In the last few years, real estate and construction leaders have made great strides to implement new technologies into their regular practices. While these advances have uncovered additional efficiencies, their adoption has created a critical vulnerability: data security.
Cyberattacks are on the rise, with a 22% increase in major attacks year over year, according to the Verizon Mobile Security Index 2022. Given the wealth of personal information they hold, real estate and construction companies are particularly attractive targets for these attacks and should take steps to safeguard their data. Whether training its workforce to follow data management and cybersecurity best practices, improving security software, or establishing data backup plans, each measure assists in building a more secure digital environment for a company's data and may help safeguard its reputation and the safety of its customers, employees, and residents.
Cybercriminals Threaten an Industry's Safety and Success
Construction companies have been particularly susceptible to cyberattacks, in large part because cybercriminals are aware the industry is under-protected. This is supported by a 2022 study by KnowBe4 which used simulated phishing techniques to demonstrate that wide-net cyberattacks like email phishing scams have been particularly effective in targeting the construction industry. As a whole, construction views cybersecurity as a lesser business priority: Just 64% say it's a high priority versus 77% of businesses overall, according to the KnowBe4 study.
The real estate and construction industries are not unlike others in that the COVID-19 pandemic forced them to replace in-person tasks with their virtual equivalents. Unlike other industries, however, construction has had more ground to cover to catch up - it is widely understood to be a laggard in terms of digital transformation. The adoption of new technologies has helped companies achieve higher productivity by automating time-consuming administrative processes, simplifying communications, and streamlining data management. To remain competitive, real estate and construction companies will need to continue to utilize these technological advances.
However, these new advances often come with more interconnectivity. Unfortunately, the more connected devices and software a company relies on, the more access points hackers can use to infiltrate that company's cybersecurity system. Many industry leaders are concerned that mounting attacks are not being met with adequate security measures. According to a study by Venafi, 82% of CIOs believe that their software chains are vulnerable to cyberattacks.
Don't Dismiss Due Diligence For Your Third Parties
In addition to potential vulnerabilities arising from software interconnectivity, external vendors or third parties may add new cyber risks. Whether hiring a contractor, a new vendor or working with a new client, companies should thoroughly assess each third party's own cybersecurity measures, as they could by extension be inadvertently exposed to vulnerabilities. Some considerations include:
- Requesting an Internal Report - Determine whether a third party has undertaken its own cyber security measures by requesting it produce an internal report. For example, the third party can undergo audits regarding the secure management of data by producing an SOC2 report, which assesses five "trust service principles": security, availability, processing integrity, confidentiality, and privacy.
- Assessing Cybersecurity Measures - Determine whether a third party independently tests its operations, holds insurance against cyberattacks, and follows best security practices, such as multi-factor verification and unique login identification.
When working with a third-party cybersecurity provider, having established roles and responsibilities is paramount. If an organization is a victim of cybercrime, for instance, determining whether data backup will be performed in-house or outsourced to a security provider can speed up the recovery process.
Protecting Your Organization Against "Cyber Threats"
Many cyber criminals develop attacks by testing for weaknesses in software programs designed to protect against cyberattacks. The more outdated cybersecurity software is, the more time cybercriminals have had to find vulnerabilities. Having a dedicated IT team to help regularly monitor and update cybersecurity software systems can help organizations stay ahead of cybercriminals. If an in-house IT team is not feasible, having a dedicated vendor can also help facilitate and maintain a company's cybersecurity program.
Simple measures — including two- or multi-factor authentication, unique login identifications or virtual private networks (VPNs) — can protect companies substantially against cyber criminals. Once such practices have been established, it is important to prepare an incident response and backup plan. By having professionals simulate attacks to test for vulnerabilities, penetration and vulnerability testing can help strengthen these plans. When developing a backup plan, it is important to:
- Have a dedicated professional available to determine what kind of breach occurred and the extent of the damage.
- Make sure the legal team is involved and frequently consulted.
- Establish who should be notified of a cyberattack and in which cases.
- Prepare for additional monitoring of possible cybersecurity breaches to identify ongoing, unusual activity.
Having cyber insurance as part of the overall incident response and backup plan is a consideration, as well. While insurance does not cover all possible costs, it can help an organization bridge the gap should a cyber event occur.
A robust cybersecurity program is essential for real estate and construction companies' long-term viability. As technology evolves, companies should be prepared to handle increasingly sophisticated cyberattacks by keeping high-security standards for themselves and others. Training employees in cybersecurity practices, investing in reliable software, and building and testing backup plans can help maintain an organization's data, reputation, and safety.
For more information about the above article or other business advisory services, contact Jessica L. Pagan, CPA by calling (334) 887-7022 or by leaving us a message below.