Managing 21st-century Cyber Risk Before It Manages You

Fall 2016

Commercial real estate industry leaders must understand and be prepared to respond to the challenges presented by global terrorism and cyber risk.

SUCCESSFUL BUSINESS leadership today requires more than a great vision and financial management skills. Of course, those abilities remain very important. But an increasingly complex 21st-century threat environment is changing what it means to be a business leader, whether you run an established Fortune 500 corporation or an entrepreneurial startup.

Today’s business leaders can be sure of two permanent conditions. The first is the scourge of global terrorism. The attacks in Paris, San Bernardino, Brussels and Istanbul are just a few of the most recent stark reminders that the ideology that produced the September 11, 2001, attacks has not abated.

The second permanent condition, with trends of increasing complexity, is cyber risk or what I call “the digital forevermore.” The cyber domain offers criminal organizations, hacktivists (those who break into computer systems for politically or socially motivated purposes) and even terrorists and nation-states new methods of attack, new tools to communicate and new weapons to carry out their plans to steal, attack, disrupt and destroy.

Commercial real estate is not immune to the challenges that these conditions pose. Industry leaders who understand and prepare for the potential impacts of both of these conditions will not only better protect their tenants, customers and investment partners; they will put themselves at a competitive advantage in the marketplace.

A Modern Leadership Challenge

Over the last two decades, technology has transformed business at a pace never before seen. Most business leaders today utilize smartphones, electronic tablets and social media platforms to conduct business without a second thought. But behind the laptops, mobile devices and apps is an interconnected domain that not only brings speed, convenience and efficiencies. It also creates vulnerabilities. An entire business can be put at risk by these vulnerabilities, so executives can no longer ignore the implications.

Here are a few key questions to consider:

Where and how is your most sensitive information stored? Personally identifiable information (PII) such as client financial data and employee records as well as business plans, strategy documents and internal communications can all be found on your networks. 

Who has access to your systems? Are third-party business partners, contractors and vendors connected to your networks? What about former or terminated employees? Do you have policies for access? Who manages that access?

Do your employees understand their digital responsibilities? Have they been trained about risk avoidance and company policies for online behavior? The human factors of cybersecurity can be as threatening to our cyber defenses as the external actors who seek to exploit them. We must be persistently introspective and assess how we manage internal threats to our information networks regardless of size.


Tom Ridge

Do your physical security and information technology personnel collaborate? Physical security breaches can lead to a cyber breach and vice versa.  

What happens if you are the victim of a cyber breach? Do you have a response plan? What messages will you communicated to your clientele? How will you continue business operations? Do you have cyber insurance?

These are just a few critical questions. Many are not technical in nature, but all are consequential to your business. 

What is on your networks is your business. This means that cybersecurity cannot be viewed simply as an IT problem to be delegated. It is a contemporary business culture proposition that carries equal importance throughout your organization’s workforce. But the buck stops in the C-suite and with the board — a fact that has not escaped federal and state regulators or litigators. 

The Continuing Scourge

The World Trade Center and surrounding office buildings were targets for al-Qaeda on 9/11 for what they represented: our economic freedom and the American way of life. 

The built environment is much more than just buildings, roads and bridges. It is a driver for the U.S. economy. NAIOP’s most recent figures show that construction of buildings as well as infrastructure such as water and sewer systems, highways and power systems contributed nearly $3.2 trillion to U.S. gross domestic product (GDP) and supported more than 22 million jobs in 2015. (See “Economic Impacts of Development Reach $450 Billlion in 2015.”) 

The adherents of al-Qaeda and those directly affiliated with or indirectly inspired by other rising extremist organizations such as the Islamic State group, understand that the economic strength of America is its backbone. As we have seen in the Western world, they will continue to pursue so-called “soft targets” such as transportation hubs, sporting venues, restaurants and office buildings. Sadly, almost by definition, democracies are soft targets.

Even if you already have vigorous security operations, training programs for security personnel and response plans, now is a good time to review them. Are exercises — ones that include the engagement of company leaders — part of your security and preparedness programs?

It is also wise to evaluate critical relationships for prevention and response. Do you have established contacts with local law enforcement and emergency response agencies?

Is your organization actively involved with the Real Estate Information Sharing and Analysis Center (RE-ISAC)? NAIOP is a member of the RE-ISAC, a not-for-profit information-sharing entity that serves as a critical conduit for sharing threat information between the commercial real estate sector and the federal government, as well as for building best practices for security and resilience. 

Risk and Reward

Contemporary risk management goes far beyond limiting financial risk and avoiding poor investments. The ability to reduce risk and to bounce back in the face of man-made or natural hazards makes companies better business partners and more attractive to clients and tenants. Security and resilience capabilities, therefore, can be differentiators in 21st-century business. 

Even though every attack, whether in the kinetic or cyber domain, cannot be stopped, we do not need to be breathless about the threats we face. We can reduce the risk. We do need to be prepared. We simply must manage the risk, before the risk manages us.