More than ever, data is driving change throughout the commercial real estate industry – from maximizing the value of building spaces to managing a safer return to work and improving indoor air quality. Data is driving our ability to identify opportunities, forecast returns, and measure tenant behaviors. About 45.1% of property managers are seeking new ways to improve building efficiencies, meaning data will play an increasingly important role in making smarter decisions within buildings.
Commercial real estate buildings generate vast amounts of valuable data. But in many buildings, data collection practices have outpaced data security. So, what are the best data security practices you can take for your commercial real estate building?
Determine What Data You Need
Customers and end-users want to know that those who have access to any of their personal or sensitive data will do everything to protect that data. But just as important as how you protect the data is what data you collect.
No matter how secure you are, your customers won’t be thrilled if you collect information that has nothing or little to do with your service.
There is a natural tension here. On one side, there are the privacy and security folks who prefer nothing be collected. Not very realistic. On the other side are the data scientists who want as much information as possible. Date of birth? Collect it! Pet’s name? Collect it!
Somewhere in the middle is a system of information that allows us to manage your building’s systems intelligently. Ideally, you’d store almost nothing about individuals and only what the systems need to give you access. The system would then collect and analyze a rich set of information on your building’s inner workings to provide you with a product that delivers occupancy insights, air quality metrics, and tenant engagement data – all collected to make your building run better.
Protect Your Data
First and foremost, you need buy-in from the very top of your organization that data will be protected. That buy-in then needs to be communicated clearly to management and downward, backed by a budget that reflects the level of risk.
Something that will help with this is becoming SOC 2 compliant. SOC 2 is a framework applicable to all SaaS companies that store customer data in the cloud; it is designed to ensure that controls and practices safeguard customer and client data privacy.
SOC 2 includes controls that require security requirements to be recorded as enforceable security policies and procedures, that those policies be communicated to all employees, and that sanctions be established for when they are not followed.
Put Practices in Place
Once you have buy-in, you put practices and technologies in place to protect data from being stolen.
Hollywood has filled television and film with hoodie-wearing hacker stereotypes who operate from dimly lit rooms filled with piles of empty energy drink cans. It creates the impression that hackers rely only on high-tech tools that allow them near-immediate access to anyone’s information with a click of a mouse. Unfortunately, the reality is often more mundane. Many times, the reason someone is unexpectedly reading your sensitive data is not a high-tech tool but something as simple as a C-level executive clicking a link in a phishing email or a developer leaving a password in publicly accessible source code.
Your company can and should take action to protect against these and other weak points where you may be vulnerable. SOC 2 ensures that risks like these to an organization and its service are assessed and treated. SOC 2 also mandates monitoring systems to detect problems and a robust incident response should a problem arise – a response plan that keeps you, and your customer, informed when incidents occur.
Other controls include encrypting data in transit between systems to prevent adversaries from copying or changing it. When the data is just sitting on disk drives (“data at rest,” as we call it), we encrypt it so that you can rest as well.
Bring it Full Circle
Next, there are those external entities you share data with. The companies you sell data to typically go through a whole legal process before contracts are signed. For example, vendor management is a critical component of SOC 2. It includes regular reviews of vendors and agreements, including what data is shared, what others can and cannot do with it, and how long they can retain it.
Then, there is managing the access your employees have to customer data. With SOC 2, there is a rigorous access control system, a formal access request process, and periodic required reviews of access rights. Any access must have a business need, so accounts with more access are controlled tightly and not just handed out. Terminated employees are removed promptly from the system so that access remains current and controlled.
Create a Sustainable Data Protection Plan
SOC 2 requires us to take steps to secure our systems from the unexpected. While we can’t plan for every possible scenario, our disaster recovery and business continuity planning have us doing everything from backing up our systems to simulating situations that could disrupt our business.
To be effective, a security program that protects your organization needs to be well thought out and based on the specific risks to your organization. Well-defined frameworks like SOC 2, ISO 27001, and others provide the risk-based foundation an organization needs to build a solid security program. One of the most cost-effective and efficient steps you can take is to bring in an auditing firm to start building safe practices as early as possible, not only to explain your business to them but also to partner with them. An outside perspective will help shed light on blind spots, and external audits always carry significant weight when wooing customers and investors.
When it comes down to it, modern buildings have many attributes that should be measured, stored, and analyzed to enable property owners and tenants to get the most value out of their facilities. With data security practices in place and a sustainable protection plan, that information can be protected, your business can continue functioning, and your customers can stay assured.
Cohesion keeps information security top of mind when implementing its technology. Want to learn more about how we keep data secure and safe? Request a demo with our team.
Bob is Cohesion’s Director of Cybersecurity. He is responsible for Cohesion’s cybersecurity program and establishes and maintains the company’s enterprise-wide vision, strategy, architecture, and program to ensure that our information assets are protected.