Complacency – the biggest cyber risk to Real Estate

Published on Mon, 04/01/2016 - 00:00

News stories of cyber attacks invariably cover anarchist groups, techies or geeks holed up in their parents’ lofts, motivated by their moral or political views. Successful attacks cannot happen without these geeks and technology, but the threats faced by corporates are often largely for financial gain and not always in a form you may expect. Organisations of all sizes should take a fresh look at their cyber-vulnerabilities and assess whether they might be a victim or bystander, says Peter Armstrong of Willis.

Open Access Property?

As property becomes more open – in terms of the footfall, how operations work and the transactions within buildings – risks are created. Cyber-attacks vary widely and are not always ‘data leaks’; at every boundary (for instance, security doors), there are different vulnerabilities. In addition, with much talk about the ‘internet of things’ – the means by which all manner of everyday devices are controllable through wireless and other networks – companies need to remember that they are only as resilient as the weakest link and that may be in their supply chain.

The prevalence and the increased adoption of building information modelling (BIM), particularly in the context of the construction and renewal of buildings, represents a very rich source of information for those who might want to attack. A recognition of how the infrastructure hangs together is all that is required. It does not matter if the main database is tightly controlled if the third-tier contractor responsible for the air conditioning has not updated its default password. Motivated hackers can get in through the slightest crack and the results can be devastating; when reflecting on what constitutes threat and vulnerability, the viable processes through which the attackers can get access are critical.

Could you be a bystander victim?

Another important concept to understand is that a company can be a victim without being the target. Consider a scenario where an organisation has an incumbent third party facilities management provider. The contract is coming up for renewal and they have decided to run a competitive bid process. A competitor to the service provider could choose to attack the organisation receiving the services through a channel for which the incumbent has responsibility, the purpose being to destroy the reputation of the incumbent and to give the competitor a better chance of winning. Under these circumstances, the organisation tendering the contract becomes the victim, whereas the target is the incumbent service provider.

When considering the level of threat posed to an organisation, it is dangerous to assume that the attackers will always be targeting an organisation specifically and directly. A variation of this is what happened in late 2013 to Target, the US retailer: hackers attacked the third-party air conditioning contractor in order to get access to Target’s systems. You may not be the target, but may well be the victim and bear the cost in legal, financial and reputational terms.

Real estate vulnerabilities

The issue with cyber vulnerabilities in the context of real estate is broadly less about the technology and more about the environment in which that technology is deployed, as well as recognising and understanding the various ways in which people can take advantage of it.

Where a shopping mall or office block has thousands of people inside it, anyone could become a target. In coffee shops or public Wi-Fi hotspots, where around 40% of people conduct public mobile banking, a simple $350 application bought on the dark web could capture the user credentials of the devices of everyone who logs on. This gives criminals all they require to conduct mobile banking transactions with an individual’s bank account.

With an increasing focus on mixed-use schemes, where retail landlords are including more leisure amenities and promoting public Wi-Fi, these threats have to be seriously considered as part of the total exposure.

The Quantification Challenge

For every other risk in a portfolio, the exposure is first quantified before making an informed decision about the best deployment of capital to balance risk mitigation, retention and transfer of risk. For cyber this isn’t the case. Instead a ton of money is spent on consultants and technology, at the end of which the Financial Director still can’t quantify the residual cyber-exposure. The probability of someone falling off a building can be modelled with a mathematical programme; however, the difficulty with cyber is that there is a strand of intent that overlays the probability model. That part of the challenge requires meaningful vulnerability scenarios.

Avoid Complacency

Companies must not get complacent - even the most secure in the business are still losing out to cyber-crime, as retail banks demonstrate every day. And being a small company or non-consumer facing does not preclude businesses from being a target – they may well be a route into something more attractive.

Working through the risks up front, quantifying their impact on the total exposure and, crucially, having a point of authority on the board to oversee these processes, can at least inform the risk affordability balance or total cost of risk (TCOR) decisions. However, the biggest risk companies with real estate face in relation to cyber risk is complacency.

 

Peter Armstrong is Executive Director Cyber, Willis Group, peter.armstrong@willis.com
