From  smart metering to intelligent lighting and alarm systems to networked high-resolution video cameras – new technologies offer the real estate sector enormous potential for development. “A better understanding of user behaviour allows better and more sustainable building management”, says Thomas Müller, Head of Digital Transformation at Union Investment Real Estate GmbH. “Improving the ability to assess data leads to better analytical capabilities and therefore also to smarter decisions on fund and asset management.”

The real estate sector generally holds large amounts of information from different sources and its potential has not been fully tapped. However, thinking about data protection and data security is at the same stage: “No best-practice approaches to security and data protection issues have been developed, so careful handling and the integration of information security and data protection represent a critical security measure,” says Thomas Müller.

Data protection requirements are increasingly important when using technical innovations, as well as when performing conventional data processing operations in the real estate sector, such as letting or real estate transactions. There is a great deal of uncertainty about this. For example, a company that lets apartments in Vienna cited data protection as the reason for its plans to anonymise some 220,000 doorbell nameplates. Even if that’s taking things to an extreme, data protection laws are highly relevant for many parts of the real estate industry, and it is an absolute necessity for the industry to comply with those laws – not least to avoid difficulties with the data protection authorities and the potential for hefty fines.

Real estate sector exposed to IT risks

Of course, companies in all sectors of every industry must protect sensitive data against being hacked by outsiders. The number of attacks from cyberspace in every sector continues to rise, according to a study by the IT association Bitkom. According to it, more than eight out of ten of the companies surveyed (84 percent) say that the number of cyberattacks has increased over the past two years.

In the real estate industry, the most critical areas are data on user behaviour and the increased networking of buildings, because the associated technologies and their very short development times result in considerable risks when automating buildings. “Major security loopholes have been found in almost every product type over the last two years alone”, says Marco Wichtermann, a data protection expert at Union Investment. “Even safety devices such as fire and burglar alarm systems, as well as video surveillance cameras, are vulnerable,” he says.

The real estate sector also has a duty to enhance its technical, organisational and personnel-related security precautions.

Networked systems – from smart access control to building automation – are at particular risk of outside interference, warns Heiko Ruppel, who manages the Information Security Office at Union Investment. Access to relevant data offers a major competitive edge, given the lack of transparency on the market, he says.

An incident in the United States shows the serious risk the real estate sector is facing: the real estate title insurance company First American Financial inadvertently exposed an inconceivable 885 million records dating back 16 years online because the documents had not been adequately protected. This included confidential information such as social security numbers, driving licence data and account statements for private individuals, and in some cases – when the contractual partner was a company – internal company documents.

Cyberattacks getting more complex

Given cases of this kind, the real estate sector also has a duty to “enhance its technical, organisational and personnel-related security precautions”, urges Achim Berg, President of the IT association Bitkom. There is no improvement in sight and all sectors are affected. According to the study, 82 percent of responding companies predict that the number of cyberattacks will increase over the next two years – causing immense economic damage.

By this time almost all companies use virus scanners, firewalls and password protection to ensure the IT security of their equipment. But this garden-variety protection no longer offers adequate protection as the hacking of IT systems becomes more complex, says Berg. 

Corporate IT security must be constantly updated if it is to be sufficiently robust against new risks. But IT security means far more than installing technical systems like firewalls, says Peter Lotz, an attorney and partner at the Mayrfeld firm in Frankfurt am Main. “It requires integration into a security process that must be initiated, organised and implemented in a focused way in each company.” After all, data theft can result in more than just economic damage; it can also lead to a loss of confidence in a company. This kind of harm to a company’s image is a soft factor with a major impact. If customers or business partners start to perceive a company or its products as unsafe, it’s hard to dispel those feelings.

“From a technical and organisational viewpoint, I expect the first step to be an integrated security concept that is reviewed at least once a year to verify its suitability and effectiveness and that also includes a clear definition of the need for protection”, says Friedrich Wimmer, Head of IT Forensics & Cyber Security Research, Corporate Trust Business Risk & Crisis Management. He adds that effective technical measures must be instituted in areas such as data storage and backup, hacker resistance and security monitoring. And finally, “you have to get the people involved on board and train them appropriately”, says Wimmer. The fundamental truth is that no system is safe unless its users fulfil previously agreed standards – and human error is still by far the most frequent cause of data security breaches.

IT risk management increasingly important

That’s why real estate firms are also according greater importance to IT risk management, including for reasons related to supervisory requirements. “The information security/risk manager is a standing member of our Risk Committee”, says Thomas Müller of Union Investment. As the complexity of technical processes increases and many different service providers are used, there is a risk that an adequate level of security and data protection cannot be maintained. “This also involves the risk – not to be underestimated – of a loss of control and of unauthorised access”, warns Thomas Müller. Given the long tentacles of 21st century tech companies, there should be limits to the amount of information shared with third parties such as partners and service providers. And protection against “Web crawlers” is also advisable, recommends Union Investment expert Marco Wichtermann. “That will prevent the unauthorised aggregation of a company’s data,” he says.     

Following some very simple rules can also minimize the risk of becoming the victim of data theft. When unlocking mobile devices, for example, people should remember that passwords being input in unsecured areas can be filmed, says IT security expert Wimmer. “It’s simple to avoid this risk by lowering your laptop cover a bit when entering passwords.” Technical solutions such as fingerprint sensors may also be helpful. “Unknown certificates and warnings should not be accepted, and privacy filters for laptop screens should also be used.” They help keep passengers seated nearby in the train or plane from seeing the screen.

“The widely-held view that instituting security measures always involves major investments in technology and security experts is not necessarily true”, says attorney Lotz. “What counts is common sense, a well-planned security strategy and employees who act independently to comply with security requirements.” As those requirements are fulfilled, any necessary decisions about further steps may be taken. According to Lotz, what is needed is “to strike an appropriate balance between legal requirements on the one hand and what is technically feasible and necessary on the other”.

By Harald Czycholl

“Employees’ awareness and risk-consciousness must be increased”

Johanna M. Hofmann on IT security strategies, laws and regulations, and increasing employees’ awareness of the challenges involved in the digital world of work

places and spaces: From data theft to industrial espionage, companies in every industry are increasingly exposed to cyberattacks. How can we protect ourselves against them?

Johanna M. Hofmann: The type of attack really doesn’t matter to victims when they have to cope with the after-effects. The top priority will then be to limit the damage. So one thing must be perfectly clear: safety measures to stop attacks on confidential data before they occur – or at least make them more difficult – must be instituted promptly. By instituting appropriate IT security measures, companies can prevent the loss of data and also avoid liability and the threat of massive fines.

In what areas do companies need to make up for lost time where IT security is concerned?

It is impossible to take IT security too seriously. Companies should not simply turn a blind eye to this issue. There is often a need to play catch-up in this area, particularly given all of the advances in the field of information technology. Hackers and their methods are progressing inexorably. That means companies must constantly update their IT security so they will be able to avert new threats.

What should an IT security strategy in a company look like?

IT security affects every department in a company. Everyone should pull together in this area. At the same time, the impetus must come from above. Incentives can be a good way to motivate individual departments. In any event, responsibilities should be clearly assigned and there should be one contact person for issues related to IT security. Regular reviews, monitoring of systems and updates are essential. Employees’ awareness and risk-consciousness should also be increased.

Employees are often seen as a risk factor. What can be done to increase employees’ awareness of IT risks?

Human error has been and continues to be by far the most frequent cause of data breaches. This problem can be tackled by offering training and information. Machine learning can also help a great deal to reduce sources of error. Companies have a duty to do their best to protect their employees from the hazards of the digital world.

Are stricter laws and regulations needed to guarantee IT security?

The existing rules and regulations are indeed strict enough. It is nowadays up to the companies that process data to implement them properly, which is in their own interest. Of course, users often don’t know what abstract IT security requirements mean for them in concrete terms. 

Certificates, opinions and technical guidelines from agencies such as the German Federal Office for Information Security (BSI) can help bring vague legal concepts to life so people can comply with them. In that respect, the supervisory authorities have an advisory role to play in addition to their responsibility for enforcement. Companies should ask their supervisory authorities for advice; anonymity can be ensured by getting a lawyer to ask the question on the company’s behalf.

Conversation with Harald Czycholl.