Episode 6: Cybersecurity and Your Real Estate Business

Posted on: January 7th, 2021 by Real Estate Accountants

In episode 6 of our Talking Real Estate with Peter and George video series, George Dube and Peter Cuttini talk cybersecurity and
the importance cybersecurity plays in real estate, investing and construction with Vivek Gupta, BDO’s cybersecurity and forensic expert.

George:

Good day. This is George Dube, Peter Cuttini [inaudible 00:00:13] are talking real estate segments. And today we have the pleasure of chatting with one of our partners, Vivek Gupta, who is, and I have to look at our screen here. It’s a really, in my mind, an impressive title I got Vivek here, but for BDO, you are our national leader for cyber security and forensic technology services. It’s a bit of a mouthful, but I had the pleasure of talking, I guess it was a month and a half ago or so. And we were talking about real estate clients, construction clients, where, what should they be focused on? What should they be aware of? It’s not necessarily something that someone who’s investing in real estate or developing thinks about. They’re focused on real estate for the most part. They’re not necessarily thinking about cyber security. So maybe I’ll just kind of start off and ask you what type of issues should they be working with you and your team on if they are an investor, a developer, construction trades, and I’ll let you take it from there.

Vivek:

Thank you George and Peter for having me for this session and thanks for the kind introduction as well. So, when it comes to talking about cybersecurity, the sort of approach that I take to advise our clients is always starting from the fact that, do you know what is it that you want to protect? Or do you know what others may want that you have in your possession and you would be at a loss if a hacker or a bad actor were to get access to it? Oftentimes what I see in the market is, there are so many different boutique firms and other cybersecurity outfits that just reach out to you trying to sell services without necessarily getting a context of your business and without really understanding what is it that is worth protecting. So the way we sort of approach our clients or we try and advise our clients in terms of who to go after or services to procure when it comes to cybersecurity is be first mindful of identifying, what is it that you want to protect?

Where do you have it stored? Who will have access to it? And how can that information be accessed? So any business, be it real estate, and if there are investors, and if it is a construction business, you first have to sort of ask the question, is there data that is important to me or sensitive or critical in nature that we are exchanging with other parties, be it within your own business or with other third parties who have internet? If that is the case, then you certainly need some sort of cybersecurity services to make sure that your IT environment that you have in place has the right level of cybersecurity controls in order to be able to protect that data. Now, there used to be a saying in the cybersecurity world that a cybersecurity breach is not a matter of if but when. It’s an eventuality for sure. It has actually gone a step further. Nowadays, I like to actually even say, it’s not even a matter of when, chances are any organization has already had a breach and they just don’t even know it.

There was recent research done and a paper was written all about it that it takes an average of five to six months for any organization to even realize that their network or their systems have been breached and someone had been accessing that information without anyone knowing about it. So, [crosstalk 00:04:09] it’s a scary world out there. And with the technology advancements with the digital systems out there with the RPA, machine learning, even the hackers are becoming more and more sophisticated and they are utilizing the same technology to create different ways of accessing more than one. So, it’s easy enough for the hackers to get hands on this sort of technology and that means we as organizations have to up our game to be able to protect. Now for businesses that are not traditionally in the technology sector or the financial services sector, the thought process used to be, well, I don’t really have to do much because I’m not in a regulated industry, but you really have to think about what type of information do I have.

You might have financial information. You might have personally identifiable information, like name and social insurance numbers. Even if it is of your own employees. You might have intellectual property or trade secrets or deals that are about to happen that could have a financial impact or credit card information, as a matter of fact. You do need to protect all of that. And so organizations again [inaudible 00:05:30] about right now should really consider, could it be the drawings of a net new project that is coming out? Would that be considered critical? And if it is critical, do I need to protect it and how am I protecting it? Especially if you’re responding to bids of contracts. It would be very important for you to save that sort of information before you go to tender or you respond back to a tender. So we advise our clients to really understand one, what that information is worth to a user and where are they located to be able to actually help you consolidate your spend.

There is a myth out there that cybersecurity services are very expensive. Yes, they are expensive if you don’t necessarily plan well. So we help our clients to again, identify what they want to protect. And then, so that this way we can consolidate their spend. If you’re trying to protect everything, obviously you will be paying a lot more money. The way I look at it is, if the control that is going to be implemented to protect the asset is more expensive than the asset itself, then maybe that asset is not worth protecting. So using that lens, we help you first identify and then so that you can have them in one sort of central place or multiple places but put the control only to protect that information. The services to start off with should be doing a quick health check or discovery session or a diagnostic, where there are three components to cybersecurity, it’s the people component, the process controls component, and then the technology.

So people component is the weakest link. Typically you could have made hundreds of thousands of dollars of investment into cybersecurity controls but all it takes is one person to click on a link and an email that they shouldn’t have clicked on. So it’s important to make sure that you have a cybersecurity awareness culture throughout your business. It is not just a responsibility of the IT department or the CIO. Cybersecurity is an enterprise wide, I would say responsibility. So a CFO needs to know what to do and what not to do. They have to have that general at least level of awareness. So does an end user on top of all the other IT folks that are part of your organization. So that should address at least the people component.

Then it’s the processes. So you might think that a small organization or a startup, they are more focused on just operating their business and the processes will come as they mature. What my suggestion is, you have to start putting the processes as you’re setting up your business so you are set for scalability. Because any business that you’re starting, again, the angle is going to be to scale the business, to make it bigger. You might have five people today, but you might be in a position to have 50 people tomorrow or 500. So if you have the processes upfront, which according to what, as an example, let’s talk about logical access for any new user or employee that you hire. They should only be given access appropriate based on their role. And only the appropriate individuals within the organization should have that privileged access to create access or the work access.

Not everyone should have admin privileges into the system. So like this there are 18 other domains in cybersecurity overall, like logical access, then there’s network security, there is encryption. Not all 18 would apply to every business but when you’re doing a process assessment, you would be on a discovery session with folks from BDO to see what’s applicable to you. And then a process assessment of your cybersecurity controls should be done as a first step. This is something that we call cyber diagnostic or cyber health check sort of an engagement.

And then the third aspect is technology. It depends on what type of technology stack you have in place. It’s a low hanging fruit. We can do offensive security engagements, as in a common name for offensive security engagement called an attack and a penetration test. Basically the whole idea of a pen test, it’s called an ethical hack.

So we would see what a hacker sees when they are trying to target your organization. We would simulate an attack. We will actually scan your network and your assets for vulnerabilities. And then we will give you proof that we are able to exploit it. The point of this exercise is, once we were able to identify vulnerabilities, and more importantly, we are able to exploit those vulnerabilities, we will give you recommendations on how to patch those. What it does is it makes it that much more difficult for a hacker to gain access. Because otherwise these are obvious open doors for any hacker to take advantage of and get into your environment and steal data without you even knowing. And they can induce ransomware or malware or other Trojans into your environment, utilizing those back doors. So you would want to do a process assessment as a first step. And you would also, as a part of your process assessment, the team would be able to understand what your technology infrastructure looks like, and can recommend an appropriate size of a pen test for your organization. So, those are the-

George:

Sorry, it sounds like then, and correct me if I’m wrong. So if we come in, we have this health check done, your ethical hack, provide the report. Maybe I can’t implement everything, is there kind of a plan that you can say, here’s the highest priority items and now over the next X period of time, we’ll implement type of thing?

Vivek:

Absolutely George, that’s a very good question, very good point. So what we do is, so when we come in and do a health check, it’s not just to give you an idea of what’s not working. Because, yes there’s a lot of value in knowing what is not working, but the value add really here is making appropriate recommendations on how to address it. So what we do as part of our report is we will identify what are the critical or high severity findings. And then when we are building or drafting the recommendations for you, we give you a prioritized action plan. We can also tell you how much effort it would take to implement any of those recommendations. Now, at that point, clients can decide whether they want to utilize the help of the same team to help them implement those recommendations, or they can implement some of those recommendations on their own if they have that level of talent in-house, or they can choose to go with the firm and we’ll handle it all together. But we can at least help you with a very detailed set of recommendations that you can take and try and implement yourself.

The recommendations will come along with the level of effort it would take to implement that recommendation. And the effort is not just in terms of the time it will take but we can also provide you an estimate of cost at that point. Another thing we do is we will [inaudible 00:13:10] So, some recommendations are as easy as you changing a setting within your current systems. That is easy enough, you can go here and make the changes. Those are, I will call, low hanging fruit, go ahead and make those changes. Those should be a week long exercise for your own team to get done with. And then there could be other recommendations where it requires for you to implement a new system. It could be a [inaudible 00:13:36] system, new firewall, maybe a new endpoint protection. Those could take a little bit of time so we can also tell you the duration it might take you to sort of implement those and how you should go about prioritizing these different projects.

George:

For somebody that has a handful of rental properties. So now, I’ll throw this question out to you too as well Peter because just as we kind of brainstorm here, but what are some of the things that, reasons why I should be engaging you in the sense of, I can think obviously I’m going to be having a variety of information, in terms of mortgage qualification. So I’ve got my income, credit information, so somebody can presumably get into my system and pretend they’re me and qualify for a mortgage somewhere. I’m guessing they’ll have some information that’s sensitive regarding my tenants, that similarly, I don’t know if I’m held responsible for that, but I can’t imagine that there’s not some level of responsibility there for information. If I’ve got some contractors and what have you, I guess I would like to bring it to that perhaps smaller real estate investor who’s also, as you said, trying to scale up and to make it fairly vivid, here’s some of the things that might be taken advantage of and why do we need to be protected? Peter, I don’t know if you have other points there-

Peter:

Or just slightly change the question Vivek, we all hear about the big ones. They make the paper, we all know about that. We all think it’s the big boys that are going to get hit. Where have you seen a small organization get hit and what was the-

George:

Implication?

Peter:

… Implication. Thank you George. [inaudible 00:15:21] Afternoon.

Vivek:

So here’s a little bit about the psyche of a hacker, again, 10, 15 years ago, when it was even difficult to launch attacks, the organized group of hackers would want to attack organizations where they thought they could make money. So they would go after the banks, they would go after the insurance companies or big corporates. But to launch an attack, they need to put in that much more effort into organizations that are that big. Now the flip side of this is, and today’s reality is, it is very easy to go after a small business. Because the perception is that the small business has not made enough investments into controls or technology to protect themselves from such attacks. Believe it or not, the not-for-profit industry or the municipalities are prime targets for hackers or ransomware attackers that are out there.

Because again, it’s not just a perception, it’s in some way, shape or form a reality as well that they don’t have enough funding to make the level of investments to protect themselves. Now, if let’s say a small organization gets hit by a ransomware. And a ransomware is basically where an attacker is coming and they encrypt all of your systems. So you won’t be able to access your system unless you pay them whatever amount it is that they’re asking for in Bitcoin. And then they give you a decryption key so that you can be operational again. For a smaller organization, if they don’t have the right level of backups or the right controls and they get hit by a ransomware attack, for them to stay a going concern, guess what? They’re going to end up paying the ransom. And it’s easy enough for the hackers to launch a thousand attacks in a day hoping that they will be able to catch some business here and there, think of it as fishing.

So, they send out these emails, they send out these attacks and smaller businesses that don’t have the right level of defenses, they penetrate through those. And guess what? Now your system is encrypted. They weren’t necessarily asking for a million dollars. They might even ask you for just, let’s say, $10,000. Now the same attacker, imagine, has attacked a thousand other businesses. Even if he was able to be successful with a hundred attacks and he’s asking for $10,000 each from a hundred companies, guess how much money he was making? So $10,000 may not seem a large amount for a bank or a big corporate, but $10,000 for a small to medium sized business is still a significant amount. And it could be $10,000, it could be $20,000, $30,000, depending on the size of the business. They might change the ransom demand, but they’re at least getting something out of it.

So I think it’s a long-winded answer to your question, but it does not necessarily matter how big or small you are. It goes back to making sure what sort of information do you have that is very critical or could potentially lead to some sort of a financial damage for you. In the example of a small rental business, George as you mentioned, they would have access to the personally identifiable information of their clients. They would have access to their social insurance number, especially if they’re running credit history checks before approving the lease agreement or the rental agreement. They would have access to their bank information if the payments are being made by e-transfer or checks or via credit cards, all of this information is considered sensitive, private or critical in nature.

And if this information gets exposed, there are also regulatory fines that could be imposed on you as a business. So to protect yourself from damages, could be regulatory in nature, reputational in nature, financial in nature, you do have to put some controls in place because guess what, you’re an easy target for the hackers or the ransom attackers out there.

George:

As a real estate investor, once I’ve got a little bit of property, it sounds it would be silly not to have the conversation at least with your team.

Vivek:

And you don’t have to worry about that you’re going to have a big, huge engagement to carry out from a cybersecurity perspective. Basically it will be a conversation for us to understand how you currently run your business, how you exchange information, where you store it, where do you, how you access it and how you transmit it to others? So that we can focus on those areas and tell you, these are the best practices. Or given the environment that you have you are able to leverage the controls already provided with the technology you would have access to, or here there is some investment that you might have to make to keep yourself protected. But we will, again, as I was going, I’ll go to my previous point, if the control is going to be more expensive than the asset that you are trying to protect, then it’s not worth protecting. And on the same lines, we will not make a recommendation for you to put some sort of a technology or control in place that, let’s say a large bank would put in place. For a smaller business, we will make scalable recommendations.

George:

Do you find that there are some areas or topics or conclusions, whatever that surprised more business owners than others, or?

Vivek:

What businesses typically get surprised by after sort of having a conversation with us, I mean, and I’m talking about businesses that have traditionally been reluctant, they wouldn’t start the cybersecurity conversation, thinking it hasn’t happened to me yet, I’ll deal with it when it happens. There are two types of surprises there, one, you may not want to pay for preventative care today and you think it may not happen to you, but it’s an eventuality. And when it does happen, you will end up paying a lot more money to get access back to your systems or to recover from that breach compared to what you would have paid in preventative care to protect yourself. So, that conversation when you have it with the clients and you explain, especially with case studies and or recent engagements that we’ve done with other clients, it’s an eye-opener for our clients there.

And then the second aspect is when they talk to us and they’ve figured out and when they get a quote from us. Then there he goes, “Oh, I thought that this would cost me hundreds of thousands of dollars.” No, that is not the case. The services that we will offer you, they’re not a one size fits all. All the services that we would offer you will be customized based on your environment and they’re not cookie cutter type of engagements. We will see, again, the size and scope of your IT environment, the assets that you are trying to protect. And we will price the engagements accordingly. And that has typically surprised our clients in the last year or so.

Peter:

Vivek, it seems we’re… I can definitely see where you could get hit financially, but isn’t there also a reputational risk here?

Vivek:

Absolutely, absolutely. Now, if we think about, and I say this with a lot of respect, and the reason I’m using that is, reputational hit makes a lot more sense when an organization is in the public eye. So, imagine an RBS getting hit. We all heard about Capital One hack. We still use that reference and every time we talk about that hack, Capital One is getting that publicity, but not in a good way. It’s the new public shaming at the end of the day. And you saw what happened to Target in the US and other large organizations. For a very small organization that is only dealing with a couple of rental properties here and there, it is more important to look at the financial aspect, because what I’m trying to say is the outreach of that business is not that big.

It is not going to make the front page of a newspaper. Having said that, it’s not an advice that I’m giving and I’m not saying that you don’t have to worry about a trauma reputational aspect. There is definitely that at least your existing customers would not necessarily now feel comfortable sharing information with you. That could make your business operation slightly more difficult going forward. So, there’s definitely that aspect but you have to keep in mind the scale of your business. I would worry first about the financial aspect and then about the reputational aspect.

Peter:

I was just thinking a lot of our clients are attracting joint venture money and then have investors. And it’s not a big community out there.

Vivek:

Very good point. [crosstalk 00:00:24:49].

Peter:

You’ve got hacked.

Vivek:

Oh, absolutely. You’re not going to be getting an investor’s money if you’ve got hacked, for sure. It’s going to make it that much more difficult. And even if you will end up getting an offer from someone, guess what, you’re paying a higher interest rate for that. High risk comes at a price. So, no investor wants to, again, work with an organization that has a known attack out there that has happened and they had a loss. Because now the investor’s money is at stake as well.

George:

That’s enormous for a large percentage of our clients.

Vivek:

Oh, excellent. So, that’s just me not having that background about the joint ventures but Peter, that’s a very good point. If that is the case, then as I said, the reputational risk is just as high as the financial risk out there. Because loss of reputation would lead you to not being a going concern anymore.

Peter:

In your years of experience, has there been one that’s completely surprised you or is there a little one out there that you’re, wow, didn’t see that one coming, or I guess, does it change so often you always keep on top of it?

Vivek:

So the type of attacks. Yes, I used to get surprised early on in my career as I was not necessarily exposed to the different types of attacks. I won’t say anything really surprises me now because with technology, a lot of things are possible. What does surprise me though is sometimes the behavior of the organizations. So without naming names and without talking about the name of the organization, we were reached out to by a client that was hacked and had a ransomware attack. They reached out saying, “Oh, we had a ransomware attack, we need your help to recover, to come in and provide some folks that could help us to respond to this incident.” As we started discussing with them, they mentioned, so that IT worm included one production server. And our first question obviously was, “So where are your backups?” “Oh, our backups are on the same production server.”

So that does make it challenging to recover, but then fine. So what we can do is… You cannot be a going concern until, and unless you get your data back. So maybe, although we never recommend paying the ransom but this seemed like a case where the client just had no way of recovering their data and they did not have copies of their data anywhere, other than that one production server. So I asked, we’ll have to figure it out, work the messages from the ransomware attacker and figured out a way to contact them. Then I got told, “well, it was appearing in our systems when we were attacked but it’s no longer showing up on our system.” I’m, “what does that mean? Well, when we got attacked we wiped our servers. So what does it mean?” So what they did was they basically took the server offline and they wiped the whole device altogether.

What that does is now it’s a clean slate. There is no data on it. There is no system on it, including any ransomware or malware, all of that was destroyed. So now the client did not have any way of contacting the ransomware attacker. And more importantly, when a ransomware attacker is corrupting your systems or infecting your systems, they don’t necessarily make a copy of your data. The data stays within your hard drive or within your servers for the most part. Some might take the data as well, or a copy of, a part of the data but in this case, all of the data was on their production server but they ended up wiping their whole production server altogether. And there was no way to contact back the ransomware guys either. And they were, “maybe the ransomware attackers have a copy of the data.”

I’m, “why would they have a copy of your data when all they did was encrypt your system?” So, because of them not having the right level of know-how within their business, they panicked and they wiped their server which meant they had to recreate all of their financial records from paper files. And they had a few invoices. They probably had… The auditors would have the financial statements from last year. They had to recreate all of their data, all of their business intelligence from scratch.

Peter:

Wow.

Vivek:

That one surprised me to a level, I mean, we hear that the clients are not aware they will make some level of mistake, but this one was by far something that I always use as an example now.

George:

So, it sounds beyond preventative, which is obviously much better, but if we have somebody that has been, or is currently undergoing an attack, they need to immediately reach out to you.

Vivek:

Absolutely. Absolutely. So, we have an incident response team as well. Again, it’s not a matter of if, but when, so even with all the protection that you have in place, an attack can still happen. But what happens is if you invested enough in preventative care, recovering from an incident is that much more quicker and easier. If you have not done any incident response planning, you will not know what sort of actions to take in case you were hit by an attack. So we recommend doing preventative care to make sure that you have an incident response plan in place, and we can help you draft one, build one. That way you will know who to call, what to do, how to stop the spread of that infection and then the responders come onsite and they help you sort of recover your systems where possible.

George:

And I guess to the point, Peter, that you were talking about earlier, if I’m investing a chunk of change with a co-venturer, I also want to make sure their systems have been taken care of. And otherwise my money is, maybe not going to disappear, real estate’s not going to disappear, but my investment might get a touch more expensive than I was otherwise expecting.

There’s a lot there that you brought up to us. I think I’m going to be first in line for this. I got to check on my own system.

Peter:

So, Vivek just to wrap up here, what would be the one nugget you would give to a client or what would be the starting point? If someone were to approach you and said, I don’t know what I don’t know. What would be the starting point? What would you suggest?

Vivek:

The statement that you just made to me would be the starting point. Realizing I don’t know what I don’t know is the first step. And then, knowing that you need the help. Don’t think that if you call in a cybersecurity specialist, you’re going to be left with a huge bill. You have every right to get a consultation upfront for free, pretty much, where you do a discovery session with a cybersecurity professional that can help you understand here’s what you need to protect and then here’s how you can protect it.

At least getting a sense of what is it that I need to protect? What do I have in place right now that is a prevention measure or protective control in place? And then knowing what I don’t have in place. Knowing those gaps is really important. So then you can prepare to address those gaps as, and when you possibly can. But, keeping your eyes closed and thinking it hasn’t happened to me yet, I will deal with it later doesn’t cut it anymore because there are so many risks. And the biggest risk of them all is you could be completely out of business if you get attacked with a very sophisticated attack. And if all of your systems are encrypted, guess what? You’re starting from a solid again.

George:

So in terms of reaching out, so people are certainly welcome to get a hold of, Peter and I we can forward contact information to you, but can you share best way of contacting you, I guess, or your preferred way?

Vivek:

Absolutely. I can be contacted directly on my office line number or via my email. So again, name is Vivek Gupta, my office phone number is (416) 369-7867. And my email is V as in Victor, G as in George, U, P as in Peter, T as in Tom, A as in Apple, @bdo.ca. So it’s vgupta@bdo.ca

George:

Enlightening. This is again, perhaps more scary than other things, but really, really important for us to know. And I’m sure the people watching this are going to be potentially reaching out relatively quickly. Thank you so much for sharing your time and expertise, and I’m positive we’re going to have a follow-up session, but thank you.

Vivek:

Oh, it’s always a pleasure to talk to you, George and Peter. So thank you again for having me. I’m happy to help, wherever possible.

Peter:

Sounds great. Thank you.

To contact Peter or George you can email pcuttini@bdo.ca or gdube@bdo.ca. To contact Vivek, please email vgupta@bdo.ca.
