As Technologies Let Buildings Speak, Owners Wonder: ‘Who Else Is Listening?’
Security systems. Connected sensors. Biometric devices. Building owners are racing to implement new technologies that can optimize their properties and bring their occupants a more connected experience.
While tools like virtual assistants and digital heating systems promise energy savings, operational efficiency, tenant satisfaction and financial optimization, they also come with a set of concerns around privacy infringement and cyber risks.
“Hyper-connectivity is a double-edged sword,” said Shahryar Shaghaghi, who leads the cybersecurity and privacy practices at CohnReznick. “A lot of these devices are capturing information — some of which is very personal — and sending it to owners and trusted third parties. But there’s a risk that the same data could be transmitted to unknown locations, without alerting anyone in the network.”
Most of the smart technologies changing the face of commercial real estate are point solutions: technologies that solve only one problem. Because the market for smart devices is still immature, Shaghaghi said, there is little standardization. These point solutions are built to function independently, often on their own dedicated WiFi networks, rather than as a cohesive whole.
As a result, building owners may have a dozen unsecured devices at a single property, each of which shares information and could open a vulnerable back door for hackers to slip in and begin collecting information for themselves.
“As it stands, each of these devices may be its own black box,” Shaghaghi said. “The network protocols are not standard, so owners can’t see what is actually happening with their data.”
A data breach might not initially seem like a big issue. After all, hackers probably can’t do much with detailed information about heating and cooling in a multifamily building. But this entry point could lead to a path of more personal information, such as Social Security numbers and occupant birthdates. If such a data breach came to light, it could damage a building’s reputation and tenant retention.
“Imagine you have a virtual assistant in your home, and you’ve used it to call a ride-share somewhere, or book a vacation,” Shaghaghi said. “Threat actors, which are mostly individual hackers in this case, could take that information and sell it to advertisers to cross-sell you different products.”
This sort of data breach is exactly what new privacy regulations are working to prevent. The European Union’s General Data Protection Regulation, which went into effect in May 2018, requires companies to take greater care in collecting and protecting user information. A bill with similar provisions, the California Consumer Privacy Act of 2018, which goes into effect in January 2020, will have ramifications for all companies that do business in California.
Owners need to examine how their data collection maps against existing privacy laws, Shaghaghi said, then take reasonable steps to safeguard user data, based on their business models. If companies fail to comply with new privacy regulations, they could face severe fines.
Yet the risks of a data breach and the complexities of privacy regulations should not discourage building owners from embracing new technologies. Rather, companies should make it a priority to develop a data privacy program that can help implement the technology, processes and people skills to comply with privacy regulations and safeguard against cyberthreats.
“Your building’s revenue is tied to how you attract and retain occupants, so you can’t fall behind,” Shaghaghi said. “These devices and solutions can differentiate you from your neighbors.”
When choosing smart solutions for their buildings, owners need to do their due diligence by selecting reputable vendors that have invested in data security. Owners should also examine exactly what each solution accomplishes and how it will affect the security environment of the building as a whole.
The best solution, Shaghaghi said, will probably be to build a single gate that controls all of the data that flows in and out of a building. But as a building’s data environment grows, that gate will have to adapt and grow with it. Some vendors provide this sort of gate, known as middleware, in a secured cloud environment today. Shaghaghi said an entire building's data traffic must be designed within a context of a secure enterprise-level solutions architecture model, including risk-based segmentation of the network.
Owners are coming to understand that cybersecurity is not a one-time investment, Shaghaghi said, while solution providers are also taking more care to ensure that their products are able to adapt to the growing and changing landscape of cyber threats.
“These smart technologies are not just shiny objects that building owners embed in their buildings,” Shaghaghi said. “Each device comes with its own value and its own risk. Building owners and operators need to implement tailored solutions for cybersecurity and privacy, which weigh these benefits against the risks.”
This feature was produced by Bisnow Branded Content in collaboration with CohnReznick. Bisnow news staff was not involved in the production of this content.