The Cybersecurity Risks in Commercial Real Estate

Nate Hoelzen
President, Arizona School of Real Estate & Business (ASREB)


The commercial real estate (CRE) industry may not appear as susceptible to cyberattacks as other industries. This could be because CRE companies maintain less personal information within their technology network. However, let’s explore the current state of cybersecurity in this industry, along with its potential risks and blind spots.

The fact of the matter is this: your company and your clients’ info are potential targets for hackers. These hackers could access personal data via several entry points, or individuals, while the victims are completely unaware of the breach. This has been made easy for hackers because of the interconnected technology that agents and clients use to do business.

This interconnectedness through digital technology is what allows hackers to access information through multiple channels. Everything from using cloud services and web-based transactions to personal and company-issued smartphones and tablets can create access points for these hackers (see graphic below). The company’s networks, HVAC systems, and open Wi-Fi networks also contribute to this vulnerability. And it impacts more than just the company: these building systems tend to interconnect with tenant systems, which leads to the possibility of exposure within tenant systems as well.

Considering the financial security risks, CRE companies are vulnerable because of the amounts of cash on hand for large transactions and financing of real estate properties. These companies express concern over wire transfers facilitating large transactions. In this case, organized criminals, as well as insiders, could be the most likely threats. Overall, these attacks could contribute to major financial data exposure, revenue loss, and personal data exposure.

The prevention of these attacks starts at the company level. CRE companies must consider a multilayer approach to decrease their risk of cyberattacks. In this day and age, cyberattacks are inevitable and can vary in intensity based on the level of exposure.

Having a technology-protective mindset starts at the C-suite of any company. Executives need to first raise cybersecurity as a strategic tactic. This tactic, and its execution, demands the attention of the board and the involvement of senior executive leadership rather than the IT staff exclusively.

These companies must work toward a detailed defensive strategy that addresses current and potential threats. This includes several security layers and redundancies to slow the progression of attacks or prevent them. Detecting these attacks early and signaling their occurrence is paramount to a company’s security. CRE companies need to have reporting systems in place that can automate and analyze their business data and threat indicators across the entire enterprise.

At an employee level, developing policies and frameworks can set the direction and purpose of these cybersecurity tactics. From the top down, emphasis should be placed on illustrating the scope of these threats, the company’s tactics, and possible entry points for an attacker. The employees must feel empowered to make informed decisions concerning the company’s risk management and be able to identify threat-reducing tactics. It takes an entire organization to defend against hackers.