The recent cybersecurity attack on logistics giant Toll puts the issue front of mind for business across the board. So severe was the havoc created by the ransomware attack, it wouldn’t be surprising if many companies now felt compelled to make cybersecurity their top priority - thinking if it can happen to an enormous entity like Toll it can happen to anyone.

The hacker’s concept was simple enough – cause maximum distress by locking up Toll’s files and systems then demand a ransom for their release. Toll was forced to dismantle its delivery and tracking systems and unable to inform customers where parcels were, creating a lengthy and widespread period of disruption.

The case has highlighted existing concerns about the preparedness of industry in general. Cyber experts have been warning almost all sectors lag behind in building sufficient barriers against cyberattack – commercial real estate (CRE) organisations included. Legacy systems run on old tech are a big part of the problem, and while most companies are in the process of modernising their IT, they still make easy pickings for highly skilled cyber criminals. When the attackers hit Toll, for example, it was amid a $400 million two-year transformation of its tech involving the consolidation of up to 600 systems under a sole Oracle platform.  

 Heed the warnings

CRE organisations are being warned to take heed. Deloitte consulting listed prioritisation of cybersecurity one of the five major trends affecting the industry in its 2020 forecast, driven by the fact CRE companies have access to more information and data than ever but haven’t kept pace with ensuring its security.

Those CRE executives surveyed by Deloitte across the globe (including Australia) considered a decline in company/property valuation, tenant relationship damage, and theft of personally identified information (PII) as the top three potential impacts of a data breach. Smart buildings were also singled out as particularly vulnerable. “…perpetrators can also attack different building systems such as security; life safety; and heating, ventilation, and air conditioning (HVAC), which would be well-integrated in smart buildings” Deloitte found.

Chris McLaughlin, Australian director of cyber solutions for global professional and risk management services firm Aon, is not alone in expressing the urgent need for CRE to wake up to cyber threats.

On the plus side CRE organisations are increasingly employing chief information security officers (CIOs) which indicates a more serious approach to implementing a proper cyber security strategy.

But there is a long way to go.

“In our experience both here and internationally a lot of CRE leaders don’t have a great handle on the internal IT environment and everything that digitisation is bringing their way,” Mr McLaughlin says.

“There has been a historic lack of investment in cyber security and many CRE organisations are still playing catch up with this entire issue. We see many that are relatively early in their strategies and probably doing it ad hoc through IT, not formalised cyber security programs. But it’s particularly important for them to do so as for instance a lot of the technology that is going into the newer smart buildings is relatively complex.”

 Major shift

Aged care facilities are one area becoming more of a problem for CRE organisations, Aon has found. “Health care records which are considered valuable data on the black market and within these aged care facilities there are patrons with superannuation funds and potentially healthy bank balances which makes them a target for cyber criminals. Adequate security needs to be in place as if there isn’t the time between a fraud being committed and detected can be quite a while.”

Commercial property developers are also increasingly being asked by government to meet benchmark standards of care in managing cyber security effectively. “We’re seeing contractual requirements to meet a baseline level of security,” Mr McLaughlin says.

Slow as it may be there are signs of a major shift. Among them is news of The Australian Prudential Regulation Authority this month informing banks they should be prepared for future stress testing exercises to include cyber hacking alongside scenarios of climate change and the more traditional macroeconomic shocks. Stress tests, to become an annual exercise, could model the impact of a major cyber attack or an environmental disaster, as well as severe recession and economic downturns.

Aon advises continually, rather than periodically, reviewing of IT systems for organisations to be in the strongest possible position to assess what they have at stake and their level of cyber exposure.

“Cyber exposure isn’t a concept which only applies to the big end of town,” Mr McLaughlin points out. “Small and medium-sized businesses also need to embrace it and not only for their own benefit – they don’t want to be the weakest link in the supply chain which sees other businesses compromised.”