In the wake of the recent CrowdStrike outage taking businesses around the world offline, real estate companies big and small are looking at their cybersecurity systems with a renewed focus.
Last time we spoke with Marcum, the leading accounting firm showed us how their latest AI tool keeps their clients ahead of the game. In our latest conversation, Marcum Assurance Services’ Saud Khan and Steve Fischer shared the types of threats they see on a daily basis and how they advise clients to protect themselves from fallout caused by everything from bad actors to simple software failures.
Cybersecurity Threats Big and Small
Not every cybersecurity threat is a major failure that takes down global air travel like the CrowdStrike outage. In fact, as Khan, who runs the Information Technology Assurance Team within Marcum’s Assurance Services, points out, small RE firms with just a couple of holdings can be more vulnerable to attacks from bad actors than major companies.
“The bad actor’s fundamental goal is to get a return on their investment,” explains Khan. “So they’re going to go after the easy target.”
Like a lion hunting gazelle on the Serengeti, bad actors go after the weakest prey instead of the bull. When it comes to cybersecurity, larger organizations often have the resources to implement more complex tools and perform frequent recovery exercises that insulate and prepare them from attack, while smaller ones might not even realize that they’re vulnerable in the first place.
“Those smaller family offices will look at their brick and mortar holdings and ask, ‘Where’s the IT risk?’” says Fischer, Partner-in-Charge of Real Estate Assurance Practice at Marcum. “In our audit processes, we try to show them how there’s still exposure here that they need to be mindful of.”
Khan and Fischer grouped the most common vulnerabilities they see with RE clients into two broad categories: dependency on third parties and employees. They gave us some insight into how they help clients identify these risk areas and put systems in place to help protect their businesses.
Dependency on Third Parties
In the RE industry, relying on third parties for vital services is often a necessary evil.
“You can protect your own house,” says Khan. “However, because of dependency on someone else to support your infrastructure, your house now opens up to vulnerabilities at the third parties.”
This is exactly what happened with the Crowdstrike outage: everyone from airlines to retail to healthcare relied on Crowdstrike, which in turn relied on Microsoft, and one system update created a cascade of failures downstream at an individual user level.
“Let me give you an example specific to real estate,” says Khan. “With all the technology that goes into buildings now, the industrial control systems like your elevator systems and your basic access management system, it’s all provided by third parties.”
While third-party vendors often tout their security protocols, if they get hacked or exploited, “all of a sudden the bad actor can infiltrate your environment, not only from a logical perspective but ultimately from a physical access perspective as well.” The most common version of this is a bad actor taking over something like a reservations system, locking out the owner, and then demanding a ransom for the return of control over the system, wreaking havoc with day-to-day operations.
When working as an external auditor, Marcum will identify these types of vulnerabilities or lack of controls in the client’s environment.
“From an assurance perspective, Steve and I will go in and evaluate your control environment,” explains Khan. “Upon completion of our audits, we will provide our clients results of any or all applicable gaps or deficiencies.”
When working in an advisory capacity, Marcum will help clients put into place a governance structure that can protect them from suffering major consequences if a single system should fail. This involves going through a client’s list of assets and ranking them by risk to their organization, then shoring up any significant gaps with the appropriate control. That might be as simple as installing a failsafe in a critical system that prevents a bad actor from doing too much damage should the system become compromised, or as complex as instituting an entire redundant system.
The Threat Is Coming from Inside the House
While relying on third parties opens up cybersecurity risk, the other major area of danger is much closer to home.
“I’ve seen this a lot with smaller family offices,” says Khan. “There are so many people who still continue to click on bad links, and that will single-handedly take down your organization.”
Even a good control like requiring manual approval for a payment falls apart when employees aren’t on the lookout for warning signs. As Khan puts it, “You need to protect your in-house and get proper training.”
Fischer emphasizes the importance not only of cybersecurity training, but also of documenting these policies along the way. “Sometimes organizations do have the proper controls and processes in place,” he says, “but they don’t have it formally documented, and that can lead to them not following them, which is in and of itself a risk.”
Be Proactive, Not Reactive
Marcum LLP’s tech-forward approach to assurance and advising gives clients the tools to prevent the worst from happening instead of cleaning up after a breach causes major damage. This has become increasingly important as more and more elements of the RE industry rely on technology. Simply put, real estate firms, big and small, no longer have the luxury of focusing on physical security to the exclusion of cybersecurity. That’s why many are turning to Marcum for assurance and advisory services.
“We focus on making sure our clients have the proper controls in place,” says Fischer. “They rely on us to be the experts.”
To learn more about how Marcum LLP can shore up your cybersecurity protocols, reach out today.