In 2021, there were two well-publicized ransomware attacks in the U.S.: a breach in May on the Colonial Pipeline, an American oil pipeline system, and a June attack on JBS S.A., a Brazil-based meat processing company. Held hostage by the cyberattacks, both firms were forced to give in and pay the multimillion-dollar ransom demands in order to restore their systems. These events brought national attention to the threat of cybercriminals scheming to hold major firms’ business operations for ransom.
Real estate managers may not see a strong resemblance between large industrial or agricultural businesses and their areas of day-to-day responsibility, but the danger of a cyberattack is no longer something that can be ignored. Cyberattacks pose serious financial, reputational, and property risks that should be addressed—no matter the size of the individual property or company portfolio.
Jeremy Rasmussen, chief technology officer for Abacode, a cybersecurity firm based in Tampa Bay, Florida, offers an unflinching description of the cybercriminal enterprise. “I gave a talk at a conference recently about the Conti ransomware group, which is one of the most active groups and operates out of Russia,” Rasmussen says.
“They collected about $180 million in ransoms from companies last year. Many of these ransomware groups say, ‘We’re just going to attack these greedy U.S. corporations,’ but the guys in Conti have no ethics, if you will. They go after hospitals, they go after nonprofits, they go after schools. They go after first responders. Conti even recently affected the entire country of Costa Rica when it was transitioning between governments after an election. They slowed down the transfer of power for months because they had the entire governmental communication system locked up.”
Rasmussen reports that some of Conti’s internal workings were revealed because of geopolitical dissension within the group related to the Russian invasion of Ukraine. These hackers “posted Conti’s private chat communications, tools, and everything else they could to the internet,” Rasmussen says. “So, over the last few months, we’ve been studying the inner workings of one of these criminal ransomware groups, and we’ve seen exactly how they operate. It’s just like a business. They have labor, management, researchers, engineering, marketing, sales—they even have ‘employee of the month’ awards.”
Property managers need to work closely with their information technology (IT) professionals to understand where weaknesses might be found in their digital systems. The most obvious place to start is with computers and networks used for facility, tenant, or client management. Managers must also evaluate any smart building systems that are running, such as HVAC, lighting, building security, and others. Any hardware or application used by a computer, laptop, tablet, or phone can offer an entry point for hackers.
Charles Meyers is executive director of the Real Estate Cyber Consortium (RECC), a nonprofit that advises real estate owners and managers on cybersecurity preparedness. He offers a bit of historical context on how computer systems management was once handled in real estate.
“Ten to 15 years ago, it was a badge of honor to run systems that were out of warranty,” Meyers says. “There was almost a sense, from a property or facilities standpoint, that doing so was a part of managing costs effectively, because you no longer had to pay for warranties. That worked until those apps running on Windows 7 or Windows XP were out of compliance, as those basic operating systems could then no longer be patched.”
The problem became more involved as physical devices and software systems approached their end of life, says Meyers. If a program was out of compliance or could no longer receive routine maintenance, all systems to which it had been connected also had to be replaced or upgraded.
In the years since, many property management companies have tightened up some of these obvious lapses, but there are still gaps that can be exploited.
The way in
Olive Morris, federal technology policy representative for the National Association of REALTORS® (NAR), heads the 40-member NAR Technology Policy Committee, which covers federal public policy related to technology. She agrees that the threat to properties large and small is concerning. “While most data breaches you hear about in the news are of large companies, small companies are still at risk,” Morris says. “Cybercriminals see small businesses as easy targets that are less likely to have comprehensive cybersecurity protections.” She points out that businesses with fewer than 100 employees are three times more likely to be targeted by cybercriminals than larger companies, according to a 2022 report from the cloud security company Barracuda.
“The majority of breaches that occur are related to phishing exercises,” Morris says. “The classic example is someone within the company clicking on a text link, an email link, or even a website that will embed some kind of vulnerability in their systems. Any click from your desktop can open a hole in your corporate network, enabling a criminal to gain access.”
Once cybercriminals establish a foothold, they can open a back door to their command center, scan and assess your network for vulnerabilities, and then determine how to move laterally among your systems seeking to exfiltrate and encrypt valuable data, Meyers continues. “So, it’s not just that your building management system (BMS) could be breached or taken down, but there could now be an opening into your HR system or your corporate network,” Meyers says. “You may think your building or system is too obscure to be of value to a criminal, but that foothold has value.”
For many organizations, adjustments made in response to the COVID-19 pandemic have had unforeseen repercussions. As Rasmussen points out, cybercriminals can exploit incorrect settings in remote access software that managers and staff use to connect to their work desktops from home, pointing to an example from 2021 in Tampa Bay. “Somebody at the Oldsmar water plant saw the cursor on their screen start moving in the middle of the night,” Rasmussen says. “A hacker had come in and was changing the sodium hydroxide levels of the water supply to 100 times normal; they were poisoning the water supply. The company was able to rectify that change quickly. But they later figured out the hacker had gained access through misconfigured remote access software.”
Understanding the risks
“For example, a few months ago, Weichert Co. was fined $1.2 million by the state of New Jersey for failing to provide ‘adequate cybersecurity safeguards,’ which resulted in unauthorized access to its network,” Morris says. “The company was also required to implement new security protocols and retain a third-party cybersecurity auditor to ensure compliance. In their lawsuit, the state of New Jersey cited the lack of antivirus software and multifactor authentication as breaking the state requirements for adequate cybersecurity.”
Morris adds that laws in each state vary widely as to what liability a company could face if it fails to protect sensitive data, such as tenant financials and social security numbers, which, if compromised, could expose an individual to significant harm. (See box below for additional information.)
Like the other systems a property manager is responsible for, cybersecurity is now a big item on everyone’s plate. Managers new to taking on this responsibility should work as closely as possible with IT and operations personnel at the site level.
- Study and implement best practices. There are excellent resources available for best practices around cybersecurity. The federal body establishing standards in this area is the Cybersecurity and Infrastructure Security Agency, or CISA. Their website has a guide for those who want to understand how to approach their organization’s cyber hygiene. Also, check the cybersecurity framework from the National Institute of Standards and Technology (NIST). For something tailored to real estate property management, check out the best practices guides from the Real Estate Cyber Consortium.
- Hire a third-party firm. Even though your IT team may be doing a great job, it’s best to have someone outside your company independently verify that everything is secure. Rasmussen, who is also an adjunct professor at the University of South Florida, puts it this way: “I don’t let the students grade their own papers.” Look for a firm familiar with real estate and property management, so they will understand the kinds of systems you should have in place.
- Check any alerts and respond quickly. If you’ve installed a security system, such as a security information and event management (SIEM) or extended detection response (XDR), it is vital to check it continuously—not just during normal working hours. Then make sure that any security patches are up-to-date.
- Train all users and staff on security protocols. Because antivirus software doesn’t protect against phishing, all users on a system must be trained to spot fraudulent texts and emails that could expose your system to malware.