Ghosts in the machine? How can property companies deal with the threat of cyber security?

By Taylor Wessing   With the proliferation of proptech, demands on ESG data collection and the increasing operationalisation of bricks and mortar, today's real estate companies are dealing with more data than they ever have before. So far so good, but what happens when there are ghosts in the machines? How many in our sector are confidently addressing the risks and devising robust strategies to cope when the worst happens? A Taylor Wessing breakfast seminar hosted in London on 12 December, in association with UKPA, walked clients through the stages of a cyberbreach to help them avoid the jump scares. Cybercrime is a big part of all our lives, and our sector is far from immune. A recent report from auditing firm Grant Thornton found that nearly half of property companies in Germany have been attacked by cybercriminals in the last year. It seems that the risk of being targeted is a case of when, not if, and yet many, many firms on either side of the Channel are believed to be unprepared to deal with an attack. The stark reality is that companies well versed in bricks and mortar are only just beginning to get to grips with their new vulnerabilities as they pivot into data rich, technology enabled businesses.   Types of cyber crime First, it does well to ensure we are all on the same page when it comes to the smorgasbord of cybercrimes. The most common events involve:

1. Malware – this is an umbrella term for when malicious software steals your data, hijacks your systems or even damages your network equipment;
2. Denial-of-Service (DoS) attacks – when the victim's computer system is overwhelmed so normal traffic cannot be processed, resulting in denial-of-service to users;
3. Phishing - when scam emails, text messages or phone calls are used to trick victims ultimately to download a virus, or reveal bank details or other personal information;
4. Spoofing - when the criminal hoaxes a well-known individual to gain access to systems, steal data, or spread malware; and
5. Identity-Based Attacks – this crime basically involves stealing or faking login credentials.

Of course, in practice, cyber risk is multi-layered and any singular attack is likely to involve any number of the above strategies. The criminals will often attack service or support functions like building security, things that seem non-core to the actual business of property investment or management for example, until they stop working. Multi-layer attacks, with combinations of the above tactics, may be difficult to unpick, but preparation is in many ways the best form of defence.   Creating a plan to deal with a cyber attack It is a positive, if complex, message, if, or when, the worst happens. But as the forensic experts get to grips with the mechanics of how an actual or even a potential attack is underway, there is actually plenty the property company can do to actively manage the risks to its operation and reputation. Building the right response team is key here. It should be consciously multi-disciplinary, with tech, communications and PR experts, expert counsel and perhaps even professional negotiators to liaise with the criminals given the high chances they will be demanding a random payment. Companies need to harness those who fully understand all their vulnerabilities – the demands of data protection law, for example, or the requirements of their business continuity insurance policies. These people will be just as important as those able to point to the potential impact on the company's other day-to-day contractual obligations, as well as on its ongoing operations. Being equipped to control the narrative and immediate impact of the breach is vital. And of course, the response needs to be speedy as well as well thought out, as the company takes control of its response. Clients at the recent breakfast seminar were able to walk through the stages of a live and unfolding cyberattack, and consider with the experts their ideal response at every stage.   With live and engaging sessions like this one, the hope is that the sector will continue to invest in technology, confident that they are able to move quickly and conclusively to exorcise the demons when they attack.