Cybersecurity: Fortifying Commercial Real Estate for a Digital World

Cybersecurity vulnerabilities within commercial buildings include Wi-Fi networks, wireless peripherals, card-key access mechanisms, HVAC systems, power supply hardware and portfolio management software.

While the volume of IT-related breaches of buildings systems, such as phishing and malware attacks, remains relatively low, building technologies and systems are becoming more susceptible to hacking by bad actors seeking to shut down entire properties. This has far-reaching legal, reputational and financial consequences, including operational disruption to landlords and ransom demands to tenants.

The accelerated shift to the cloud and increase in remote working since the COVID-19 pandemic has added a new layer of complexity to cybersecurity and placed additional demands on companies seeking to safeguard against attacks.

In response, companies are investing heavily in new information security and risk management technology and services. Business consulting firm Gartner estimates that worldwide spending in these areas reached US$150.4 billion in 2021, an increase of 12.4% from 2020.

Commercial real estate decision-makers have historically regarded the risk of cyberattack as being low, since building systems do not typically host or manage valuable business or consumer data targeted by phishing or malware. However, as buildings incorporate more technology and get smarter, they are becoming more vulnerable to a wide range of cybersecurity threats related to data breaches and ransomware.

Due to the interconnectivity and interdependence of technology systems within the most modern commercial buildings, cybersecurity breaches can impact multiple if not all occupiers within a single property. While landlords usually take proactive measures to ensure buildings stay operational and occupiers are kept safe when systems are under attack, such safeguards may not be completely secure.

The fragmented nature of the commercial real estate industry also underscores the need for cybersecurity systems and polices. Building operations and management invariably involve multiple providers, such as hardware specialists who install and maintain heating, ventilation and air-conditioning (HVAC) systems, and other facilities management providers who may be replaced over the course of a building’s lifecycle.

A robust cybersecurity policy should be based on a thorough audit and assessment of these systems and provide ongoing testing and validation of the building’s security performance and risk profile.

This approach supports the effective lifecycle operations of a building and provides secure access to data and processing across a building’s infrastructure, technology, equipment and systems.

Such an approach involves undertaking a structured assessment of cybersecurity threats, starting by compiling an inventory of all systems and technologies in portfolios. Failing to do so can make it extremely difficult to secure a property and mitigate intrusions.

An unstructured approach to managing cybersecurity threats more than likely will result in cybersecurity breaches of the building and its networks. Having little or no knowledge of the differing levels of protection that are in place in a building across individual systems and pieces of hardware can create considerable risks and vulnerabilities.

The absence of structured cybersecurity policy and standards applied across all building systems leaves room for misinterpretation, increasing vulnerability and exposing undetected points of weakness to cybersecurity threats in both landlord and tenant networks.

By identifying and understanding potential threats and putting in place clear policies to manage building technologies and networks, landlords can reduce many of these vulnerabilities and risks and ensure their portfolios and buildings continue to operate efficiently.

The first stage in devising a cybersecurity policy is compiling an inventory of all building systems to create an asset register. This enables property managers to gain a thorough understanding of all technologies and hardware in an individual property and their potential exposure to external threats.

This process can have immense benefits not only for cybersecurity but also for overall building management and is rapidly becoming a bare minimum requirement for commercial real estate landlords, especially those with extensive portfolios and blue-chip tenants.

Property managers then compile a playbook on how various areas of cybersecurity are addressed across key hardware, such as internet networks, building systems, landlord integration networks and the building’s software system.

Other elements include regular risk assessments and testing. This typically involves creating schedules of when cybersecurity assessments will be undertaken across the smart systems of a building on a regular basis, along with previous reports of cybersecurity assessments that have occurred over the past 12 months.

Effective lifecycle management for hardware is essential, particularly when older legacy properties are involved. Property managers must have measures in place to address issues such as when to replace older hardware and software and the extent to which such actions can mitigate risks. System recovery procedures are also key.

As cybersecurity threats continue to evolve, creating a company culture around cybersecurity via education, training and demonstrating best practice is vital.

With real estate cybersecurity being a relatively nascent area of expertise, CBRE’s approach has been to appoint external cybersecurity assessors with the knowledge to assess buildings, understand threats, mitigate risks and perform remediation. When combined with CBRE Property Management’s expertise, this creates a knowledge base able to assist clients across the entire cybersecurity spectrum.

CBRE believes cybersecurity will play a key role as Environmental, Social and Governance (ESG) considerations are built into every stage of the property lifecycle, from due diligence to acquisitions and from leasing to asset management.

With companies mandating stricter corporate governance policies and reporting, cybersecurity will be a critical tool for companies to demonstrate they are effectively managing and safeguarding data. This will also impact the social element of ESG by providing building occupants with greater assurance that their personal data is protected.

Landlords will also need to improve cybersecurity-related cooperation with tenants as more companies strengthen their own cybersecurity policies to ward off potential threats. With some tenants wishing to capture and store data in the cloud and others wanting to do so on networks they control, this will increase challenges on landlords, such as requiring them to provide separate networks and Wi-Fi signals within individual buildings.

As the risks and complexities around cybersecurity continue to grow, landlords must ensure their buildings are cyber resilient. This will require better education, awareness and training for owners, occupiers and managers to ensure genuine durability against potential threats.

Finally, data likely will emerge as a key battleground in the coming years. This will require landlords introducing cybersecurity systems to ensure data management agreements are signed with occupiers, individuals and other building users.

With smart technologies generating and capturing a huge volume of data, such as internet protocol addresses and information related to people entering and exiting a building, this could potentially lead to disputes regarding ownership of such data, even if much of it is anonymous.

However, CBRE believes many of these risks can be mitigated by putting in place cybersecurity policies that consider governance aspects, such as information flows, and adhere to the relevant data protection laws.