Stories of cyber attacks reported on television or in newspapers invariably point to anarchist groups, disgruntled techies or bored geeks, holed up in their parents’ lofts. Successful attacks cannot happen without geeks and technology, but the threats faced by corporates are focused mainly on financial gain.
As property opens up – in terms of the footfall of people within buildings, the way their operations work and the way transactions within them are carried out – more risk will be created. Wherever there is a value chain, for example someone paying for a product, at every boundary (for instance, security doors), there are different vulnerabilities.
With much talk about the ‘internet of things’ – the means by which all manner of everyday devices will be controllable through wireless networks – companies need to remember that they are only as resilient as their weakest link. It does not matter if your main database is tightly controlled if the third-tier contractor responsible for the air conditioning has not updated the default password. Hackers can get in through the slightest crack, and the results can be devastating.
Within the construction sector, each part of the value chain has a different role to play – from architects through to project engineers, prime contractors and casual contractors – and each carries different levels of threat and vulnerability with them.
The prevalence and the increased adoption of building information modelling (BIM), particularly in the context of the construction and renewal of buildings, represents a very rich source of benefit for those who might want to attack, whether they are competitors, governments or organised criminals.
A recognition of how the infrastructure hangs together is all that is required. That is a critical component when reflecting on what constitutes threat and vulnerability: the viable processes with which the attackers can get access.
There is an important concept to understand here. A company can be a victim, without being the target. Consider a scenario where an organisation uses a third-party facilities management provider. The provider’s competitor wants to wrest their contract from the organisation, so the competitor tries to destroy the provider’s reputation by attacking a channel of the organization for which the provider has responsibility. Under these circumstances, the organisation becomes the victim, whereas the target is the incumbent service provider.
This means that when considering the level of threat posed to an organisation, it is dangerous to assume that the attackers will always be targeting an organisation specifically and directly.
A variation of this is what happened in late 2013 to Target, the US retailer, where hackers attacked the third-party air conditioning contractor in order to get access to Target’s systems.
The issue with cyber vulnerabilities in the context of real estate, broadly, is less about the technology and more about the environment in which that technology is deployed, as well as recognising and understanding the various ways in which people can take advantage of it.
One of the most important things for organisations to reflect on is their thinking. A ‘why would they be interested in us?’ mentality implies they would be the target. That is not necessarily going to be the case as they could simply be a conduit and become a victim by enabling the attackers to get to someone else, as described above.
Where a shopping mall or office block has thousands of people inside it, anyone could become a target.
In coffee shops, where around 40% of people conduct public mobile banking when logging onto a public Wi-Fi hotspot, a simple $350 application bought on the dark Web could capture the user credentials of the devices of everyone who logs on. Once the device credentials are intercepted, this same application can monitor the banking application username and password before intercepting the SMS messages with the banking session code received by people’s phones. This gives criminals all they require to conduct mobile banking transactions with an individual’s bank account. What is more, from that point on, until the device password is changed, the criminals will have access to the device.
With an increasing focus on mixed-use schemes, where retail landlords are including more leisure amenities and promoting public Wi-Fi, these threats have to be seriously considered. While the retail landlord may not be the target, they may well bear the cost in legal, financial and reputational terms.
Whether an organisation owns shopping malls, offices, flats or warehouses, they will take a view of their portfolio of risk and the total exposure. The problem is that cyber vulnerabilities enable, accelerate or amplify existing risks in the portfolio. What organisations need to do, then, is to be able to quantify the impact cyber vulnerabilities have on the existing risks in their portfolio.
The approach we take at Willis is to reflect on how to quantify the impact that cyber vulnerabilities have on that total exposure in order to enable and inform decisions around mitigating these issues.
For instance, if a fund manager had known that their exposure was much bigger, they may have chosen to spend more to mitigate the risks upfront and/or retain less and transfer more risk. It is the same type of risk balance and affordability decision that they take for every other risk, but at the moment it is not informed to the same degree.
The probability of someone falling off a building can be modelled with a mathematical modelling programme. The problem with cyber is that there is a strand of intent that overlays the probability model, and that’s part of the challenge that requires meaningful vulnerability scenarios – ultimately this needs to be about the cost of capital. An organisation that has a lousy health and safety record ends up paying more for its insurance and investment capital. But that same organisation’s lousy cyber defence posture doesn’t usually affect the price of their insurance or their investment capital.
Yet even the best in the business are still losing out to cyber crime, as retail banks demonstrate every day. Many organisations are in the same situation, and being a small or non-consumer facing company does not preclude them from being a target – they may well be a route into something more attractive.
Working through the risks up front, quantifying their impact on the total exposure and, crucially, having a point of authority on the board to oversee these processes can at least inform the risk affordability balance decision so that choices are made with full knowledge.
However, the biggest risk companies in the real estate sector face in relation to cyber is complacency.
This article originally appeared on the Willis’ blog WillisWire. Peter Armstrong is Executive Director and Head of Cyber for Willis’ FINEX Global.