Cybercrime, CRE companies and practical steps to take

Globally, cybercrime is predicted to cost more than $6 trillion annually by 2021 – so it is little wonder it is a major concern in the commercial real estate industry.

Cybercrime is a threat to every company

In fact, cybercrime is the greatest threat to every company in the world, states the 2019 Official Annual Cybercrime report, by the Herjavec Group.

Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property and also theft of personal and financial data, post-attack disruption to the normal course of business, reputational harm, and more.

“This dramatic rise (in damage costs) only reinforces the sharp increase in the number of organizations unprepared for a cyber attack,” says Robert Herjavec, Founder and CEO of Herjavec Group.

In Europe, Malta is at the biggest risk of cybercrime, followed by Greece, Romania, Slovakia and also Spain, according to the WebsiteBuilderExpert website.

The countries with the lowest risk are Finland, Estonia and Germany.

Malta is vulnerable due to its high percentage of exposed internet connections (73%), lack of cyber security legislation and poor international co-operation. Even though it sees fewer attacks on average than other European countries, it is at far more risk in the long run, as there are few protective or preventative measures in place.

Cybercrime is worsening in Europe

Across Europe, cybercrime is getting worse, according to almost half of developers, investors and also financial professionals who took part in the 2019 Emerging Trends in Real Estate Europe survey.

The issue is explored in more depth in the 2019 Commercial Real Estate Outlook from global financial services company, Deloitte.

The biggest impacts of cyber security breaches that CRE firms face are damage to reputation (41%), financial theft/fraud (37%), theft of personally identifiable information or PII (35%) as well as business disruption (34%), it says.

Many CRE companies, however, seem to be struggling to find the right balance of investments and efforts to handle such cyber attacks.

Nearly two-thirds of survey respondents are somewhat satisfied and only a quarter are very satisfied with their company’s efforts.

The biggest challenges are rapid IT changes and rising complexities (53%), a lack of detailed response by management of CRE companies (38%), and ineffective security solutions due to functionality and interoperability issues (37%).

The questions CRE companies should ask

Commercial real estate companies who want to address the issue should ask themselves these questions, the Deloitte report suggests.

“Are you broadening the risk management agenda to include cyber risk? Are the CRE board and senior management ready to assume responsibility and accountability for managing these new risks? Are you considering a centralized or hybrid approach to managing cyber risks?”

They should also start implementing a cyber risk management strategy. “What is your proposed approach to develop the cyber risk governance framework, policies, and guidelines? Do you have the processes to conduct periodic cyber risk assessments? Are you considering the expectations of investors and other stakeholders? Are you evaluating the appropriate people, process, and technology to execute your cyber risk management agenda? How are you creating awareness about emerging cyber risks? How are you informing investors and other stakeholders about your cyber risk mitigation strategy?”

CRE companies who want to be more secure, vigilant, and resilient, should take action, says the report.

“It is incumbent upon CRE companies to take a proactive, rather than reactive, approach to managing cyber risks, given the growing business and IT complexities.”

10 practical steps to take

Here are 10 practical steps to take:

The CRE board and senior management should assume responsibility and accountability for cyber risk governance and also oversight. They should also be involved in developing policies, frameworks, and roles and responsibilities; assigning budgets; and tracking overall progress.  

They should also consider investor expectations regarding cyber risk preparedness and reporting.

The board and senior management should then discuss the organization’s risk priorities with functional leads, who should be held accountable for designing, executing, and aligning their risk strategy with the central mandate.

The CRE board and senior management should work together, rather than in units. There should be frequent communications between senior leadership about emerging risks from increased digitization.

A detailed scenario planning and cyber risk assessment allows companies to evaluate susceptibility to cyber attacks and to also identify appropriate responses.

Companies should develop a cyber risk assessment framework that evaluates threats and also suggests appropriate resources to manage the risk.

As it is not possible to totally eliminate risks, CRE companies should potentially use advanced detection technologies such as artificial intelligence to sense potential threats and analytics to devise appropriate response management tactics.

CRE companies should evaluate employees for their exposure to cyber risks.  Employees should undergo training to understand the potential threat and implications of various types of risks, especially cyber crimes.

CRE companies may also need to train or hire appropriate cyber risk talent in their IT organization.

Companies should drive behavioral change to instill the responsibility and accountability for risk management among all employees.

Other reports indicate that 16% of European companies received failing grades for their implementations of SSL/TLS encryption and also that 30% are not compliant with GDPR (General Data Protection Regulation).