A modern IT infrastructure for commercial real estate is more important than ever. According to a study*, 44 percent of the security professionals surveyed say that cyber incidents are the biggest business risk worldwide. At the same time, 80 percent of companies do not have a strategy to protect their property from cyberattacks! Especially due to the advancing digitization of real estate, for example through smart building technologies or IoT technologies, the building itself is increasingly becoming the focus of attackers. Smart building technologies include, for example, electronic access systems, smart meters, internet-based room automation and charging stations.
Attackers use a wide range of approaches against operators. Examples include the well-known phishing to obtain sensitive data, denial-of-service (DoS) attacks that deliberately overload and paralyze IT systems, the active exploitation of vulnerabilities in software applications, and CEO fraud, in which criminals pretend to be members of the management board in order to initiate payments or capture data. The criminals' goals are as diverse as the attacks. While many attacks are purely financially motivated, others are driven by geopolitical interests or pursue activist goals.
Of course, there are a number of security measures and best practices that can be used to increase the security of the commercial property. These include:
Regular training and awareness of the team
Unfortunately, people pose the greatest IT risk. Opening the wrong attachment or entering data on a supposedly genuine page is enough to open the gateway for criminals. Workshops and regular information about current criminal methods can increase the team's awareness of attack attempts. There are numerous external service providers that can support companies in developing an awareness strategy.
Inclusion of IT security already in project planning
Regardless of whether the project is a conversion, a relocation or a new construction, IT security should always be included. Do we need a redundant media supply in order to remain able to act in the event of a crisis? Can an attacker gain undetected access to the company network via an open LAN port? These questions must be answered individually during project planning. It is also advisable to create and maintain a register of digital installations in order to have an overview of all building components relevant to cyber security. On this basis, the most suitable protective measures can be designed and rolled out.
Conducting tours with subject matter experts
Just as fire protection relies on expertise, tours with experts in digital infrastructure are also recommended. These can help to discover operational blind spots, such as unprotected yet critical infrastructure or outdated security architecture.
A regular review of access and rights of service providers
Just as a register of installations relevant to cyber security is recommended, it is advisable to regularly track, check and, in case of doubt, restrict the access and rights of external service providers. This also includes active password management, meaning regular password changes.
Regular tests to uncover possible vulnerabilities
Regular vulnerability analyses and penetration tests help to keep security measures up to date. In a vulnerability analysis, the IT system is scanned in its entirety and checked for known security vulnerabilities. In a penetration test (pentest), a cyberattack on the property is simulated, usually by an external service provider, in an attempt to detect and exploit security-critical points in the system. Pentests differ in their scope and aggressiveness.
*Sources: Allianz Risk Barometer, KPMG Cybersecurity Study / Webinar “IT Security in Commercial Real Estate”, conducted by OHB Digital and Peper & Söhne