Ongoing digitisation obviously offers considerable benefits for all professionals, not least those in real estate. But with remote working on the increase and buildings integrating more and more technology, we must all develop a greater understanding of cyber security.
With this in mind, RICS proptech analyst Andrew Knight recently talked online with Marie-Noëlle Brisson FRICS and Michael Savoie, founders of RICS Tech Partners CyberReady. He asked them about how their experience has shaped the advice they give real-estate professionals who must prepare for digital threats.
Brisson explained that, having worked in asset management, underwriting and investment in Europe and the US, the need for data piqued her interest in the digital aspect of real estate. Savoie meanwhile was an IT specialist with a government services background who then started a business offering various digital services, including cyber security.
When the two met, the idea of CyberReady was born. Its aim is to help businesses understand and be prepared for the digital threats they may encounter.
"You can get hacked just about anywhere by just about anyone," warned Savoie. A business does not have to be large or significant to attract the attention of hackers, whether they are ransom-hunters, state-backed agents or simply in it for kicks, he said.
Attack points have multiplied as buildings adopt more interconnected devices, Brisson pointed out. She added that vulnerabilities have increased with hybrid working, which entails more employees working on domestic or even public networks.
Remote meetings on screen can present another weak link in security – for example, an employee's background on a video call could reveal passwords or other sensitive information in their surroundings. Altogether, this makes controlling data a much harder job for businesses.
Both Brisson and Savoie were keen to emphasise that security is all about the so-called ecosystem of technology, people, clients and suppliers. "The vulnerability is in the weakest link of the ecosystem," Savoie advised. That link could be a person, a smart meter, or even a networked vending machine. "So now you have to be proactive," he cautioned.
It is critical that all departments and all levels are involved in combatting cyber risks – it is "everyone's job", Savoie added. CyberReady always make it clear to clients that this goes far beyond just the IT team. The whole organisation needs training on good security, from managing passwords to taking care about what is visible around desks during video calls.
There are various cyber insurance products on the market, but the problem cannot generally be dealt with only by taking out such policies. These will not cover, for example, harm from state-backed hacking or, in some cases, from ransomware attacks.
It is also still relatively early days for this type of insurance. Questionnaires from insurers are not standardised, and questions may not match the actual policies and procedures of businesses. Coverage can even be refused because questionnaires can't reflect actual business practice. For example, they may not ask for proof that a business has a proper plan for recovery from cyber attack.
Savoie suggested that insurers are clear with clients as to what policies and procedures must be in place if the client wants to take up cyber risk insurance; for example, a business continuity plan might be required.
Brisson also felt that there has been no conversation on cyber security and valuation. Should the risk profile of a building form an aspect of its valuation, considering how this affects marketability? Should valuers be looking at what the lease has to say about digital risk? She proposed a framework for cyber values that could be incorporated into valuation assumptions.
In her work in real estate Brisson has noted how, when it comes to data governance, businesses with the most robust policies and procedures have been the most successful.
Businesses today are starting to understand data as a corporate resource, but they don't think of it as having a life cycle. This would involve considering how data is created, who owns it, who uses it and why, how it's deleted, and so on.
Data governance, a business continuity plan and training for all are the foundations of good data risk management, she added. The first of these is about layers of security – including passwords, levels of access and back-up – and ensuring these arrangements are communicated to employees, clients and suppliers.
Business continuity should focus on minimising downtime, and disaster recovery on what everyone needs to do in a worst-case scenario. Brisson recommended carrying out drills so that everyone is prepared. Having an effective plan that has been rehearsed is key when plugging the hole created by a data breach. So is contacting everyone affected or whose services will be required, such as legal professionals, as soon as possible.
Training should be undertaken from the top to the bottom of the organisation, being clear that this is not just an issue for IT. Everyone should remember the ABC of cyber security: awareness, behaviour and capacity.
Silos and confusion about responsibilities can hamper all of the above, as can lagging behind the pace of change. CyberReady advises that businesses should aim for more than compliance and avoiding penalties: being proactive is the best way to combat threats.
Savoie emphasised that cyber attacks are a business risk, not a tech problem. Businesses must prepare with that in mind, and assess risk on an ongoing basis.
The full discussion is available online: