Every year, the number of IoT devices expands drastically, a trend that has no real end in sight. For the PropTech industry, there is a great deal of concern around how to plan projects that can accommodate and secure all of the elements of the IT/OT environment that are becoming increasingly necessary. At a panel at this year’s MIPIM PropTech in NYC, industry experts cautioned property developers and business owners about the dangers of an expanding attack surface area and the challenges around the data privacy of individuals accessing their properties.
Sandy Jacalow, chief information officer at Meridian Capital Group explained just how much cybersecurity has changed over the past few years. “At one point, we just used to think about malware and email. It’s gotten so disruptive now,” he said. “A lot of proptech challenges have to do with vendors still are not incorporating cybersecurity into what they’re doing. And then you have the users, who are probably the weakest point in all cybersecurity.”
While Robert Entin, executive vice president and chief information officer at Vornado Realty Trust agreed with Jacalow that users are the weakest point in cybersecurity, he specified that this is particularly true in IT. “In OT,” he explained, “the weakness is the devices that aren’t ready yet.”
As more and more IoT devices are introduced, so are more required connections to the internet or the cloud. According to Karl May, co-founder and CEO of Join Digital, this expands the attack surface in a way that is “very difficult to characterize.”
Further, as that attack surface expands, the possibilities for gaps in security also increase and become more challenging to address. “We’re trying to market things more as mobile and accessible,” noted Erik Hart, chief information security officer at Cushman & Wakefield. “Everything is connected, and you can do it remotely. With these OT systems, it’s not as easy to patch them.”
He added that the proptech industry is investing a lot of money into closing some of these security gaps in their networks. “That is what I think organizations really need to look at. What is that attack surface area and how do you eliminate the risk? Sometimes you can’t just patch it, but you might be able to put some other controls around it.”
According to May, reducing the number of network entry points “radically” should be one of the first priorities when improving cybersecurity. “If you go from hundreds or thousands down to one, it’s much easier to guard that one point. That’s our philosophy, number one. Number two is […] the reality is that is that there are really sophisticated technologies out there that do provide more segmentation for traffic on networks,” he stated.
This, he said, not only reduces the opportunity for bad actors to get in, but also allows for the “micro-segmentation” of every camera, sensors, user, device and so on. Keep those separate from each other, he continued. “Then you need the tools to not let the systems access each other’s data, which is really one of the biggest problems.”
Another emerging element of cybersecurity is the concept of personal or private data privacy. And for Jacalow, this is becoming “very much imbedded into proptech” because it carriers implications about tenant and worker movement and biometrics.
When discussing the Ring doorbell, specifically, he offered, “who owns your data? The images of you or your friends walking into your house? Who owns those images of your biometrics?”
These are complicated questions with complicated answers, and while some states, like California have introduced bills to protect consumer data, most are still grappling with the challenge.
Not every panelist agreed on the severity of the data privacy issue. Entin pointed out that the average person uses a number of different applications and devices that record and share their private data. Therefore, to focus on one single device like the Ring doorbell doesn’t make much sense.
“Between every app we use, our lives are filled with giving up our data willingly for a better way of life,” he said. “And to some extent, this is the reality. The youngest generation that grew up with the internet in their hands, are they going to have the same concerns that we do? I’m a little less worried about that than others only because the reality is it’s out there.”