
The Internet of Everything consumes both you and your real estate business

By: Bertrand Milot, CISM, CRISC, CRMP, CRMP-F, PCSM, C|CISO, ISO 27001 LA, C|BP, Vice President, Risk, Performance and Technology Advisory Services

Fifteen years ago, the famous French entrepreneur Benjamin Sonntag surmised that “if the service or product on the internet was free or almost free… you were the product” being consumed. This maxim, and others like it, helped develop the concept of the “Internet of Everything”.

What do we mean by the Internet of Everything (hereafter IoE, which goes well beyond the “IoT”, a.k.a. the Internet of Things)?

Answer: anything that is “smart” and/or “connected”. The Global Standards Initiative on Internet of Things (IoT-GSI) has defined IoT as “the infrastructure of the information society.”

Now how is this connected to concrete structures and the real estate industry? In a recent Forbes article, Casey Talon noted: “Whatever business you are operating inside a commercial building, if you aren’t collecting, storing, using, and learning from data, then you are not doing your job”[1] – i.e. you are not fulfilling its true potential, effectiveness and return.

Lately this market has exploded with tools aimed at improving or connecting specific Building Management Systems (BMS) – everything from HVAC, lighting, and physical security, to Real Estate next-gen marketing (based on the neuro-science trend) to users, potential tenants, hotel guests, retail customers, etc.

The main focus thus far has been, as Talon pointed out, “Capitalizing on IoT for Fully Occupied, High Value Commercial Real Estate”.[2] The Commercial Real Estate industry (CRE) has developed new abilities and functionalities to keep up with the technological landscape and to remain competitive. Like any other advancement in technology, these advances were supposed to work in alignment with real estate business objectives and to expand revenue streams. For example, in LEED-certified buildings, a fully-connected building permits smart temperature adaptation by correlating real-time data on factors like: number of people present, sun rays and orientation, air flows, time of day and computers’ electrical consumption / heat production. Thanks, IoT! IoT can also ease CRE transactions to create more “pay-as-you-go” and “automatic-rent-out” type models, even for long-term rentals (with hoteling and flexible offices and related services). In fact, a 2017 report from IDC (International Data Corporation) estimated that IoT spending would reach $1.29 trillion by 2020.

Bigger investment for bigger revenue in smarter buildings is an ambitious and significant undertaking. While it has its advantages, questions and concerns remain. Who, exactly, is consuming the personal data and monitoring privacy: the landlord, the IoE itself, or maybe a third-party cloud services provider? Who is the real custodian of this privacy? Are landlords mature enough to handle and protect all this data? Would our CRE businesses suffer if our connected buildings are judged as real “cybersecurity strainers”? Ultimately, what happens if data is hacked, stolen or lost? No LEED certification or responsibility transfer to your IoT providers will help an owner or manager rebuild reputation and loss of trust.

These risks have necessitated obligatory cybersecurity audits, verifications and challenges, and consequential safeguard development. A global international airports cybersecurity benchmark in early 2016 shows that one of the key and most difficult challenges that airports were facing was the ability to ensure cybersecurity across industrial control systems technologies, as well as end-customer marketing and transaction systems (Duty Free shops, advertising technologies, etc.).

In February 2014, the Federal Trade Commission settled charges against a major IT network and security product vendor where connected security cameras, unsecured passwords, and unprotected surveillance feeds were negligently exposing vast amounts of customer data and thus violating customers’ expectation of privacy. In this case the property owner of a major commercial building who had selected, installed and operated this model of physical security equipment suffered immense reputational damage and litigation risks – this person was taking the real day-to-day hit for these customer data breaches.

Another risk has been the migration to cloud technologies, which permits the consolidation of business data and processes in a central point through software suppliers who store data virtually. Your company’s confidential data could be sitting right next to your competitors’ data. Think about your leases, operating data, billings, tenant marketing and correspondence, broker agreements, etc. Do you know why it is called “cloud”? Because the concept is easy and cool to illustrate, but its functions, contractual clauses, controls and architecture are very nebulous.

Cloud software was meant to be more cost-effective and help eliminate duplication of internal, bulky IT services. But how do you change from one provider to another? Who accesses your data? Will you be warned if your cloud provider is under attack? Do you have the right to audit your provider? Is your cloud provider certified? How many layers of other cloud providers is your direct cloud provider using? It seems that only once data has moved to the cloud are these questions being raised. Were risk analyses, governance requirements and functional impacts ever considered?

Contractual clauses are not efficient or strong cybersecurity controls, as they only provide potential rights to claim financial compensation in case of an incident and/or litigation. Most cloud providers offer their services “as-is” and without any proper, tangible and measurable Service Level Agreements. To be more flexible and easy to deploy, major IoTs are functioning in conjunction with cloud or Software-as-a-Service solutions. So the questions remain: “Will YOU be able to detect a cyberattack?” and “will you let your customer data be ransomed or breached?”

Recent heavily-publicized cyberattacks undertaken by a variety of global actors have shown us that we are all targets and thus future victims. The only difference between two targets and two victims is the level of consciousness and preparedness. Victims chant a litany of: “my business, rents, tenants, leases are not big enough or interesting enough for a cyber-fraudster to select as the target of an attack”. This belief has been proven to be a very dangerous and erroneous assumption. Hackers love easy targets; any unsecured, immature or uncontrolled technological infrastructure is vulnerable and considered a good playground for a cyber-criminal. The objective of these fraudsters is to make money with user data, including rental to other fraudsters of hacked IT infrastructures, cloud applications and IoEs. Complexity and multiplication of IoTs in infrastructure are very plausible entry points for those fraudsters. How do they choose their victims? They choose the one with patchwork IT systems involving many different kinds and generations of technological ecosystems, which are very difficult to systemically control and maintain. Thus, landlord and owner legacy systems with a variety of upgrades, modular add-ons, and/or third-party enhancements are (potentially) the most vulnerable ones.

If your next question is: “Why aren’t these cloud, IoT or IoE products more secure, if they are so critical to dealing with such sensitive data?”, the answer is easy: market pressure. Market pressure has engendered natural technological and security immaturity. Those technologies are sold “as-is” from a security standpoint; the real data custodian, the user of the IoT platform or device, is responsible for securing its use.

With such “smart-everything-we-touch-and-use” things making their way into our everyday work and lives, our vigilance is slowly vanishing into a “no-other-choice” cognitive model or “evolve-or-die” decision-making mindset. All of the interconnected and converging real estate assets and “short-term” strategies are drastically increasing owners’, tenants’, lenders’ and managers’ cyber-risks.

Any solution? Yes. Like many information technology issues, the gap comes from an architectural problem. Of course, IoT and by extension IoE can reduce operating costs in areas such as energy, repairs, maintenance, waste, and administration, but as explained in this article, it will also extend your critical business and private data ecosystems. In order to properly safeguard these sensitive ecosystems, cybersecurity needs to be integrated into ALL technologies’ architecture, design and operation process AND into your company’s strategic plan. If this is not the case, it will need to be wrapped into or by a security service provider, like a CASB (Cloud Access Security Broker). You cannot rely solely on easy and simplistic ad-hoc standalone security controls or measures integrated in each IoE dealing with your CRE data. It must be a holistic and coherent cybersecurity approach.

It is possible to safeguard this ecosystem, but this business-critical information ecosystem needs to be well known and understood in order to be properly secured. Otherwise: if you don’t know the critical data you are creating, storing, using, modifying and transmitting, how do you know that it’s safe? If you are not using it currently, does anyone else have access to it through its whole lifecycle? Best to leave IoT security questions to real cybersecurity architects so as to not put your business’ reputation in jeopardy.

Artificial Intelligence, Virtual and Augmented Reality and blockchain / cryptocurrencies are the next trends emerging and converging. These advancements are meant to stack over, and not next to, the IoT and IoE security issues and complexities. Smart cities force smart buildings to emerge, but unfortunately even those projects do not put sufficient emphasis on cybersecurity and data consumption. Data breaches and stolen data are being more and more publicized on the DarkNet. The sources of these breaches point to IoT equipment and technologies (the website Shodan.io presents exposed and unsecured IoTs and Industrial Control Systems on the internet). Will your buildings and businesses be the weakest link?

All real estate owners, managers and tenants must vigilantly and constantly challenge and monitor: are your buildings and business an actual, real cybersecurity strainer? Appropriate, consistent, and evolving vigilance and good governance will never be a barrier to your business development. As we move to a more connected world, prove to your tenants, stakeholders, investors and partners that you pay great attention to the sensitive data in your custody.

 

 

[1] “Can IoT be a New Competitive Advantage to Commercial Real Estate”. Forbes. August, 2017. https://www.forbes.com/sites/pikeresearch/2017/08/31/can-iot-be-a-new-competitive-advantage-to-commercial-real-estate/#3b761013a637

[2] “Can IoT be a New Competitive Advantage to Commercial Real Estate”. Forbes. August, 2017. https://www.forbes.com/sites/pikeresearch/2017/08/31/can-iot-be-a-new-competitive-advantage-to-commercial-real-estate/#3b761013a637
