Portfolio Security: Cyber Risks in Real Estate
Cyber threats are reshaping the real estate industry. As properties become more connected through smart systems, IoT devices, and digital platforms, the risks to sensitive data and building operations grow. From ransomware attacks to phishing schemes, these threats impact tenant trust, financial stability, and portfolio value.
Key takeaways:
- Phishing attacks drive 85% of breaches, often exploiting employee errors.
- Ransomware incidents disrupt systems like HVAC and security, with costs exceeding $100M in cases like MGM Resorts (2023).
- Third-party supply chains and outdated systems leave real estate firms exposed.
- 43% of UK businesses faced cyberattacks in 2025, highlighting the growing threat.
To protect portfolios, firms must prioritize cybersecurity with measures like multi-factor authentication, employee training, encrypted communication, and incident response plans. Centralized platforms and AI-driven tools can further enhance system security, reducing exposure to breaches. Cybersecurity isn't just an IT issue - it's critical to safeguarding operations and maintaining investor trust.
Cyber Threats in Real Estate: Key Statistics and Vulnerabilities
The Cyber Threat Landscape in Real Estate
Common Threats Targeting Real Estate Portfolios
Real estate firms are increasingly vulnerable to a wide range of cyber threats that exploit both technology and human error. Phishing and social engineering attacks top the list, impacting 85% of breached organizations [6]. In these schemes, attackers pose as trusted vendors, tenants, or colleagues, tricking employees into sharing sensitive login details or redirecting wire transfers to fraudulent accounts.
Ransomware has become another major concern, with cybercriminals locking down essential property management systems and tenant portals. Many now use "double extortion" tactics - demanding payment not only to decrypt files but also to prevent the public release of sensitive data. Funds transfer fraud is another pressing issue, as attackers infiltrate email conversations about property sales or vendor payments to reroute large sums of money to their own accounts.
The adoption of smart building technologies has introduced new risks as well. IoT-enabled systems controlling HVAC, lighting, elevators, and access controls often rely on poorly secured Wi-Fi or Bluetooth connections, leaving them open to remote attacks. Sharat Kumar, Principal in Managed IT Services at RSM US, highlights this shift:
"Historically, cybersecurity efforts in the real estate and construction industry focused on traditional IT infrastructure, but the rapid expansion of IoT devices... has introduced new vulnerabilities." [12]
Data breaches targeting personally identifiable information (PII) are another significant challenge. Real estate firms handle a wealth of sensitive data, from banking details and lease agreements to social security numbers, making them prime targets for identity theft. Alarmingly, 83% of compromised data in real estate breaches involves personal information [13]. Web application attacks are also common, particularly when firms neglect safeguards like multi-factor authentication (MFA) for property management software and email systems.
These threats not only compromise sensitive data but also cause serious financial and operational disruptions, as detailed below.
Financial and Operational Impact of Cyber Attacks
The financial fallout from cyberattacks often goes well beyond the immediate ransom demands. Stolen funds, legal fines, credit monitoring for affected tenants, and extended business interruptions are just the tip of the iceberg.
Operational disruptions can be equally severe. Ransomware attacks can lock property management portals, cutting off access to essential records, bylaws, and legal documents needed to finalize property sales. When smart building systems are breached, hackers can take control of elevators, HVAC, and security systems, leading to physical disruptions that require costly emergency repairs and tenant compensation.
"CRE companies may be uniquely vulnerable to treasury management cyber risk, given the significant amounts of cash maintained on the balance sheet as well as large dollar transactions related to acquisitions, dispositions and financing of real estate properties."
Beyond the direct financial strain, cyberattacks can undermine tenant trust and reduce portfolio value. Regulatory challenges arise when breaches involve tenant PII, triggering privacy law compliance obligations, legal fees, and credit monitoring expenses. The reputational damage can drive tenant turnover and make it harder to attract new investors. For portfolios managing interconnected systems across multiple properties, a single breach can ripple through the network, magnifying both financial and operational damage. Addressing these vulnerabilities is critical for developing effective defenses.
Identifying Vulnerabilities in Real Estate Operations
Technology Gaps and Outdated Systems
Many real estate firms rely on a patchwork of outdated and disconnected technologies, leaving their operations exposed to risks. A lack of coordination between IT and operational technology (OT) teams often creates security gaps. For instance, only 43% of organizations report that senior management fully understands the cyber risks tied to industrial control systems [4]. This disconnect can leave critical building automation systems - like those controlling HVAC, elevators, fire alarms, and smart meters - vulnerable to attacks through unsecured internet, Bluetooth, or Wi-Fi connections [3][2][6].
Legacy PropTech systems and scattered data across multiple platforms further increase exposure to known vulnerabilities. Public networks and bring-your-own-device (BYOD) policies add to the problem by introducing unmonitored access points [6][5][12].
Matt Riccio, Real Estate Senior Analyst at RSM US LLP, highlights the scope of the issue:
"Global operations, mobile workforce, active sites and disconnected systems create exposure of a broader attack surface" [12].
Despite these challenges, many firms neglect basic cybersecurity measures like multi-factor authentication, session timeouts, and VPN encryption [6]. These internal weaknesses set the stage for external threats, which are discussed in the next section on third-party risks.
Third-Party and Supply Chain Risks
The real estate industry's fragmented structure creates a tangled web of vulnerabilities, making compliance and security a challenge. Each transaction involves various players - contractors, subcontractors, service providers, lawyers, brokers, and title companies - all of whom could serve as entry points for cyberattacks. Between 2015 and 2017, the sector saw a staggering 1,110% increase in email account compromise attacks, with reported monetary losses skyrocketing by 2,200% [4].
But the risks don’t stop with direct vendors. As EY Americas points out:
"Cyber risks extend well beyond third parties to fourth and even fifth parties. The more you know about that value chain, the better prepared your organization will be to stop risks as they emerge" [2].
The rapid adoption of third-party PropTech and IoT devices has introduced new, often unmonitored, digital vulnerabilities. Data breaches in the real estate sector are frequently caused by misconfigurations or misdelivered documents, which account for 18% of such incidents [13].
Marie-Noëlle Brisson, CRE, warns about the broader implications:
"The third party operational risk can very well be the tip of the data breach iceberg" [3].
Many mid-market real estate firms lack in-house cybersecurity expertise and depend heavily on third-party managed IT providers. In Canada, for example, 94% of organizations either use or plan to use managed services [1]. These external dependencies, combined with technological and human vulnerabilities, make the industry particularly susceptible to risk.
Human Error and Social Engineering
Human error remains the leading cause of data breaches in the real estate industry [3]. The sector’s susceptibility is amplified by high-value transactions, significant cash reserves, and the involvement of multiple parties at every stage [5]. Phishing attacks and mistakes by employees often lead to stolen credentials or even business failures. Attackers frequently exploit this by using email addresses that closely mimic trusted sources, tricking staff into transferring funds or sharing sensitive information [6].
Marie-Noëlle Brisson, CRE, underscores the importance of employee training:
"Human error is the number one reason for release of sensitive data. Properly training employees will do more to minimize the improper release of data than any technology upgrade" [3].
The rapid shift toward PropTech, virtual open houses, and digital payment systems has created additional security gaps. Many employees are not yet adequately trained to manage these new tools securely [1]. Ed Powers, National Managing Principal of Cyber Risk Services at Deloitte & Touche LLP, emphasizes the role of leadership in addressing these challenges:
"It is critical that CRE C-suite leadership and the board acknowledge cyber risk and cyberthreats as a strategic issue rather than as an IT or operational issue" [5].
Strategies to Reduce Cyber Risks in Real Estate
Core Cybersecurity Best Practices
Tackling vulnerabilities in the real estate sector requires more than just a strong IT system - it demands a shift in mindset. Cybersecurity must be seen as a strategic business priority, not just an operational or IT concern. As Ed Powers, National Managing Principal of Cyber Risk Services at Deloitte & Touche LLP, highlights:
"It is critical that CRE C-suite leadership and the board acknowledge cyber risk and cyberthreats as a strategic issue rather than as an IT or operational issue." [5]
A foundational step is implementing multi-factor authentication (MFA) across all systems, from tenant portals to financial platforms. MFA acts as a key defense against password-cracking attempts [6]. Combine this with strong, unique passwords managed through password managers, and avoid reusing passwords across platforms [6] [14].
Data encryption is another must-have. Encrypt sensitive communications, such as emails and financial transactions, to protect critical documents like leases. Using Virtual Private Networks (VPNs) adds another layer of security by masking IP addresses and creating encrypted tunnels for internet traffic [6] [14]. Regularly updating systems is equally important to address vulnerabilities before they can be exploited [6] [14].
Employee training plays a crucial role in strengthening defenses. With phishing responsible for 85% of breaches [6], regular fraud awareness sessions can help employees recognize social engineering and impersonation attempts. Additionally, incorporating cybersecurity responsibilities into tenant leases can clarify the roles of property owners and tenants, especially when managing building systems [5].
Of course, prevention is only part of the equation. Being prepared to respond quickly to incidents is just as vital.
Creating an Incident Response Plan
No matter how strong your defenses are, breaches can still happen. That’s why having a clear incident response plan is essential - it minimizes disruption and reduces damage. Consider this: 60% of small businesses that experience a cyberattack shut down within six months [4]. A solid response plan should include five key phases:
- Immediate containment: Quickly isolate affected systems, such as tenant portals or building management platforms.
- Assessment: Determine the scope of the breach and which data or systems were impacted.
- Transparent communication: Notify tenants and regulators promptly and honestly.
- Restoration: Recover operations using verified, uncompromised backups.
- Post-incident review: Identify and address vulnerabilities to prevent future incidents [6].
Effective incident response requires input from multiple stakeholders, including senior leadership, CFOs, and legal teams, to ensure informed and timely decisions during a crisis [5]. Developing specific playbooks tailored to different types of attacks - like ransomware versus data breaches - can streamline the recovery process.
The Department of Homeland Security stresses the importance of defining clear roles in cyber incidents:
"Leases are the primary mechanism for defining what duties facility owners and operators are required to execute versus the obligations of the building tenants." [5]
To prepare effectively, start with a gap analysis using frameworks like the NIST Cybersecurity Framework (CSF) 2.0 to identify vulnerabilities before an incident occurs [15] [5]. Regular penetration testing of platforms like tenant portals and rent collection systems can expose weaknesses that need immediate attention [6] [16]. Additionally, maintain verified backups stored offline to ensure ransomware attacks can’t compromise them [6] [14]. Finally, test your incident response plan through business continuity drills to ensure your team is ready to act when every second matters [4] [5].
Using Technology for Portfolio-Wide Security
SaaS Platforms for Secure Data Management
Technology plays a crucial role in strengthening cybersecurity across portfolios by bringing essential systems together. A well-designed SaaS platform enhances security by centralizing threat detection, enabling quicker identification of potential cyber risks.
Key measures like multi-factor authentication (MFA) and encryption are essential to safeguard sensitive data. These tools ensure that only authorized personnel can access critical information, such as tenant records, financial data, and lease agreements. This is particularly vital given the alarming statistic that real estate monetary losses from email account compromise attacks skyrocketed by 2,200% between 2015 and 2017 [4].
Platforms like CoreCast (https://corecastre.com) address these security demands while also improving operational efficiency. By integrating functions such as underwriting, pipeline tracking, portfolio analysis, and stakeholder reporting into one system, firms reduce the number of platforms that need security oversight. Fewer systems mean fewer vulnerabilities, enhancing the overall resilience of the portfolio. CoreCast also connects seamlessly with third-party tools, creating a unified security framework rather than multiple weak points. This approach aligns with concerns raised by Intelligent Buildings, who describe the industry's "systemic, embedded soft underbelly from 40 years of digital systems being designed, installed, and maintained by a value chain devoid of IT and cybersecurity expertise" [9].
Real-time monitoring across properties and IoT devices adds another layer of protection, allowing for early detection of breaches [10]. This is especially important in managing smart building systems like HVAC, lighting, and access control, which increasingly rely on interconnected networks. By combining IT and operational technology (OT), these platforms close critical gaps that could otherwise be exploited. Without this integration, building systems risk becoming entry points for attackers. The rise of "smart building hacks", where criminals seize control of heating or security systems for ransom, highlights the urgency of this issue [7][8].
This comprehensive approach also lays the foundation for leveraging AI in cybersecurity.
AI and Automation in Cybersecurity
AI is transforming cybersecurity by speeding up the detection and response to threats. Automated systems can identify and counteract sophisticated attacks much faster than human teams. Naomi Palmer, Divisional Director of Real Estate Practice at WTW, emphasizes the importance of such tools:
"You can also invest in automated threat detection systems to reduce detection and response to sophisticated cyber intrusions" [6].
With continuous 24/7 monitoring, these systems can block unauthorized access instantly, ensuring uninterrupted operations while protecting sensitive resident data [1][6]. This capability is becoming increasingly vital as ransomware attacks are projected to occur every two seconds by 2031 [11].
AI tools are also adept at spotting deceptive email patterns more efficiently than humans. With 47% of Canadian CEOs identifying cybersecurity as their top concern and 69% planning to increase long-term investments in this area [1], automation is clearly a growing priority. Automated incident response systems further enhance resilience by quickly addressing attacks and restoring operations with minimal disruption [5]. This is crucial, especially when considering that 60% of small businesses that experience a cyberattack shut down within six months [4].
Conclusion
Cyber threats are no longer abstract risks - they're directly targeting real estate portfolios through smart systems, third-party vendors, and phishing attacks. The numbers tell a grim story: small businesses often fail after breaches, and monetary losses in this sector have surged dramatically. These aren't just IT challenges; they're strategic risks that threaten asset values, tenant trust, and operational stability. In today's landscape, cybersecurity must be treated as a core business priority.
This shift starts at the top. As Bob O'Brien, Global and U.S. Real Estate Leader at Deloitte & Touche LLP, highlights:
"Strategic and business performance objectives should take cybersecurity into account, with the goal of making the company secure, vigilant and resilient" [5].
To achieve this, companies need to adopt proactive measures: multi-factor authentication, regular security audits, employee training to spot phishing attempts, and well-practiced incident response plans. These steps form the backbone of a solid defense strategy.
Streamlining operations into secure, unified platforms like CoreCast (https://corecastre.com) also plays a critical role. By reducing the number of systems, companies minimize potential vulnerabilities while gaining real-time monitoring and automated threat detection. Encryption and other advanced defenses further bolster security.
The real estate industry must rethink its identity in the digital age. As Marie-Noëlle Brisson of SONRO Real Estate Services LLC aptly puts it:
"We must consider ourselves IT companies that do real estate, rather than real estate companies that handle sensitive information" [3].
This isn't just a mindset shift - it's a necessity. With 69% of CEOs planning to increase cybersecurity investments [1], it's clear that digital trust is now a cornerstone of property value in a world where real estate and technology are inseparably linked.
FAQs
What steps can real estate firms take to protect their portfolios from ransomware attacks?
Ransomware poses a serious risk to real estate firms, as it encrypts files and demands payment for their release. These businesses are particularly attractive targets due to the sensitive data they handle, including tenant information, lease agreements, and financial records. Many firms lack dedicated IT security teams, leaving them exposed to common attack methods like phishing emails and weak password practices. Successful attacks can disrupt critical operations, such as accounting systems or even smart-building controls.
To reduce the risk of ransomware attacks, firms should focus on the following measures:
- Pinpoint critical assets and vulnerabilities: Conduct a detailed risk assessment to identify key systems and prioritize their protection.
- Enhance access controls: Implement multi-factor authentication, restrict user permissions, and segment networks to contain potential breaches.
- Maintain offline backups: Regularly back up essential data and test recovery processes to ensure they work when needed.
- Educate employees: Provide training to help staff spot phishing attempts and practice safe email habits.
- Stay current with software updates: Quickly address known vulnerabilities by keeping systems updated and deploying necessary tools.
Leveraging platforms like CoreCast can further bolster cybersecurity efforts. These tools integrate risk data, automate compliance reporting, and deliver real-time alerts, enabling firms to respond quickly and effectively to emerging threats.
How does employee training help reduce cyber risks in real estate?
Employee training plays a vital role in shielding real estate firms from cyber threats. Regular, role-focused sessions equip staff to recognize and counter common attacks, such as phishing - one of the top causes of data breaches. By learning how to spot suspicious emails, confirm sensitive data requests, and adopt secure password habits, employees can help prevent incidents like ransomware attacks or data theft.
Training goes beyond simply raising awareness. It reinforces compliance with industry regulations and internal policies, fostering a sense of accountability. When employees grasp the potential consequences - like the loss of client data or millions in revenue - they’re more likely to adhere to cybersecurity best practices and report anything unusual without hesitation. In many cases, a well-prepared team serves as the first and most effective defense against ever-changing cyber risks.
Why is multi-factor authentication important for protecting real estate data?
Multi-factor authentication (MFA) plays a key role in protecting sensitive real estate data by adding an extra layer of security beyond just relying on passwords. Here's why it matters: even if a password falls into the wrong hands - say, through a phishing scam - MFA steps in as a safeguard. It requires an additional verification step, like entering a code sent to a trusted device, making unauthorized access much harder.
This extra security measure helps protect critical information like tenant details, financial records, and other valuable assets. It not only reduces the chances of costly data breaches but also helps ensure compliance with modern cybersecurity standards. Implementing MFA is a simple yet effective way to strengthen the security of your real estate portfolio.
