As budget season is in session for most Real Estate companies, Cyber Awareness and Assessment should be at the forefront of business leaders’ minds. Many real estate companies consider Cyber subject matter the responsibility of Information Services and Technology leaders. It is not. It is a shared responsibility that requires collaboration between all parties to ensure that user education and company policy address the subject and set your company’s expectations of Cyber Awareness and Effectiveness for both employees and 3rd Party partners.
As budgets develop, the following items should be considered and included to enhance and solidify your company’s Cyber posture:
Cyber Awareness Education – If a Cyber Awareness Education program is not implemented in your organization, establish a budget for adopting a service that provides an education platform. Most companies that already use a Cyber Awareness Education program perform education and testing only once a year. The industry consensus is that education, and assessment of how well it is retained, should occur at least quarterly, given the ever-increasing threats and their complexity. Consider increasing the budget to perform quarterly campaigns. An aware and engaged workforce is the best ROI in any cyber budget.
Policy Development – Most Real Estate Owner/Operators/Managers do not have formal policies and procedures focused on Cyber Awareness/Education or Cyber Response/Remediation, especially at the property level. The following are essential policy and procedure documents that are assessed and expected by insurers, investors, and government agencies (State and Federal):
o Incident Response Plan
o Written Information Security Plan
Cyber Maturity Assessment – Assessments are now a requested and expected element of a company's control and governance platform. Auditors, insurers, and investors (private and public) are increasingly requesting proof of Cyber Maturity based on NIST (National Institute of Standards and Technology) or CIS (Center for Internet Security) standards. These standards are considered the benchmark for comparing Cyber maturity across industry members.
Building System Technology Assessment – Operational Technologies (OT) are the most vulnerable systems, and the ones least often considered as something Cyber actors can access and control. Every day, threat actors are looking for these vulnerabilities, and exploiting them can and does place the safety of tenants and residents in danger. Access to OT systems impacts Fire and Life Safety, Elevators, Lighting Controls, HVAC (Heating and Cooling) Systems, Cameras, and Access Controls. Any breach of these systems could effectively shut down the property for an undetermined amount of time.
Virtual Chief Information Security Officer (vCISO) – Whether you have a dedicated CISO role or not, all companies can benefit from the advice of an outside expert. A trusted partner with a vCISO offering provides expertise, leadership, and partnership for your organization to establish a relevant Cybersecurity program.
Security Operations Center (SOC) – Most real estate companies are not staffed to deal with the enormous amount of threat intelligence, much less investigate every potential threat. A SOC service provides preemptive and continuous monitoring of your company’s core and building networks to further protect against threats. Providing around-the-clock detection, response, and containment services helps lower your overall risk profile.
Again, the development of the Cyber Awareness and Assessment budget should be a collaborative effort amongst business and technology leaders. Trying to save a few thousand dollars on cyber initiatives could result in losing millions of dollars through a cyber incident. Further, reputational risk, both tangible and intangible, is an aspect of cyber security that is often overlooked. Value engineering cyber out of the annual budget is akin to excluding security systems from the core building specifications. 5Q’s cyber expertise helps identify programs for all elements of Cyber Awareness and Assessments.