Are your company systems and data secure? Don’t be so sure. Any organization can—and probably will be—hacked, it’s just a matter of when and how. This is just one of the insights presented at The Counselors of Real Estate’s (CRE) recent annual convention in Montreal by cyber security legal expert Dr. Sunny Handa, Partner, Blake, Cassels & Graydon LLP (Blakes), who teaches at McGill University.
Quoting the former CEO of Cisco, John Chambers, Dr. Handa said, “There are two kinds of companies–those that were hacked, and those that don’t yet know they were hacked.”
With the global hacker economy three to five times the size of the security industry, he urged all business owners and real estate practitioners–regardless of the size of the company–to proactively take steps to secure their company from the financial and reputational damage cyber attacks can cause.
According to CRE’s 2017-18 Top Ten Issues Affecting Real Estate, technology has revolutionized the property industry, with an unprecedented wave of innovation changing the way real estate is bought, sold, and managed. The pervasiveness of hackers–and the threat that internet intrusion presents to businesses, product functionality and homes–makes cybersecurity a top priority for real estate business owners and practitioners.
Cyber Attack Or Data Breach?
Cyber attacks are targeted intrusions into a company’s computer systems. A data breach involves unauthorized access to, use, or disclosure of personal information. Both types of attacks make headlines in the news on a daily basis, most notably when a department store, corporation, online company, or most recently, a credit bureau, has been breached.
Dr. Handa urged the audience of commercial real estate advisors to be aware of the types of IT attacks they or their clients could encounter, including viruses, “Trojan horses,” ransomware, password attacks, phishing, and denial of service attacks–caused when outside entities bombard a company’s server with emails or requests for information, causing system overload, thereby preventing legitimate contacts from reaching the company to conduct business.
Tech Convenience vs. Security
If devices in your company, office building or home are interconnected through a device (“the Internet of Things” or “IoT”), Dr. Handa advises caution. He explained there were more than six billion interconnected “things” in use in 2016–such as lighting systems, company computers and printers, HVAC, even medical devices. Intrusions are much more frequent than expected: an interconnected-device attack takes place every two minutes. This pits convenience against security–95 percent of large companies have been targeted by malicious traffic, and 65 percent of organizations that were attacked say the attackers evaded existing preventative security tools in place.
The cost of NOT preventing a data breach? It’s not just financial:
- 33 percent of companies take more than two years to discover a breach;
- 54 percent of breaches remain undiscovered for months;
- 55 percent of companies are unable to determine the cause of a breach; and
- It takes an average of 66 days to resolve a cyber attack.
How To Prevent A Cyber Attack
While hackers are continuing to develop more sophisticated attack methodologies, real estate practitioners can better protect themselves and their clients if they take precautions–many of which are basic in nature. It isn’t necessary to be a security expert to enact better controls at any size of company. If security expertise does not exist within the company itself, Dr. Handa strongly recommended hiring an expert or a firm that specializes in protecting systems, and ultimately your reputation. The basic elements of a proactive plan include:
- Establishing a company-wide information security team
- Preparing a data map and data risk analysis
- Providing cybersecurity training for employees
- Developing a strict vendor management program
- Creating a specific plan to enact if there is an attack—and practicing it
- Considering appropriate cyber liability insurance
Successful security strategies include developing clear policies for company computer use, data use and passwords—and monitoring and enforcing the policies once they have been put in place. If all precautions fail and an attack occurs, it’s important to be prepared to act quickly.
Dr. Handa said company executives must consider notification obligations and risks, ensure communications strategy minimizes litigation risks, and manage employee communications carefully. Employees are not only on the front line with customers and vendors, they will be asked about the breach by friends and family – so carefully controlling communications could help reduce the risk of misinformation, which could cause more disruption and reputational damage.