It's time for the Real Estate & Construction sector to wake up to cyber risk!
In 2016 cybercrime cost the global economy over $450 billion; over two billion personal records were stolen and, in the US alone, more than 100 million people had their medical records stolen. The Hiscox Cyber Readiness Report 2017 surveyed 3,000 companies across all sectors in the US, UK and Germany, to assess their readiness to deal with cybercrime: the report found that less than half of the businesses were prepared to deal with cyber-attacks.
This relaxed attitude to cyber security is a real concern because all businesses are vulnerable to cyber attack. Perhaps most at risk are the industries least concerned about cyber issues - the real estate and construction (REC) sector considers itself immune from hacking as, traditionally, it is not a digital industry.
However, the increased use of digital technologies exposes supposedly secure information and data through multiple channels: web-based transactions, the use of cloud services, smartphones and social media all represent access points, through which hackers can access and leverage sensitive information. So, with each new digital exchange or action, data protection becomes increasingly complex and the reality of cyber-attack grows more likely. The REC sector holds significant value for cyber attackers and its minimal cyber defences make it vulnerable.
So, what are the threats and what can REC businesses do to protect themselves?
All REC companies are in possession of sensitive data, whether it is in the form of building blueprints, infrastructure designs, client information or financials. Real estate companies regularly handle significant funds, which make them ideal targets for hackers, and many REC companies have expressed concern about potential cyber vulnerabilities in wire transfer processes associated with these big-ticket transactions.
For this reason, BDO Global advises its REC clients to regularly check their communication channels to ensure that they are secure. Avoid online messaging apps and be cautious about opening suspect emails or attachments. Company-wide training on identifying online risk would also help to prevent breaches in cyber security.
Check your comms
Secure communications channels are vital. REC businesses will store details of high-profile tenders, perhaps including information on highly-lucrative government contracts. Without proper cyber security, corporate espionage is a real risk: it would be in the interests of a company to find out what their competitors’ bids look like, and to undercut them.
Similarly, real estate companies are often backed by one or two high net worth individuals, working from small or home offices, which are vulnerable to small scale or targeted attacks. The more senior people within a company are most at risk of corporate espionage and sensitive information can easily be used as leverage. So, smartphones, tablets and laptops should be regularly screened to make sure messages, calls and emails are only seen or heard by their intended recipient.
Smart cities represent significant risk: any internet-connected device is in danger of being hacked and in a smart city, these devices are numerous and vital – for example CCTV, traffic controls, and infrastructure systems, such as sewage and drainage.
Similarly, smart buildings, and the use of devises equipped with increasing interconnectivity, put personal data and physical safety in jeopardy. For example, building management systems (BMS) handle everything from air conditioning to television, lighting and locks. Though once kept on separate systems, today, BMS are often internet enabled, leaving them open to the same threats as conventional IT systems. Building management systems are also open to abuse because their networks tend to be managed by facilities managers or security guards, often with little background in IT. So, in smart buildings, the threat to physical safety is very real – imagine a hijacked lift or heating system, or perhaps the blueprints of a building falling in to the wrong hands. What is more, the long-term impact of a cyber-attack is later felt by the company that is obliged to compensate tenants, resulting in loss of revenue and brand reparation.
Risk to reputation due to regulation
Reputational and financial damage is one of the key risks for businesses. With many countries implementing new regulation to protect consumers against hacking, companies risk their reputation by not scaling up cyber security to adhere to new laws.
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for all individuals within the EU. The primary objectives of the GDPR are to give citizens back control of their personal data. When the GDPR takes effect, any company that does not have its cyber security up to scratch will face significant fines of up to 5% of global annual turnover. As well as financial penalties, this regulation poses a more general risk to reputation of real estate companies. If their data breached, or if an executive's reputation is smeared through a social media campaign, they run the risk of being dropped by business partners and clients.
As these regulations are finalised, many REC companies are yet to scope out and bring their IT and data processing systems up to scratch. Regulators in the EU and UK have stated that there will be no extension to implementation timelines, and ignorance of new legislations will merely demonstrate a breakdown in corporate governance. Failing to assess cyber security therefore puts company reputation and financials at risk, not to mention huge data breaches.
If you’re interested in learning more about cyber risk, please visit BDO’s cyber risk advisory practice at https://www.bdo.global/en-gb/services/advisory/risk-advisory-services