Risky Business: 10 Things to Know About Information Security for CRE Investment Firms

Everything from a simple oversight to a sophisticated malware exploit could prove costly.

The commercial real estate industry is in the midst of a transformation. The influx of big data and the ubiquity of information have contributed to the rapid adoption of commercial real estate software services. According to Deloitte, investment in real estate tech start-ups recently hit $33.7 billion, up from $2.4 billion in 2008. Yet with more data—and more value at stake—come new risks.

Critical deal information, financial models, tenant information and proprietary research are valuable resources in the commercial real estate industry. Everything from a simple oversight to a sophisticated malware exploit could prove costly. BNP Real Estate, for instance, recently got hit by a particularly virulent strain of ransomware that caused significant downtime.

Whether it be from careless handling of data or malicious activity, these risks can compromise transactions, or worse, irreparably harm the company’s returns and reputation as a professional and trustworthy fiduciary.

To protect data assets and deliver the enterprise risk management that modern institutional investment requires, these 10 items should be top-of-mind:

  1. Establish appropriate access rights

Access privileges should be clear, standardized and managed intentionally. Privileges beyond the purview of an employee’s function and responsibilities introduce risk. To benefit from collaboration without sacrificing security, you should put careful thought into how access rights will be granted and maintained.

  2. Enforce proper authentication protocols

To help ensure that people are who they say they are, and that corporate access is up-to-date, there should be a strict user authentication process in place. In particular, two-factor authentication, strong passwords and single sign-on (SSO) are effective best practices. These protocols are a crucial line of defense against malicious actors attempting to access sensitive data and against unintentional delays in updating systems to reflect corporate changes.

  3. Maintain an audit log

Even with the appropriate access rights and a robust authentication system, the accountability of knowing who did what, and when, is a valuable tool. Accidental changes, purposeful transmissions and regular operating activities are all captured, thereby reducing moral hazard, enabling better identification and improving remediation protocols.

  4. Keep diligent records with a data retention policy

Whether you’re subject to FINRA compliance or not, data storage is cheap and historical information can be very valuable in a variety of common situations. Create a data retention policy and enforce it, or risk hefty fines, disciplinary actions, missed insights and lost value.

  5. Have a documented disaster recovery plan

Companies need to equip themselves with a recovery plan in the event of a data breach or critical data loss. To take a proactive stance, automated system availability, network monitoring, incident response protocols and communication procedures should all be in place well before they’re needed.

  6. Leverage redundancy in data centers

Distributed data centers across multiple regions allow firms to remain resilient in the face of system failures, natural disasters or other worst-case scenarios. By outsourcing to professionally maintained and distributed data centers, firms can protect their data without having to worry about logistics such as system maintenance and compliance with location-specific requirements such as the EU Data Privacy Directive.

  7. Secure physical locations of data centers

As more companies move their data to the cloud, they can take advantage of secure data centers rather than on-premise server rooms. The physical access to these data centers should be strictly controlled, with a professional security staff, video surveillance and intrusion detection systems. Other considerations, like climate control and two-factor authentication for staff, should be accounted for as well.

  8. Encrypt data at rest

Encrypting data at rest is a critical aspect of a comprehensive enterprise security strategy. A secure data storage provider should have SOC compliance and meet industry standards with 256-bit (bank grade) encryption.

  9. Encrypt data in transit

Data being transmitted across the internet or a local network must also be encrypted at all times. Industry best practices recommend that all data in motion be encrypted via 256-bit (SHA2) TLS certificates, and the connection itself should be encrypted via HTTPS, SSL or FTPS. In addition, companies should implement network security controls such as firewalls and endpoint solutions to protect data in motion from malware and exploit kits.

  10. Conduct regular reviews of data services and security policies

Data services and security policies aren’t meant to be static. They need to be reviewed, updated, and modified as your company and its data evolve. A regular review of current procedures should be at the core of any sound information and data security strategy.

While the proliferation of data in the commercial real estate industry has unlocked substantial value, it has also created an urgent need—how to structure, secure and maintain a vast amount of data in an industry that historically hasn’t had to invest in data risk management and cyber security. But with a centralized data management platform, intentional access controls and robust encryption, commercial real estate firms can mitigate risks and maximize the benefits of their data assets.

Mike Sroka is co-founder and CEO of Dealpath, a software company focused on commercial real estate.
