BreachExchange mailing list archives

Cyberattacks on CRE: Real and inevitable


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 7 Oct 2015 20:29:22 -0500

http://rew-online.com/2015/10/07/cyberattacks-on-cre-real-and-inevitable/

It is a common and dangerous misconception that cyberattacks happen to
others — giant retailers, government agencies — but not to real estate
companies.

You might be lulled into this belief because your company doesn’t house
much in the way of consumer information or intellectual property. So, why
would you even be a target? In fact, there are many reasons.

Hackers recognize that, more and more, all businesses including real estate
are interconnected. IT systems, the cloud, mobile devices, and social media
are just some of the points of contact and connection with outside third
parties.

Where once there were no technological connections, we now see highly
sophisticated technology controlling building access systems. It has been
reported that in the recent cyberassault on Target, the initial intrusion
came about using network credentials stolen from a provider of HVAC systems.

Transactions between owners, tenants, and vendors are now almost always
carried out electronically — inviting a cyberassault. Open Wi-Fi networks
also increase data breach vulnerability.

The problem goes well beyond theft of information. The intrusions of
cybercriminals, hacktivists, and the like can cause physical damage with the
resulting costs impacting your productivity, your wallet, and your bottom
line.

State disclosure laws vary and may mandate that a cyberattack incident is
made public, resulting in issues with confidence in your security measures
and damage to your reputation that may be irreparable and weaken your
position in the marketplace.

Perhaps most disturbing is the fact that often there is a substantial lag
time between the breach by the cybercriminal and the discovery by the
victim and any remediation. During that lag, all sorts of damage can be
inflicted.

Clearly, any threat with the potential to be massive, financially
debilitating, and damaging to the longevity, stability, and reputation of
your company requires a comprehensive cyber risk management strategy.

Here are some points to consider:

Size Doesn’t Matter: Smaller organizations mistakenly think that they can
pass under the radar as a target too small for a cyberattack. That is
simply not true. Equally dangerous, small organizations often don’t invest
in IT professionals capable of setting up a defense and educating the team.
In both cases, you are inviting danger.

Prepare From the Top Down: Companies should recognize that cybersecurity is
not just an issue for the IT and operations people. Senior management needs
to take a leadership role in determining who is accountable for cyber risk
management.

To be effective, at least one senior-level executive should be responsible
for this task, lead a team, and be the go-to individual in a crisis.
Stepping beyond your doors and remembering what happened to Target, you
should also try to assess the readiness or vulnerability of your vendors.

Fortify Your Existing Technology: Assess what you have right now. Many real
estate companies have insufficient password policies or are not current on
vendor updates and patches resulting in outdated antivirus and anti-malware
programs. These can only serve to heighten your risk of attack.

As you continue to increase your use of technology to stay competitive,
improve efficiency, and grow, ongoing attention to data protection and
security must be part of the process. See to it that you have people in
your organization who have a sound understanding of the threat environment,
available controls, industry standards, and regulations.

Address Your Greatest Vulnerabilities First and Develop Your Policies:
Working with your chief information officer or senior IT professional,
develop an understanding of the cyberthreat environment you are facing and
learn about the various approaches cybercriminals might take.

Consider performing a risk assessment to determine where you are most
vulnerable and what areas of the business you will address first.

Once you know where you are, you can prioritize and develop policies and
procedures to get you where you need to be. Of course, senior management
must fully support the cybersecurity policies and frameworks you suggest.

As this will involve financial investment, the company must set appropriate
risk tolerance levels and weigh options in the face of the real or
perceived threats to assets.

Invest in Awareness: Your own people can be your weakest link and your
first and best line of defense, so it is prudent to invest in an awareness
program for all levels that includes training on all new policies and
procedures — with explanations as to why they are important.

So that the importance really hits home, demonstrate how a cyberattack can
impact the lives and jobs of your employees. Recognize those within your
organization who demonstrate an enthusiasm for this initiative and reward
anyone who comes up with policy suggestions that may improve your security.

Test Your Crisis Management Processes: In war time, the words “battle
stations” are heard many times before actual combat so that a crew can be
prepared when the time comes.

The same applies to your cybersecurity measures. You may already have a
physical disaster recovery program in place; cyberattacks can be treated in
much the same way.

Run through a simulated attack to see how well your systems and processes
respond and amend any that fail or present weakness. Appoint a crisis
management team whose task is to help restore operations with the minimum
amount of down time and work disruption.

Detection: The Earlier, the Better: We mentioned that often there is a
considerable lag between the breach and the discovery. It is possible to
reduce that lag time.

Financial services firms have learned this “time is money” lesson, and real
estate companies can take their cue and set up incident detection systems
and monitoring procedures.

Today, companies recognize that maintaining a firewall is a basic form of
technology security; however, many do not regularly assess whether the
firewall continues to be configured properly. In addition, many companies
do not take the next step by monitoring the activity logged on the firewall
for any anomalies that should be investigated in real time.

These systems can be automated to correlate and analyze large amounts of
data and red flag threat indicators.

The threat of cyberattack is simply a permanent part of modern life and
real estate organizations are not immune. It is only a question of when a
cybercriminal will get around to you.

The best defense is to take the offense and prepare a powerful and
adaptable cybersecurity policy that gives you the best chance of repelling
or blunting the impact of an attack. The cost must be measured against what
you are willing to lose.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
