The Hidden Cybercrime Threat CRE Businesses Must Understand
Owners and operators can’t simply wish or insure the problem away.
Commercial real estate companies are not typically on the forefront of using technology. Last year, it was clear they weren’t leaders in cybersecurity either. Attackers had already been targeting real estate companies for at least a few years and many continue to be unprepared.
According to JLL’s property management group, Red Bison Technology Group, and Aon, there are three areas where building owners frequently have misperceptions. “[T]hey must fully understand the risk of Information Technology and Operational Technology (IT/OT) threats, why comprehensive cyber insurance is necessary to protect against catastrophic loss and how to meet minimum compliance and cyber insurance requirements,” the companies said.
IT threats are found on computer systems and networks. Servers, desktops, storage, and the networks the connect them all are included. OT threats, however, are those that endanger the operational areas of a building: HVAC and other energy systems, lighting, controllers in all sorts of devices, and the building network—in other words, the building and its systems, including any smart building technology.
The big problem: attackers can often break into a building’s systems and then move from there into the IT systems. “I frequently have conversations with building owners who remain confused about the risk of OT threats and what is or is not covered,” said Jason Lund, leader of technology infrastructure at JLL, in a press release. “In the past, this lack of understanding was not researched sufficiently by the owner. Unfortunately, the problem has now become too great to ignore.”
At issue is not only how a company can protect its buildings. Many cybersecurity experts lack the necessary experience in the building systems in question. Finding the right consultants and staff that can consider how OT and IT can interact and what security steps are necessary is important.
Also critical is to understand is how OT relates to cybersecurity insurance. This type of insurance has grown in popularity as cyberthreats have become everyday occurrences, not an anomaly that periodically appears in the news. Insurers have restructured underwriting requirements, excluding types of events. “This investigative work can result in insufficient coverage capacity for a buyer if sufficient cyber security protocols are not in place,” the release quoted Joanne Quintal, cyber solutions team managing director at insurance broker Aon.
Depending on the particulars of coverage, policies can have gaps that can leave a company unprotected depending on how the origination of the attack and the nature and extent of implemented protection.