3 Ways CRE Companies Are Taking Cybersecurity Into Their Own Hands
Last month, Facebook CEO Mark Zuckerberg traveled from his home in Palo Alto, California, to Washington, D.C. The 34-year-old entrepreneur’s journey across the country was prompted by the Cambridge Analytica data scandal, where data from millions of Facebook users was leaked to the public. Zuckerberg testified before half the U.S. Senate for over five hours.
For those who understand cyber risk, this data scandal proved frightening, but unsurprising. In 2017, there were 1,579 publicly disclosed data breaches, and business organizations accounted for 55% of the breaches. As information becomes more readily available, businesses must now prioritize data security.
RSM US LLP, in partnership with the U.S. Chamber of Commerce, recently reported that middle-market leaders recognize they are a growing target for cybercrime, but might not be investing enough to protect themselves against potential attacks. The number of middle-market companies reporting breaches has nearly tripled in the last three years, yet most executives remain confident in their existing data security measures and investments.
Here are three things commercial real estate businesses can do to prevent a data breach from happening.
1. Protect your data
When it comes to data, words matter. Data security and data privacy are terms often used interchangeably, but they are not synonymous.
“Security refers to the act of designing and implementing governance and technological controls around the confidential information and assets that your organization values most,” RSM U.S. Director of Southeast Security and Privacy Charles Barley Jr. said. “Data privacy, on the other hand, are the rights and obligations of individuals and organizations with respect to the collection, use, disclosure and retention of personally identifiable information (PII). These terms are intertwined, but they are not the same.”
Barley leads RSM’s Southeast region Security, Privacy and Risk practice, where he and his team assist organizations with defining and implementing an information security program based on their internal requirements. RSM also advises data-rich organizations on designing a data privacy information handling practice that adheres to domestic and international regulatory expectations.
In April 2016, the European Union introduced the General Data Protection Regulation, aimed at harmonizing data privacy practices for each of the 28 member nations. This legislation requires global companies to take additional measures to design a privacy governance structure and corresponding controls to protect PII belonging to EU residents.
“We likely will not see the United States define a domestic version of GDPR anytime soon, but several commercial real estate companies will be impacted,” Barley said. “Any U.S. or global company that processes, stores or transmits PII of its EU residents that are customers or employees will eventually need to comply with this regulation.”
2. Focus on mobile security and vendor management
Commercial real estate has invested in new property technology over the past few years, and that means more user data may reside off-premises and with a cloud service provider. To streamline the leasing process, emerging property technology platforms offer tenants an opportunity to pay rent or sign a lease online or through a mobile app.
Some property managers have also introduced tenant engagement platforms like Skyrise to help tenants make the most of their space. This new technology allows property managers to share specific documents or files, chat with tenants and create property-specific events. These apps hold the key to confidential tenant information, so it is important for property owners and managers to understand the security risks at stake.
“The moment you extend your environment to a connected device or third party is the moment you extend where your information is held, so you need to understand how to monitor this data effectively,” Barley said. “In order to ensure this information is secure, owners and managers must also focus on protecting the physical environment and defining proper vendor management practices.”
Several companies within the hospitality sector have brought their physical security systems into the digital space. Many leading global hospitality companies like Marriott and Hilton, for instance, now allow guests to check in via a mobile app and use their iPads or mobile devices to access their rooms. While this concept provides a simplified alternative to a standard key, it can also present a security risk should guests lose their devices. This means a criminal can gain access to not only a guest’s phone, but also other physical belongings in the room, if effective information security controls have not been deployed.
To mitigate this issue, Barley recommends implementing additional processes that put boundaries around the physical and digital environment.
“Property managers and companies need to figure out what assets their tenants and customers hold dear,” Barley said. “Once they understand these needs, they can implement the necessary security systems.”
3. Invest in additional resources
To implement systems that make data more secure, commercial real estate companies have begun introducing a new role into their C-suite. For many CEOs, chief operating officers and chief financial officers, security can seem like a foreign language. A chief information security officer, or CISO, leads information security risk management efforts to help a company identify protection goals and manage the implementation of its security requirements. The CISO is primarily responsible for protecting a company’s information and information assets.
While CISOs can add value to a company, they will not solve the company’s security problems without executive-level support and employee accountability. All employees have a responsibility to be aware of and protect against these threats. One mistake can cost a company its reputation and its clients.
This feature was produced in collaboration between Bisnow Branded Content and RSM US LLP. Bisnow editorial staff was not involved in the creation of this content.