Russian Aggression Could Mean Cyberattacks on CRE Firms

Many firms aren’t normally prepared to deal with malware, and this could be worse.

Before the Russian troops and tanks moved into Ukraine, Microsoft got alerts for new malware aimed at government systems in the besieged Eastern European nation, according to the New York Times.

But to assume that cyberattacks will direct themselves only to government systems and not to companies located in countries that have attracted Putinian ire would be foolish. 

“Overall, real estate companies are maintaining sound cybersecurity practices in the case of traditional systems and data,” Tom Shircliff, a member of The Counselors of Real Estate global real estate group and co-founder and principal of Intelligent Buildings, LLC, tells GlobeSt.com.

But overall isn’t necessarily enough. Last year ransomware attacks threatened CRE businesses, and some examples show the existence of CRE firms that don’t learn. Like the one that fell prey to three different ransomware attacks. 

Shircliff says that Russian cyberattacks have previously aimed at “critical infrastructure, including dams, manufacturing and oil and gas facilities.” Given steps that governments and corporations have taken to isolate the country, a much wider set of targets could come under attack.

Even those that do have reasonable cybersecurity systems may have troubles.

“Real estate companies not only have the vulnerability of back-office data like all organizations but the additional vulnerability of all of the physical systems that control the conditions in the buildings,” Tom Shircliff, a member of The Counselors of Real Estate global real estate group and co-founder and principal of Intelligent Buildings, LLC, tells GlobeSt.com. “The largest vulnerabilities for real estate companies are systems such as HVAC, elevators, lighting, metering, parking, and physical access control. The problem has been building since the 1980s when all these systems transitioned to digital and Web-based systems since this was done by a value chain devoid of IT and cybersecurity skill sets.”

The so-called industrial controllers as well as Internet of Things devices intended to provide status information and receive instructions over an Internet connection weren’t originally designed with security in mind. Some may be particularly vulnerable.

With physical systems potentially vulnerable, the risk profile changes for the worse. “Problems can include issues such as life safety, financial loss, insurance gaps, network hopping, equipment damage, all which can be devastating to a company’s brand and reputation,” Shircliff says. “As to the insurance, building system cybersecurity is generally excluded in property and casualty, general liability and cyber riders.”

A CRE company should consider an immediate cybersecurity assessment and then undertake necessary remedial steps, although the process can take significant time to put into place.