Canada's Biggest Real Estate Companies Grapple With Cybersecurity Gaps: KPMG
Tuesday, 13 December 2022 02:23.PM
- Nearly 80 per cent do not monitor technologies that support critical building operations -
Despite the fact that most Canadian real estate companies now build smart tech into their buildings to monitor, manage, and maintain many functions, such as heating, lighting, elevators, power meters and fire alarm systems, very few have invested to ensure these systems can't be hacked, finds new research from KPMG in Canada.
A survey of 17 of Canada's biggest publicly traded and privately owned real estate organizations, representing more than $160 billion in real estate assets, found that nearly 80 per cent of Canadian real estate companies do not proactively monitor their operational-technology (OT) network or devices for cybersecurity threats or vulnerabilities.
Half (50 per cent) do not have an inventory of their OT assets and about a quarter (22 per cent) have an inventory that's incomplete or not updated regularly, the research found. Patches - a key control to resolve new vulnerability – are rarely done and usually in ad hoc manner.
"Smart or intelligent building technology is commonplace in the industry today and holds many benefits, but it also comes with risks that could result in significant health and safety issues," says Tom Rothfischer, Partner and National Industry Leader for KPMG in Canada's Building, Construction, and Real Estate practice. "It is critical that these measures are built into their systems right up front. But the reality is that most companies now find they are playing catch-up to seal the security gaps."
The research found that most real estate companies have a cybersecurity program with the majority having very small in-house teams responsible for key cybersecurity activities. However, their roles and responsibilities aren't clearly defined. And, while the board is regularly informed on the organization's information-technology posture (that is, the ability to predict, prevent, and respond to cyber threats or attacks), they are not kept up to date on the OT posture. Only about 10 per cent of the companies report on their OT security posture or OT readiness.
The survey did find that the majority (83 per cent) have segregated their information- and operational-technology networks, reducing the risk of cyber attackers moving between networks.
"This is an important first step, but it can't be the only step," says KPMG's John Heaton, a cybersecurity partner. "OT and IT networks typically do not have the same protection mechanisms. As well, many OT devices run on older versions of software that are no longer supported.
"The last thing you want is for attackers to infiltrate and insert malicious code into your systems to modify or take over the controls and cause a malfunction," he says.
Key Findings:
• 78 per centdo not proactively monitor OT network or devices for cyber threats or vulnerabilities
• None of the surveyed companies have inventoried all of their operational-technology assets:
o 50 per cent do not have a complete inventory of their OT assets;
o 22 per cent have an inventory that's incomplete and not regularly maintained;
o 22 per cent have only inventoried critical OT assets; and, the remaining 6 per cent have catalogued them for procurement purposes only.
• 72 per cent apply OT patches in ad hoc manner (50 per cent) or have never applied them at all (22 per cent)
• 89 per cent do not regularly report to the board the cybersecurity readiness of operational technology
• 83 per cent have segregated their information-and operational-technology networks
• 66 per cent have cyber insurance to support recovery efforts
• 50 per cent have not tested, or are only in the planning stages of testing, their overall cyber incident response capabilities
Key Takeaways
Real estate organizations should:
1. Expand their IT cyber posture to include operational-technology risks, add board members with IT or cybersecurity experience, clearly define and implement internal and outsourced cybersecurity roles and responsibilities.
2. Incorporate OT into cybersecurity programs, including identifying critical assets, regular reporting on threats and vulnerabilities and actions taken, and define roles and responsibilities between cyber and OT operations teams.
3. Take inventory of all information-and operational-technology assets to monitor and identify cybersecurity vulnerabilities and patching.
4. Monitor IT and OT networks, devices, and assets for cyber threats or attacks, particularly where vendors do not provide regular patches or updates for cybersecurity vulnerabilities.
5. Perform regular cybersecurity tabletop exercises, including for ransomware and phishing emails, to validate incident-response processes and accountabilities and ensure they are clearly understood.
-
Related materials:
- 01-Oct-2024 10:23 AM 🇨🇦🍁💵 Government of Canada Partners With Mila to Guide The Development of a Cultural Data Strategy for Artificial Intelligence
- 24-Jul-2024 08:00 AM 🧑🔎💵Nonprofit Tech Workers Earn 33 Per Cent Less Than Tech Workers in Other Industries
- 23-Jul-2024 10:22 AM ONTARIO 🧑🔎💵 Ontario Supporting Innovation in the Life Sciences 👨🔬🔬⚕️
- 22-Jul-2024 04:21 PM 📱💻🏗️ Study Confirms: By-Products from Lithium Production Can Be Used in Cement Production
- 22-Jul-2024 10:22 AM 🔒💻👁️ Hack Club Coders on a Cross-Country Journey with VIA Rail
- 20-Jul-2024 04:24 PM 📱💻⚕️ AGE-WELL Invites Startups to Pitch Their Technology-Based Solutions for Healthy Aging in High-Profile National Competition
- 18-Jul-2024 12:00 PM 🇨🇦🍁💵 ONTARIO Governments Investing in Horticultural Research and Innovation 📰💻🔍
- 15-Jul-2024 12:00 PM 🍁🏙️📱💻 Global EdTech Leaders Witness Radical Learning Transformation at D2L Fusion 2024 📚🎓🧠
- 13-Jul-2024 02:26 PM ONTARIO 🧑🔎💵 Ontario Investing More Than $200 Million in Postsecondary Infrastructure 🎓📚🏫
- 26-Jun-2024 12:00 PM 👩💻 Tech Developers Pioneering AI Tools to Revolutionize Future Productivity and Logistics