabilities in company systems and human error exposed.

Third-party vendor risk is also a very real and persistent threat. Think about how many vendors and subcontractors are connected to real estate companies in some way. If a data breach occurs at one of those vendors, the real estate company could likely be at risk, too. Many real estate organizations do not perform sufficient due diligence on their vendors to ensure the vendors are maintaining minimum security requirements, which can be identified preferably through third-party SOC 1 and/or SOC 2 attestation reports, or at a minimum via IT questionnaires filled out annually. Other good questions to ask your vendor are if they have a cyber-insurance policy or if they have identified their top three vendors and asked their supply chain what they are doing about disaster recovery, minimum tolerable downtime, vendor management, and incident response.

In general, the more data – be it financial, personal, or business – that a real estate company stores, or its customer list, the higher its risk profile tends to be. Remember – they may not be after only you and it might not even be your data that the hacker wants access to. They may want to see what is there because they are data hungry. Or, they might just mine your data so they can jump to your customer list and then start attacking them. At the end of the day, your size simply does not matter. You might think you’re just too small of a fish for somebody to care about. But, you’re a prime target for them, so they can attack elsewhere.

Cost of Cyberattacks in Real Estate

Don’t underestimate the potential implications of a data breach. There are costly, many, and far-reaching consequences of a cyberattack, including but not limited to:

  • Loss of data – either company financial data, customer, and/or project information
  • Compromised employee information and payroll systems
  • System and/or server shutdown
  • Stolen intellectual property
  • Lawsuits stemming from the failure to protect certain types of data
  • Fees to get systems back online
  • Ransom paid to hacker groups
  • Regulatory fees/penalties
  • Reputational damage
  • Involuntary downtime

The ramifications of an attack extend far beyond the initial event. For smaller real estate companies, a well-executed cyberattack can even run the risk of putting them out of business. In fact, 60% of small businesses that suffer a cyber attack are out of business within six months.

Protecting Against Cybercrime

According to a KPMG survey, only half of real estate companies are adequately prepared to prevent or mitigate a cyber attack. The less prepared a company is, the more vulnerable it is to hackers and fraudsters.

It’s important to understand not only what the risks are but how to safeguard against them. Real estate companies don’t necessarily need a big budget to combat cyber attacks. Creating a culture of awareness and prioritizing data security simply requires a plan and a team of knowledgeable advisors.

One of the most impactful ways real estate companies can combat cybercrime is employee education. Teach employees to use better passwords. Show them how to recognize a phishing attack. Ensure they know what to do if they suspect a fraudulent email or link. Put a process in place to verify requests for sensitive information or wire transfers.

Third-party vendor management is critical in real estate. Companies need to perform a vendor risk assessment annually. During this exercise, document the controls and security protocol each vendor has in place. Outline the scope of services along with security commitments. Detail whether each vendor has cyber insurance and a SOC report.

An organization-wide cybersecurity policy is also necessary, especially in light of hybrid and remote working environments. Implement multi-factor authentication (MFA) when logging into work systems or accessing company software. Regularly back up data and systems. Scan and patch software vulnerabilities. Develop an incident response plan if a cyberattack occurs. Simple steps like these, when repeated and as part of a larger plan, can do a great deal to reduce a real estate company’s risk for cybercrime.

Examples of a cybersecurity program can be found in the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1.

Real estate companies also need to look at what their existing insurance policy covers before an attack. Often, they don’t understand the terms, or the current policy doesn’t fully apply. Cyber insurance covers financial losses in case of a breach and is a different type of risk. It’s usually not covered specifically by blanket business interruption insurance.

An unexpected but valuable cybersecurity resource for real estate companies is their CPA. This is one of the key roles that can help implement an organization-wide cybersecurity policy and review contracts and other documents like SOC reports. At PBMares, our Construction and Real Estate Team works closely with our Cybersecurity and Control Risk practice.

Prepare Your Organization for the Next Cyber Attack

For more insights on cybersecurity prevention, register to attend our live webinar, “What Can You Do to Prepare for the Next Cyber Attack?”, on October 13, 2021.