Dot Property Malaysia

Cybersecurity and real estate

Is it their problem, your problem or our problem?

Hacktivism has now reached unprecedented levels. Major organisations and corporates are rarely out of the news from compromises by nation states, organised crime, competitors and individuals. With relative ease, an invisible enemy can find its way into a rich trove of trade strategy documents, IP related to product design, and large volumes of consumer data that can be exploited, sold or used for economic or military gain.

It is, however, our employees who remain the most cited culprits of incidents from loss of devices, poor device protection or falling victim to phishing and become unintended accomplices.

The theme of insider threat emerged very strongly at CoreNet Global Summit’s panel debate. Daniel Cuthbert, the COO of Sensepost, a global security firm that specialises in ethical security testing, used his software to demonstrate device vulnerability amongst CoreNet’s audience.


The level and extent of vulnerability was astonishing.

Cuthbert explained that whilst firms can protect their architecture and data with malware detection, vulnerability scanning tools and other types of controls and encryption, we leave ourselves exposed from two major threat sources; Bring Your Own Device policies and free wifi.

Both provide easy gateways. For him, the answer to the question lies with you and me and a basic duty of care. But it became clear in the debate that real estate also needs to transform its awareness on the topic, and understand where it fits as well.

Erwin Franz-Schultz, IT architect and Technical Head of IBM’s Energy & Utilities sector, outlined the vulnerabilities of enterprise networks, IP and software which are now commonly used in the built environment to control services, safety systems and plant. As a leading expert in smart grids and cyber security, he expressed the view that cyber attacks are no different to any other risk faced in scenario testing and disaster recovery planning. It simply happens to be a different type of threat which needs its own assessment and mitigation plan.

Brian Lord, an expert in national intelligence and cyber operations, now with PGI Cyber following a career with GCHQ as Deputy Director reinforced this by urging the audience to normalise the threat. By this he meant, understand the incident, and in simple risk management terms understand the risk severity and probability of occurrence.

He also meant remove the emotion of the media. Most cyber attacks would be described as theft, blackmail, vandalism or anti-social behaviour if reported in the non-Cyber world.

Despite the pragmatism, he did underline Cuthbert’s view about personal responsibility and outlined how responsible organisations implement and maintain systems for storage and transfer of sensitive information and why disciplines around encryption remain highly effective.

Lord flagged up the role of property and its advisors in supply chains. In an outsourced world with complex supply chains, we are reliant on information security arrangements from multiple providers, and in turn hold data on behalf of other parties reliant on the rigour of our own information security.

Yes, Codes of Practice for Cyber Security in the Built Environment and International Standards for Information Security Management Systems, but the question remains whether we know yet what good looks like, or indeed how to answer any procurement teams questions properly ourselves. With new EU General Data Protection Regulations proposing fines of up to 5 percent of global turnover for data protection penalties, answers to these questions need to be found quickly.

Here are some simple tips that everyone in the property and real estate industry can implement.