SAN FRANCISCO—The commercial real estate (CRE) industry is in the midst of a transformation. The influx of big data and the ubiquity of information have contributed to the rapid adoption of CRE software services. According to Deloitte, investment in real estate tech startups recently hit $33.7 billion, up from $2.4 billion in 2008. Yet with more data—and more value at stake—come new risks.
Critical deal information, financial models, tenant information and proprietary research are valuable resources in the CRE industry. Everything from a simple oversight to a sophisticated malware exploit could prove costly. BNP Real Estate, for instance, recently got hit by a particularly virulent strain of ransomware that caused significant downtime.
Whether it be from careless handling of data or malicious activity, these risks can compromise transactions, or worse, irreparably harm the company's returns and reputation as a professional and trustworthy fiduciary.
To protect data assets and deliver the enterprise risk management that modern institutional investment requires, these 10 items should be top-of-mind:
- Establish appropriate access rights
Access privileges should be clear, standardized, and managed intentionally. Privileges beyond the purview of an employee's function and responsibilities introduce risk. To benefit from collaboration without sacrificing security, you should put careful thought into how access rights will be granted and maintained.
- Enforce proper authentication protocols
To help ensure that people are who they say they are, and that corporate access is up to date, there should be a strict user authentication process in place. In particular, two-factor authentication, strong passwords and single sign-on (SSO) are effective best practices. These protocols are a crucial line of defense against malicious actors attempting to access sensitive data and against unintentional delays in updating systems to reflect corporate changes.
- Maintain an audit log
Even with the appropriate access rights and a robust authentication system, the accountability of knowing who did what, and when, is a valuable tool. Accidental changes, purposeful transmissions, and regular operating activities are all captured, thereby reducing moral hazard, enabling better identification, and improving remediation protocols.
- Keep diligent records with a data retention policy
Whether you're subject to FINRA compliance or not, data storage is cheap and historical information can be very valuable in a variety of common situations. Create a data retention policy and enforce it or risk hefty fines, disciplinary actions, missed insights, and lost value.
- Have a documented disaster recovery plan
Companies need to equip themselves with a recovery plan in the event of a data breach or critical data loss. To take a proactive stance, automated system availability, network monitoring, incident response protocols, and communication procedures should all be in place – well before they're needed.
- Leverage redundancy in data centers
Distributed data centers across multiple regions allow firms to remain resilient in the face of system failures, natural disasters, or other worst-case scenarios. By outsourcing to professionally maintained and distributed data centers, firms can protect their data without having to worry about logistics such as system maintenance and compliance with location-specific requirements like the EU Data Privacy Directive.
- Secure physical locations of data centers
As more companies move their data to the cloud, they can take advantage of secure data centers rather than on-premises server rooms. Physical access to these data centers should be strictly controlled, with a professional security staff, video surveillance, and intrusion detection systems. Other considerations, like climate control and two-factor authentication for staff, should be accounted for as well.
- Encrypt data at rest
Encrypting data at rest is a critical aspect of a comprehensive enterprise security strategy. A secure data storage provider should have SOC compliance and meet industry standards with 256-bit (bank grade) encryption.
- Encrypt data in transit
Data being transmitted across the internet or a local network must also be encrypted at all times. Industry best practices recommend that all data in motion be encrypted via 256-bit (SHA2) TLS certificates and the connection itself should be encrypted via HTTPS, SSL or FTPS. In addition, companies should implement network security controls such as firewalls and endpoint solutions to protect data in motion from malware and exploit kits.
- Conduct regular reviews of data services and security policies
Data services and security policies aren't meant to be static. They need to be reviewed, updated and modified as your company and its data evolve. A regular review of current procedures should be at the core of any sound information and data security strategy.
While the proliferation of data in the CRE industry has unlocked substantial value, it has also created an urgent need: how to structure, secure and maintain a vast amount of data in an industry that historically hasn't had to invest in data risk management and cybersecurity. But with a centralized data management platform, intentional access controls, and robust encryption, CRE firms can mitigate risks and maximize the benefits of their data assets.
Mike Sroka is the co-founder and CEO of Dealpath, a deal management platform designed specifically for commercial real estate investment firms. The views expressed here are the author's own.