EY real estate: five ways to safeguard buildings against cyber risk

What’s the business case for doubling down on cyber risks now? 

Physical safety has always been top of mind for real estate developers and organizations. Whether securing office towers in a downtown core, shopping centres in suburban areas or condo buildings in growing neighbourhoods: spaces must be fundamentally safe for people to make the very most of them. That said, as people — and the physical buildings where we interact — rely more and more on virtual technologies, the threats real estate leaders face are becoming invisible.

Imagine hackers breaking into the networks that drive elevators, fire alarms or just about anything else that serves customers and employees in a shopping centre. Picture bad actors working their way into high-tech smart homes, only to wreak havoc by stealing personal data from a new homeowner. These risks become increasingly relevant as the technology we use to reimagine real estate creates new vulnerabilities.

This reality is absolutely challenging. Still, it’s not all doom and gloom. Like any problem, stakeholders ultimately remember how you rise to a challenge. Doing it well can strengthen consumer trust and bolster corporate brands.

We know that putting customers at the centre of an operating model that’s grounded in digital trust tends to give people the confidence to visit, interact and share data with businesses more willingly. That fuels a real estate organization’s ability to gain the deep human understanding that drives better customer experiences. It also allows a business to create the kind of long-term value that many stakeholders — from customers to investors to regulators — have come to expect from the brands and organizations they choose to work with.

Going even further to mitigate or eliminate risks before they do any damage can change the consumer narrative altogether. It’s all about perspective.

How can real estate organizations get ahead of cyber risk? 

1. Identify critical assets early and often. Mitigating cyber risk effectively begins by understanding where and how you are exposed. Real estate organizations need updated inventories of which assets are critical. And they need to refresh those lists regularly as projects evolve, buildings open and new technology comes into play. Include any asset that is critical to the function of the space itself. This framework then becomes your guide to strengthening priority areas against potential cyber hacks.
2. Align assets and operations in a seamlessly integrated plan. Join up critical asset maps with insight into who owns those respective areas. Be sure to highlight the links between operational and IT tools and teams so everyone understands who is responsible for what, where, when and how. This insight empowers the entire organization to maintain a proactive cybersecurity approach, as well as crisis plans that can be enacted quickly to resolve issues as they arise.
3. Weave cybersecurity into enterprise risk management. In the past, operations teams determined what was important from the risk perspective. But cybersecurity can’t live in a silo. Technology — and the threats it brings — are changing too quickly for that to work. Instead, weave cybersecurity into the organization’s broader enterprise risk management system and processes. It must live there in the framework to ensure everyone understands what’s happening and can mitigate vulnerabilities accordingly. This is how you start to embed shared responsibility for cybersecurity in the fabric of the organization and its physical assets to embrace a true security-by-design approach.
4. Set clear controls. Regulatory changes are an important trigger for updating controls. Still, real estate organizations must maintain an ongoing focus on controls, even when nothing new is happening from a regulatory standpoint. Build in processes to gut check which controls are working, and which ones may need additional tweaks, on a regular basis.
5. Double down on due diligence. Cyber risks extend well beyond third parties to fourth and even fifth parties. The more you know about that value chain, the better prepared your organization will be to stop risks as they emerge. Real estate companies need to expand due diligence processes in light of emerging cyber risks. Obligations should be translated out across all contractors and subcontractors. Checks should be carried out on a continuing basis. That brings the need for greater interaction between HR and IT procurement systems. Look into this now. The greatest threat you have is always the one you never knew existed.