GDPR turned one at the end of May! Its introduction forced companies to consider data, privacy and security issues as part of their daily operations rather than as a nuisance or an afterthought. There is a strong incentive to do so – noncompliance doesn’t just entail potential reputational damage, but also colossal financial punishments (of four percent of an organization’s global turnover or £17.5m, whichever is greater). Despite the positive changes that were forced by GDPR, there is one area that companies, especially those within real estate, are still not giving enough attention: cybersecurity.
A recent study by IBM put the average cost of a single data breach at $3.86 million per company.
With huge fund transfers happening on a daily basis in real estate, the sector has always been a lucrative target, especially due to its relative technological unsophistication. PropTech has seen massive growth in recent years, engendering radical innovation in real estate… but it has also provided fertile ground for ill-intentioned hackers. One area that is potentially at great risk is that of “smart everything”, with IoT-enabled devices connecting HVAC systems, alarms, and even trash cans. The Mirai malware attack in 2016 is an example of the enormous scale of the problem. In this case, insecure IoT devices were targeted, and this caused a massive internet outage on the East Coast of America.
According to Deloitte, real estate companies are struggling to even “have full visibility of all of their connected devices”, let alone think about securing them.
Though the news regularly covers cyber attacks disrupting major companies across diverse sectors (such as DLA Piper and Under Armour), it would be an error to think that, within real estate, this is just an issue for the IT departments of large corporates. Start-ups are at the forefront of the PropTech movement, and so they need to strongly consider both their own internal security measures and their products’ vulnerabilities. This is more than just good business practice; it’s about survival. According to the National Cyber Security Alliance, 60% of small and midsized companies that are hacked go out of business within six months.
So, what do real estate companies and start-ups have to watch out for?
Amongst the most prevalent hacks are BEC (business email compromise) attacks, also known as whaling, spear-phishing or CEO fraud. These attacks use “social engineering” to impersonate a senior figure within an organization, tricking victims into urgently transferring funds in transactions that appear to be routine (such as paying a supplier). According to an FBI public announcement, between 2015 and 2017 “there was an over 1100% rise in the number of BEC/EAC victims” and an almost “2200% rise in the reported monetary loss” in the real estate sector. And there doesn’t seem to be an end in sight, as last year’s figures show that “May 2018 reported the highest number of BEC/EAC real estate victims since 2015”.
I had a chat on the topic with Kevin O’Brien, co-founder and CEO of GreatHorn, a venture-backed cybersecurity company based in Boston. The company has grown rapidly since its launch in 2016, now boasting triple-digit revenue growth.
O’Brien explained to me that email security has had to adapt to changing technology (70% of current email usage is now cloud-based versus only 20% in 2015), and the continued presence of new threats. Previous email security systems focused on tackling spam, malware, and viruses. The new breed of BEC attacks contains no malware, so these messages can bypass traditional triggers, which makes them especially dangerous.
Companies such as GreatHorn claim to have the solution to this problem. GreatHorn’s product is a cloud-native email security platform designed to help Office 365 and G Suite users protect themselves. Using machine learning and data from billions of previously scanned emails, it looks for patterns in order to identify fraudulent attempts. For example, attackers are now able to simulate bank login pages, but GreatHorn’s platform claims to automatically compare these with legitimate pages, blocking access to the fraudulent site instantaneously. In a recent phishing attack on a Fortune 500 biopharma company, GreatHorn claims to have intercepted the threat in 5 minutes when it normally would have taken several months.
As well as BECs, there are countless other threats at large, such as DDoS (distributed denial of service, where a malicious attack attempts to make a server or a network resource unavailable), MITM (man-in-the-middle, where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other) and 0-day attacks (zero-day is the threat of an unknown security vulnerability in computer software).
Awareness of the array of threats currently in existence is the first step in protecting one’s company against cyber attack. To tackle these threats, experts agree that a multipronged approach is needed. Thus, companies must train their personnel on the topic of cybersecurity and responses, document robust operational processes, and also invest in technology such as access control, antivirus, and other cybersecurity services. As the real estate industry starts to embrace tech as part of its daily operations, the security element cannot be ignored.