For every new technology designed to simplify lives, there’s a potential risk or ramification.
And the increasingly tech-forward and connected world of real estate is no exception.
According to new research from KPMG in Canada, real estate companies are seriously lacking in the cybersecurity department. Nearly 80% of the country’s real estate companies don’t monitor technologies that support critical building operations to ensure these systems can’t be hacked. Yikes.
The alarming research comes at a time when most real estate companies now build smart tech into their buildings to monitor, manage, and maintain everything from heating and lighting to elevators, power meters, and fire alarm systems.
A survey of 17 of Canada's biggest publicly traded and privately owned real estate organizations, representing more than $160B in real estate assets, revealed the staggering figure: 78% of these companies don’t proactively monitor their operational-technology (OT) network or devices for cybersecurity threats or vulnerabilities.
Furthermore, half (50%) don’t have an inventory of their OT assets, and about a quarter (22%) have an inventory that’s incomplete or not updated regularly, according to the research. Meanwhile, 22% have only inventoried critical OT assets and the remaining 6% have catalogued them for procurement purposes only.
Patches, a key control for resolving new vulnerabilities, are rarely applied, and usually in an ad hoc manner. Of those surveyed, 72% apply OT patches in an ad hoc manner (50%) or have never applied them at all (22%). What’s more, 89% don’t regularly report the cybersecurity readiness of operational technology to the board; 83% have segregated their information- and operational-technology networks; 66% have cyber insurance to support recovery efforts; and 50% haven’t tested or are only in the planning stages of testing their overall cyber incident response capabilities.
"Smart or intelligent building technology is commonplace in the industry today and holds many benefits, but it also comes with risks that could result in significant health and safety issues," says Tom Rothfischer, Partner and National Industry Leader for KPMG in Canada's Building, Construction, and Real Estate practice. "It is critical that these measures are built into their systems right up front. But the reality is that most companies now find they are playing catch-up to seal the security gaps."
The research found that most real estate companies have a cybersecurity program, with the majority having very small in-house teams responsible for key cybersecurity activities. However, their roles and responsibilities aren't clearly defined. And, while the board is regularly informed on the organization's information-technology posture (that is, the ability to predict, prevent, and respond to cyber threats or attacks), they are not kept up to date on the OT posture.
In fact, only about 10% of companies report on their OT security posture or OT readiness.
On the bright side, the research revealed that the majority (83%) have segregated their information and operational technology networks, reducing the risk of cyber attackers moving between networks.
"This is an important first step, but it can't be the only step," says KPMG's John Heaton, a cybersecurity partner. "OT and IT networks typically do not have the same protection mechanisms. As well, many OT devices run on older versions of software that are no longer supported. The last thing you want is for attackers to infiltrate and insert malicious code into your systems to modify or take over the controls and cause a malfunction."
According to KPMG, real estate organizations should expand their IT cyber posture to include operational-technology risks, add board members with IT or cybersecurity experience, and clearly define and implement internal and outsourced cybersecurity roles and responsibilities. These companies should also incorporate OT into cybersecurity programs, including identifying critical assets, regularly reporting on threats and vulnerabilities and actions taken, and defining roles and responsibilities between cyber and OT operations teams.
They should also take inventory of all information- and operational-technology assets to monitor and identify cybersecurity vulnerabilities and patching needs. According to KPMG, it’s essential to monitor IT and OT networks, devices, and assets for cyber threats or attacks, particularly where vendors do not provide regular patches or updates for cybersecurity vulnerabilities. Finally, Canada’s real estate companies should perform regular cybersecurity tabletop exercises, including for ransomware and phishing emails, to validate incident-response processes and accountabilities and ensure they are clearly understood.
The bottom line is that the industry-changing technology isn't going to go anywhere. So, it only makes sense to proactively adapt and put property security systems in place before it's too late. The real estate industry is dramatic enough without adding hackers to the equation.