How to navigate cyber security

The commercial property sector is on the brink of a thrilling yet challenging digital age. The escalating issue of cyber security isn’t merely a theoretical discussion. It embodies real threats to the sector, such as ransomware attacks, smart building breaches, and subtle but potent methods of phishing and social engineering. These cyber threats are shaking the very core of the industry, leaving many unprepared. However, by comprehending, preparing and innovating, you can turn these threats into catalysts, driving you towards resilience and growth. Top cyber threats Over the years, the usual suspects of cyber threats have remained largely unchanged. Password stuffing Imagine a burglar trying every key on a massive keychain to open a door. That is password stuffing in a nutshell. It is a cyber attack that uses automated software to try thousands of username and password combinations on online login pages. The combinations come from lists of previously hacked databases, and it works when people reuse passwords across different sites. It’s estimated that 16.5% of all logins are from password-stuffing attacks. In one instance, hackers used this technique to break into 55,000 US Ring accounts, costing Amazon a whopping $5.8m (£4.6m) in a settlement. Phishing & fraud e-mails These social engineering scams aim to trick individuals into revealing sensitive information, like passwords and financial details, or into making payments. For property transactions, this type of attack is often referred to as “Friday afternoon fraud”. In these attacks, cyber criminals compromise the e-mail accounts of either the conveyancing firm or the client – possibly via a password stuffing or phishing attack – and then read and modify correspondence about property purchases. To cash in on the attack, they request a last-minute bank account change to steal the money. UK Finance states that fraudsters stole more than £1.2bn from UK consumers in 2022 . Cloud misconfiguration As businesses migrate to the cloud – eg Microsoft Azure, Amazon Web Services, Google Cloud, etc –misconfigured or weak security settings present a significant and growing risk. Weak authentication, errors or gaps in the configuration of cloud services, applications or infrastructure can expose sensitive data, grant excessive privileges, or create weaknesses that can be exploited by cyber criminals. Storing data in cloud storage buckets without proper encryption, access control, or logging could lead to data leakage or tampering. Granting more permissions than needed to cloud users increases the attack surface. Cloud misconfiguration can have serious consequences, such as data breaches, service outages, compliance violations or reputational damage. In the 2019 Capital One data breach, cloud misconfiguration issues allowed an attacker to access and steal personal information of more than 100m customers from an Amazon Web Services bucket. Software vulnerabilities Software vulnerabilities are defects in software that could allow cyber attackers to gain control of a system. Attackers can exploit software vulnerabilities to plant malware such as viruses or spyware, to steal or manipulate data, or even to join a system to a botnet that can then be used to attack other systems. Ransomware is often the malware of choice for cyber criminals exploiting software vulnerabilities. In 2021, a cyber-crime group called DarkSide used ransomware to attack a company called Colonial Pipeline. Initial losses were $4.4m and caused a shortage of gasoline across southeastern US. Supply chain compromise This complex threat involves cyber criminals infiltrating their real target by first breaching a third-party supplier as a proxy to their target. An attacker could breach a software developer, manufacturer or distributor to modify their products to include malicious code. Or they could insert a physical component into hardware to alter its functionality. Such attacks can be difficult to detect and remove, and can affect large numbers of customers indiscriminately, not just the targets. In 2020, SolarWinds, a software company, was breached as part of a sophisticated cyber-espionage campaign. The altered software affected multiple customers, including government agencies and tech firms, and was used to steal sensitive information. The attack was so advanced it took months to fully uncover the extent of the breach. The impacts Despite these most common attack types, the biggest impacts to businesses mainly come from two types, ransomware and phishing attacks. Ransomware Ransomware is malicious software that encrypts data and holds it hostage until a ransom is paid. Typically, cyber criminals also steal data from the target to coerce them into paying up. Ransomware attacks can not only disrupt operations by shutting down IT devices, they can also have direct financial losses, result in confidential data being made public, and can tarnish hard-earned reputations. Security company Sophos reports that the average ransom payment was $1.54m in 2023 – almost double the 2022 figure. Phishing Phishing e-mails are a cheap and easy attack to carry out. Furthermore, in the era of generative artificial intelligence, with tools such as ChatGPT anyone can make their e-mails sound more professional and can add some deepfake videos to boot. As phishing is often used to trick victims into urgently transferring money, it may be no surprise that losses from this cyber crime continue to dwarf all other cyber-crime losses. The term “business e-mail compromise” is used to describe phishing emails that target businesses from a financial perspective. In these scams, attackers impersonate company executives or trusted vendors to trick employees into transferring money or revealing sensitive data. It is estimated global businesses lost $11bn from BEC attacks in 2022. This contrasts with ransomware, with global ransom payments totalling $457m in 2022, although this doesn’t take into account the losses from lost business and recovery costs. Smart building hacks The global smart building market is predicted to grow to $127.09bn by 2027, according to the World Economic Forum. While this is encouraging for automation and efficiency, there are significant cyber-security threats faced by smart buildings. Any IT device directly connected to the internet can be found by cyber criminals, scanned and, if it contains weaknesses, exploited. Intelligent systems that govern functions such as HVAC, lighting, security and fire alarms are just as much a target, and could be exploited to launch ransomware attacks on the rest of a network. In 2017, hackers stole a huge amount of data from a North American casino after they had hacked into an internet-connected fish tank. Non-cyber breach risk In addition to cyber threats, non-cyber data breach risks also need consideration. Data being e-mailed to incorrect recipients is frequently the most common incident reported to the UK’s Information Commissioner’s Office, amounting to 18% of ICO reports in 2022, whereas 8% of reports were due to ransomware. Such non-cyber breaches can also be damaging to businesses from a reputational perspective as well as from the risk of fines from the regulator. Proactive mitigation In the face of these escalating cyber threats, complacency is a luxury we can no longer afford. A proactive, comprehensive approach towards cyber security isn’t a choice but a necessity. A useful methodology is the “lead, identify, protect, detect, respond, recover and learn” framework. Start with lead, by appointing a leader to own, develop and implement a risk-based security framework to protect your organisation against threats. Then identify the risks faced by gaining thorough visibility of your digital assets, data and suppliers, and their vulnerabilities – this is a continuous process. Next, protect your organisation from cyber attacks and breaches by implementing proportional security controls throughout your business, using people, process, and technology. Then continuously detect weaknesses and security events by deploying an automated system to monitor your digital assets and services. Have a team and processes to respond and recover promptly to contain and manage incidents, minimising the impacts should the worst happen. Ending with learn, promote a good culture of security across your business through training, awareness and by keeping up to date with the right skills and knowledge. The benefits of achieving true cyber resilience extend beyond mere cost avoidance and smooth-running operations. They encompass improved customer or client satisfaction and retention, securing more business and gaining a competitive edge over less secure competitors. Towards a more secure future The future of the commercial property sector is intertwined with the digital realm, and with that comes the challenge of cyber security. The enormity of the cyber-security challenge cannot be downplayed. It is a complex business risk that affects all organisations of any size and any location. Addressing it isn’t just vital, it’s obligatory. By adopting a comprehensive and proactive approach, you can change the narrative on cyber threats and pave the way towards a more secure, resilient commercial real estate industry. The survival of your business depends on it. Graham Thomson is the chief information security officer at Irwin Mitchell Image © Pawel Nolbert/Unsplash