
by Darryl Benson and Mike Magee
As we approach the end of the year, it’s a natural time for reflection and planning, especially for commercial real estate (CRE) executives, managers, and operators navigating today’s complex challenges. Protecting building assets and systems from cyber threats has become a critical priority for the industry, driven by the increasing frequency and sophistication of attacks. The end of the year is a great time to evaluate your organization’s cybersecurity strategies and ensure readiness for cyber threats in 2025.
This article explores critical cybersecurity topics, including the importance of revisiting IT policies to ensure they align with current operational procedures and adapting to and implementing ever-changing privacy regulations. We’ll provide actionable insights to strengthen your organization’s defenses. We’ll also explore the implications of artificial intelligence (AI) and the governance of data usage and privacy, the strategic role of cyber insurance, and how fostering a culture of preparedness can help your organization stay ahead of future threats.
This discussion addresses cybersecurity from two critical perspectives: Executive Leadership and Real Estate Operations. Both are essential for success. While leadership defines the strategy and sets the vision, operational teams execute these strategies, measure outcomes, and drive operational excellence. By integrating these perspectives, your organization can build a cohesive approach to addressing today’s cybersecurity challenges, ensuring resilience and long-term growth.
Implementing Robust Policies
- Executive Leadership: Cybersecurity policies have become a cornerstone for safeguarding CRE assets. However, establishing robust IT policies presents significant challenges. Many organizations still lack consistent standards across operating systems, leading to vulnerabilities in password protection and irregular backup practices. These gaps are compounded by the lack of comprehensive disaster recovery plans tailored for cyber incidents. To meet the growing complexity of the cyber landscape, executives must prioritize policies that ensure compliance with domestic and international standards. This includes integrating encryption strategies to protect sensitive information and adopting business continuity plans across diverse building portfolios. The ability to anticipate and align with evolving government regulations is essential to future-proof operations and mitigate risks effectively.
- Real Estate Operations: Enforcing a standardized IT framework is foundational to cybersecurity in the CRE industry. Organizations should adopt consistent protocols for system backups, recovery plans, and data security across all sites. These measures ensure uniform protection and simplify the process of managing diverse portfolios. Additionally, policy monitoring tools can help track compliance with legal and cyber insurance requirements. Clear accountability structures and regular policy reviews strengthen organizations’ resilience against cyber threats.
Strengthening Privacy
- Executive Leadership: Data privacy is a growing concern, particularly as CRE operations handle vast amounts of operational and tenant data. The proper compliance framework, whether GDPR, CCPA, or another model, is crucial for maintaining trust and regulatory alignment. Operational networks, often overlooked, contain sensitive information related to building management systems. Protecting this operational data is as vital as safeguarding personally identifiable information (PII). Another critical challenge is addressing data crossover points where operational and informational networks converge. These intersections are potential hotspots for cyber vulnerabilities, requiring careful segmentation and robust monitoring to ensure privacy and security.
- Real Estate Operations: Organizations should implement network segmentation to isolate operational technology (OT) networks from traditional IT systems and enhance privacy controls. This minimizes crossover risks, ensuring that vulnerabilities in one domain do not compromise the other. Equally critical is identifying the data being collected and stored. Although this data is classified as operational data, it still may contain elements of PII. Knowing what data your systems have and how it is used will allow you to prioritize operational data security. Regular audits and real-time monitoring tools can provide organizations with the visibility needed to proactively address potential threats.
Optimizing Cyber Insurance Strategies
- Executive Leadership: Cyber insurance has become a critical component of risk management strategies for CRE executives. Insuring properties against cyberattacks helps prevent financial losses and reinforces tenants’ trust. However, underinsurance—or worse, lack of coverage—can jeopardize portfolio stability. Beyond direct monetary risks, cyber incidents can lead to operational disruptions and long-term reputational harm, particularly when tenant services are affected. Executives must balance comprehensive coverage with proactive measures to mitigate risks, ensuring their insurance policies remain a vital safety net in an unpredictable landscape.
- Real Estate Operations: Conducting periodic cyber risk assessments is an industry best practice for determining appropriate insurance coverage. These evaluations identify vulnerabilities and quantify risks, enabling CRE executives to negotiate more favorable policy terms. Properties can use the audit results to proactively manage threats through measures such as enforcing policy with both users and vendors, better managing remote access to the systems, establishing data accountability and, most importantly, training staff and vendors. By reducing the likelihood of incidents, organizations can position themselves as lower-risk clients to insurers, potentially lowering premiums and increasing coverage options.
Combatting Future Threats
- Executive Leadership: The rapid evolution of threats, including those targeting IoT devices and ransomware, demands constant vigilance. CRE operators must establish routine protocols to update hardware, firmware, and software. Failing to keep up with security updates can expose vulnerabilities that sophisticated attackers quickly exploit. Advanced threats, such as ransomware targeting building systems, highlight the need for rigorous patching schedules and proactive monitoring practices. Staying ahead of these challenges is not just about technology but about embedding a culture of preparedness into the organization.
- Real Estate Operations: CRE operators must invest in routine maintenance programs to stay ahead of emerging threats. These programs should include regular patch updates, system audits, and proactive threat monitoring. Adopting a zero-trust framework for internet connectivity and remote access to IoT devices can mitigate risks associated with these increasingly prevalent systems. Continuous inventory scanning further ensures that all networked devices are accounted for and protected.
AI and Building Technology Evolution
- Executive Leadership: AI offers significant opportunities but introduces risks when poorly integrated into CRE operations. Vendor platforms utilizing AI may misuse data without proper oversight, leading to compliance and reputational challenges. Executives must define use cases for AI adoption and ensure its deployment aligns with operational goals and regulatory frameworks. Vendor-driven AI solutions require scrutiny; contractual safeguards should specify data usage and retention policies to protect tenants and operators. Establishing governance frameworks for AI will ensure these technologies enhance efficiency without compromising security.
- Real Estate Operations: Integrating AI into building management systems requires a deliberate and controlled approach. Organizations should establish clear governance frameworks to define acceptable AI uses and ensure alignment with operational objectives and privacy laws. Collaborating with vendors to include robust AI usage clauses in contracts is essential for protecting data integrity and tenant trust. Discussions with vendors should require them to disclose where and how data is used and whether privacy controls apply when data is stored. Regular reviews of AI deployments, informed by feedback from technical teams and tenants, help balance innovation and security.