Understanding cyber risks in real estate

May 12, 2021

https://www.pwc.com/ca/en/industries/real-estate/understanding-cyber-risks-in-real-estate.html

While the real estate industry has self-admittedly been slow to embrace technology, this is changing quickly. Our Emerging Trends in Real Estate 2021 report found the pandemic has forced the industry to embrace technology solutions, from collaboration tools and virtual open houses to digital payments and property technology (proptech) to ensure business continuity.

尽管房地产行业接受技术的步伐缓慢，但这种情况正在迅速改变。 我们的《2021 年房地产新兴趋势》报告发现，疫情迫使该行业采用技术解决方案，从协作工具和虚拟开放日到数字支付和房地产技术 (proptech)，以确保业务连续性。

Protecting data in a virtual world

Proptech tools, smart buildings and other technologies have significant benefits, but they also create new risks and vulnerabilities. Prior to the pandemic, many real estate companies lacked a comprehensive information technology strategy and weren’t using the full capabilities of the tools they did have in place. With the expanded use of existing tools and accelerated adoption of new ones, they’re now facing additional gaps in security.

Real estate companies should consider how they’re going to protect their organizations in an increasingly virtual world. Our 24th CEO Survey found cybersecurity was the top concern of Canadian CEOs—even more so than the pandemic itself—with 47% of respondents saying they’re extremely concerned about cyber threats. To support this, 69% of Canadian CEOs plan to increase their long-term investments in cybersecurity and data privacy over the next three years.

保护虚拟世界中的数据 房地产科技工具、智能建筑和其他技术具有显着的好处，但它们也带来了新的风险和漏洞。 在疫情爆发之前，许多房地产公司缺乏全面的信息技术战略，也没有充分利用现有工具的全部功能。 随着现有工具的扩大使用和新工具的加速采用，他们现在面临着额外的安全漏洞。

房地产公司应该考虑如何在日益虚拟的世界中保护自己的组织。 我们的第 24 次首席执行官调查发现，网络安全是加拿大首席执行官最关心的问题，甚至比大流行本身还要严重，47% 的受访者表示他们非常担心网络威胁。 为了支持这一目标，69% 的加拿大首席执行官计划在未来三年内增加对网络安全和数据隐私的长期投资。

How to approach cybersecurity

As real estate organizations continue to digitize their businesses, cybersecurity needs to be part of their risk management. To effectively prepare for and respond to cybersecurity threats, real estate companies should think about the following measures and best practices:

1. Understand your risks: Conduct an assessment to see where you’re at and where any security gaps exist. From there, you can develop a road map. This road map should be practical, adapted to your business and focused on areas where you’ll get the best bang for your buck. You can start small and grow from there.
2. Start prioritizing: Once you understand your risks, you can better understand which ones to prioritize. There are a number of cybersecurity frameworks that provide guidelines and best practices, such as the NIST Cyber Security Framework and CIS Critical Security Controls. The framework you adopt should be based on the maturity of your cyber program.
3. Do your due diligence: Perform adequate due diligence before introducing any new technologies. This could include performing a risk assessment, architecture review or penetration test. If you’re working with cloud providers or managed service providers, make sure you have a way to evaluate the ongoing security posture of those providers.
4. Monitor risk exposure: Define and implement clear processes for monitoring your overall risk exposure on an ongoing basis. For example, third-party risk exposure changes over time.
5. Monitor malicious activity: Monitor your technology environment for signs of malicious activity at all times.
6. Ensure business continuity: Prepare a robust incident response and crisis management plan so if something does go wrong, you’re prepared. For example, your team should know what steps to follow if there’s a ransomware attack.

如何处理网络安全 随着房地产组织不断实现业务数字化，网络安全需要成为其风险管理的一部分。 为了有效准备和应对网络安全威胁，房地产公司应考虑以下措施和最佳实践：

了解您的风险：进行评估以了解您所处的位置以及存在的安全漏洞。 从那里，您可以制定路线图。 该路线图应该实用、适合您的业务，并重点关注能让您获得最大收益的领域。 您可以从小事做起，然后不断成长。 开始确定优先级：一旦了解了风险，您就可以更好地了解要优先考虑哪些风险。 有许多网络安全框架提供了指南和最佳实践，例如 NIST 网络安全框架和 CIS 关键安全控制。 您采用的框架应基于您的网络计划的成熟度。 尽职调查：在引入任何新技术之前进行充分的尽职调查。 这可能包括执行风险评估、架构审查或渗透测试。 如果您与云提供商或托管服务提供商合作，请确保您有办法评估这些提供商的持续安全状况。 监控风险暴露：定义并实施清晰的流程，持续监控整体风险暴露。 例如，第三方风险暴露随着时间的推移而变化。 监控恶意活动：始终监控您的技术环境中是否存在恶意活动迹象。 确保业务连续性：准备强大的事件响应和危机管理计划，以便在出现问题时也能做好准备。 例如，您的团队应该知道如果发生勒索软件攻击应采取哪些步骤。