Large multi-national corporations like Target, Home Depot and JPMorgan Chase were the recent victims of highly publicized data breaches aimed at lifting consumer information, but the threat is not limited to the retail and financial services industries.
The real estate industry is also at risk.
Rental applications, credit reports and leasing agreements are just a few of the types of documents stored and shared by property managers, brokers, developers and appraisers that contain the sort of information cyber criminals crave.
Access to this sensitive data, coupled with the industry’s increasing reliance on technology, such as landlords making portals available for rent payments, makes real estate players prime targets for hackers.
In September, for example, Essex Property Trust, a Palo Alto, California-based real estate investment trust that owns and operates multifamily properties on the West Coast, reported that its computer networks, containing personal and proprietary information, were compromised by a cyber intrusion.
And the security breach at Essex is just the tip of the iceberg, industry observers said. “It’s no longer a matter of if a company gets hacked, it’s only a matter of when,” said Mark Stamford, founder and CEO of OccamSec, a Manhattan-based company that specializes in computer and Internet security.
Cyber criminals can compromise an organization’s information in multiple ways, including loading spyware, crashing servers to cause data loss, hacking email accounts and hijacking business websites.
Companies are employing a number of strategies to try to ward off attacks.
“There’s no single solution,” said Ian Marlow, CEO of FITECH, a Manhattan real estate technology and consulting firm that counts Rudin Management Company, the LeFrak Organization, and the Silverman Group among its clients. “Each company will need to find its own configuration.”
Neil Rubler’s Candlebrook Properties hired technology consultants to create an encrypted cloud that could store the firm’s email and corporate data. Rubler says the hundreds of thousands of dollars it costs each year is money well spent.
“The lessons of 9/11 and the recent wave of hacking indicate that we need to be proactive in securing the confidential information we maintain,” said Rubler, whose firm, formerly known as Vantage Properties, manages seven residential properties in New York and New Jersey.
Some firms are trying to minimize the likelihood of data breaches by installing two types of protective software: a firewall that prevents outsiders from gaining access to private networks, and antivirus software to protect personal computers from malicious infections.
Daryle LaMonica, IT director for the Manhattan-based residential and commercial property firm TF Cornerstone, said viruses are his firm’s biggest concern, and in fact several have infected their computer systems in the past. “We caught them before any real damage was done, but now we are continually upgrading our software and all employees are warned against opening questionable emails,” said LaMonica. To reduce potential exposure, TF Cornerstone also contracts a third-party company with its own security system to collect online rent payments from tenants.
The effort to ward off cyber intruders has other firms going on the offensive, actually employing companies to hack into their systems and identify weaknesses before criminals can exploit them.
“Knowing your ‘black swans’ keeps you one step ahead of the attackers,” said Stamford, whose company has tested the systems of a number of property management companies using the same techniques he claims “the bad guys” would use.
Of course, nothing is foolproof and should a breach occur, the focus must shift to limiting liability and repairing damage. “Real estate companies can mitigate financial loss with cyber liability insurance coverage,” said Tim Plunkett, counsel with McKenna, Long & Aldridge, an international law firm with a number of real estate clients.
The fallout of a single data breach costs businesses an average of $5.4 million, according to a 2013 report by the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy. Included in this figure are the cost outlays for detection, notification and after-the-fact responses. New York State law requires all businesses to contact customers in the event of a breach. Insurance policies can defray these costs, along with legal fees should the company be sued.