Intelligent buildings mean the opportunity for cyber-attacks in the real estate industry has grown.

High-profile corporate attacks have hit the headlines in recent months, exposing the ways in which the property industry is vulnerable to security breaches through everyday systems such as air con and CCTV. And the Internet of Things (IoT) is creating more opportunities for hackers.

The Internet of Things will hit the mainstream by 2020.
Image: Statista

Fishing, vishing, crypto-viruses and ransomware – these all pose huge threats to corporate security if they’re not adequately secured and professionally managed, says JLL EMEA’s Chief Information Officer, Chris Zissis.

“I believe cyber-crime will focus more and more on IoT because it’s a lot more accessible than say SAP or other technical systems. The challenge for IoT security is the same as for any web-enabled technology, such as a smartphone,” says Zissis.

“Property owners and their tenants must do three things: understand the sort of data IoT generates while it monitors and safeguards buildings, work out which data is of value, and get solutions put in by leading security experts to secure that data.”

When security is breached, it’s costly. IBM’s 2015 study on how much a single data breach costs a company put the figure at US$4 million on average per company. And these costs are likely to increase with many more countries adopting statutory requirements for remediation if data protection is deemed inadequate. Where property portfolios are spread across several countries, corporate real estate (CRE) may find it has to comply with multiple mandates.

Then there’s regulatory liability. Not only can hackers steal financial data, but they can steal other kinds of data as well—including consumer’s personal information. In the United States, for example, theft of medical information means the property owner could face a HIPAA (Health Insurance Portability and Accountability Act) violation if a medical office or health insurance tenant is compromised through the building system.

“Laws are becoming much stricter with regards to how companies protect consumer information,” says Edward Wagoner, Chief Information Officer, JLL Americas. “In some countries, your name, email, phone number and physical address are all considered private information and any unauthorized release of this data is against the law.”

Building management systems

Like Cloud, web and mobile, IoT generates both a lot of data and a lot of access. Through its everyday use in intelligent buildings, it merges technical and physical security.

No longer are building management systems segregated from conventional IT networks, such as servers, customer relationship management and online payment systems.

Consequently, systems controlling air con and heating, CCTV and fire alarms, can be hacked to provide entry to data and sensitive information. And vice versa, email or mobile phones can infiltrate the programming of a building’s locking and lighting systems.

Moreover, when hackers attack multiple systems interconnected across several properties, they can gain entry to a host of locations and data.

“CRE needs to realise cyber security is not just an issue for the IT department,” adds Zissis. “It’s not just about safeguarding ‘the perimeter’, as I call it. Everyone needs to be accountable for cyber security. “How people use technology, manage individual buildings and manage investment portfolios directly affects the levels of risk to businesses.”

Reasons behind risks

Potential causes of IoT security breaches point to where education and due diligence are acutely needed.

For instance, facilities managers rarely come from an IT background. Systems themselves have often been designed, supplied and maintained under commercial contracts without cybersecurity protection ever being a top consideration.

Vendors and products are not continually assessed on their cybersecurity. Landlords often fail to fully examine buildings management systems contracts to check who can access data generated, possibly resulting in data breaches that contravene commercial agreements with tenants. Instead technical functionality is often considered the most important criterion.

In addition, often systems operate on legacy technology and the information about how they run is open-source and easy for anyone to access.

Zissis believes real estate firms and CIOs need to put massive education campaigns in place. “Reaction and speed of reaction to any security breach is really important so you need awareness upfront,” he says.

“People need to be able to interpret tell-tale signs that something may be wrong and immediately shut down avenues of entry. This applies to both mobile phones and IoT in the exactly same way.”