Cybersecurity has quickly become one of the biggest issues facing business. From hospitals to legal firms, government departments and television networks, cyber criminals are hitting a wide range of targets large and small, crippling many for months.
Last year broke all records for cybercrime. The onset of the pandemic and remote workforces dovetailed with the rise in emerging technologies like artificial intelligence and machine learning to create a perfect storm for cyber criminals. According to cybersecurity technology company Crowdstrike just over two thirds of Australian organisations succumbed to ransomware attacks in 2020 which was 10% above the global average (57%). Of those that fell victim to ransomware attacks, a third paid the ransom, costing each an average $1.25 million. These statistics were higher than any other Asia Pacific region country. (Rate of ransomware attacks in Australia well above global average — report (securitybrief.com.au))
Commercial real estate is no less an attractive target than any other thanks to the enormous amount of data and transactions involved. The trouble is, CRE firms along with many others lack sufficient expertise to safeguard IT systems, leaving them vulnerable to a breach said KordaMentha Partner and cybersecurity consultant Brendan Read.
“The commercial real estate industry is no different to any other industry that might be targeted by cyber criminals,” Mr Read said. “Any organisation that doesn’t implement appropriate mitigation strategies can become a target.”
Fears that an expensive system overhaul is the only solution often hinders companies from putting adequate cybersecurity in place Mr Read said. But such reservations are unwarranted: while a system upgrade may be required, strengthening cybersecurity involves not one single fix but a multi-pronged approach covering numerous factors from staff training to external and internal security as well as tech.
“The key is not to rely solely on technology as a means of protecting your vital company data and systems,” Mr Read said. “Instead, the answer lies in creating a layered defence to your organisation’s security framework. I strongly advise companies not to rely on a single solution – as that solution could become the single point of failure for the organisation – and something as simple as a user opening a malicious attachment or clicking on an embedded link can lead to a major cyber incident.”
Another common belief is that cyberattacks are based only on monetary gain. The majority certainly are, yet some can be motivated by causing reputational damage or disruption to operations. “Organisations need to establish their current cyber risk position and move towards developing a robust cyber response plan to ensure that if a cyber incident occurs they are ready to respond quickly to minimise exposure,” Mr Read said.
Cybersecurity analysts consistently warn of the risks of not establishing even basic strategies:
Should your company data be hacked, every client and business partner may need to be notified. There are also mandatory requirements on organisations to report cyber breaches that meet the notifiable data breaches criteria https://www.oaic.gov.au/privacy/notifiable-data-breaches/when-to-report-a-data-breach/
Goes hand-in-hand with the above. Even if in the case of a breach data is kept confidential, the company concerned could still be tarred by the perception that its own negligence allowed the incident to occur in the first place. Every business partnership from that with investors to tenants is jeopardised and the likelihood of being recommended as a trusted business significantly diminished.
This almost goes without saying. Should your CRE business be immobilised by a cyberattack it will take time to resurrect your IT systems, restore services and normalise day to day operations – all time that could have been spent running your business.
Significant expense to restore systems
Adding to productivity losses will often be significant costs in restoring data and usually hardware as well.
Another very real consideration is being hit with a lawsuit. If a business partner considers a cyberattack to have breached privacy and that of their own clients’ data, then heavy fines can ensue - and standard insurance policies do not normally cover such incidents.
Ransomware developed by cybercriminals is now so sophisticated it has been used to extort the likes of global conglomerates such as Apple. In April this year ransomware was used to break into one of Apple’s third-party providers and steal data about unreleased products and schematics, followed by a threat to publicise information about yet-to-be-released MacBook Pros if an eye-watering $50 million ransom was not paid.
The rise in incidents, not to mention the sensitive nature of data held by commercial real estate agencies, makes the threat of an attack on an agency - no matter its size - a real proposition, Mr Read said. “It is vital for companies to conduct regular health check assessments of their potential exposure,” Mr Read said. “By doing so it increases their ability to identify any high-risk areas and gives them more time to develop appropriate plans to mitigate those risks.”