Commercial real estate (CRE) organizations are known for their relative hesitation when it comes to moving to adopt new technologies, and changes in process. To put it simply, the consensus has been: “Why change what already works?”

And it makes sense. Many folks have been trained that it is safer to keep your competitive, trade-secret cards close to their chest, and many new technologies and changes often create more process transparency. After all, how can they be expected to do their job better when their competitive data might be out in the open?

Historically speaking, this has been how people in CRE have thought, which makes it a lot harder to want to make changes.

As CRE Tech adoption becomes more and more prevalent, industry professionals have grown less concerned with the open availability of certain aspects of their previously private trade data. CoStar, for example, has built a strong business exposing tenant rosters, lease rates, and market information.

From a residential perspective, home sale data, mortgage information, and occupancy are all available as current market knowledge – information that at one time was closely guarded. And this trend shows no sign of ending.

But while there’s greater acceptance of this openness, as businesses port more and more of their data to the cloud for accounting, property operations, billing, and vendor management, there is an increasing concern about where the line should be drawn between public and private information.

This is a great thing – but the line has to be drawn somewhere.

The reality of the situation is that as more CRE organizations transition and become dependent on managing their businesses digitally, they face increasing risk of their data being manipulated, misappropriated, or hijacked.

Take Target’s recent credit card breach for example. That breach was initiated due to a refrigeration vendor’s access to a cloud vendor portal, which highlights (very publicly) the risks affiliated with what might, in other circumstances, seem to be unrelated data silos (client credit card data and vendor work assignments).

“Locking down” sensitive data isn’t simply to prevent public consumption of private information, but to decrease the liability risk which could affect employees, vendors, and tenants!

Data Security Considerations

According to the Federal Trade Commission, or FTC, there are five key principles to consider when building an effective data security plan:

1. Take Stock

   Do you know what mission critical files you have on hand, both in physical and digital form?

2. Scale Down

   Do you have an excess amount of files that could leave you vulnerable if exposed, or weakened by unnecessary security resource use?

3. Lock it

   Do you know how you intend to protect your data, both physically and digitally, from threats? What are the case scenarios for exposure?

4. Pitch it

   If you don’t need some of your data, how will you safely dispose of it without creating additional vulnerabilities that threaten your organization, employees, vendors, and tenants?

5. Plan Ahead

   Create a flow chart that considers the potential security incidents that may occur in both the physical and digital sense, who you may need to notify, and how you will react in the moment.

While your digital data security is important, it is also critical to evaluate your policies and practices for physical data storage and access. To do otherwise would be like installing a strong deadbolt on your front door, only to leave the key for it under the welcome mat.

For more information regarding how you can evaluate your data security processes, the FTC guide for “Protecting Personal Information” offers a bevy of insights and resources to assist.

Not all CRE Tech is Created Equal

If you’ve already purchased – or are evaluating – CRE technologies to implement within your organization, it is important to take a look at how the vendors you choose view and value your data security, and privacy.

Consider this:

1. Are they transparent about their security practices?

   No one deserves to be left in the dark when it comes to knowing how safe your mission critical data is. Make sure that your CRE Tech vendor has your data security and privacy in mind, through every aspect of their business, including: communicating possible issues, and solutions.

2. Are security features built into the core of their product?

   Software that was built with security in mind is typically stronger than software with security “add-ons.” A good analog example is adding a chain lock to a door – it’s better than a door with no lock, but it is not a substitute for a proper deadbolt and bottom lock combo.

3. Have their security methods and procedures been independently audited?

   Just saying that your data security and privacy methods and policies are great, doesn’t mean that they are in reality. By undergoing an independent audit, a CRE Tech provider is confirming that yes – they are working hard to ensure that your property data is safe.

4. How long have they been in business?

   Who is more trustworthy: a company that pops up in the middle of the night, promising a safer car, or a company that has consistently produced safe cars (and has data to defend the claim) for years? Probably the latter. Be sure to evaluate your CRE Tech vendor’s history to be sure that they won’t disappear, and that they are known for excellence.

5. How reliable are their services?

   Always check your vendor’s SLA (or Service Level Agreement) to see what they promise their service uptime and reliability will be. If it is poor, or shrouded in secrecy, you’re likely not dealing with a reputable – and secure – service.

The current ‘Gold Standard’ in SaaS (Software-as-a-Service) application security policies, controls, and procedures was formerly known as SAS 70 Reports, from the American Institute of CPAs (AICPA) and is now referred to as the Service Organization Control (SOC) Reports.

It is important to note however, that when requesting SOC audit reports from prospective vendors, you should ask for BOTH the vendor’s SOC audit AND the SOC audit of their application hosting provider. Only then will you be able to determine how the company deals with your data internally prior to or after it has been uploaded into the application.

Or in the case of the Target example cited earlier, it would not provide reassurance that the companies own hardware is equipped with the appropriate security and antivirus applications.

Once you’ve fully vetted your own security practices, and that of your CRE Tech vendors, you’re well on your way to effectively “locking down” your property data and setting a new standard for success!

Vetting Property Management Software?

If you’re in the market for a SaaS-based (Software-as-a-Service) Commercial Property Management platform, with security and service quality at its core, we welcome you to check out Building Engines.

We’re transforming property management through innovative web and mobile solutions for tenants, property owners, managers, and vendors, helping them: improve tenant service and engagement, mitigate operational risk, and maintain their properties using data-driven insights and easy-to-use tools.

Building Engines is trusted by over 1 billion sq. ft. of commercial real estate, and has completed a SOC II audit from an independent party. That means that you can rest easy knowing that our team is working hard to help you improve your service delivery, and keep your property data safe and secure!