Managed IT and Cybersecurity for Commercial Real Estate Firms

· Infonaligy

CRE firms face unique IT and cybersecurity risks from building automation, tenant data, and wire fraud. A guide to managed IT and security for property firms.

Commercial real estate firms run on a mix of building automation systems, lease management platforms, tenant portals, and IoT-connected access control hardware that most IT providers never encounter. These systems create attack surfaces that general cybersecurity guidance does not address. If your firm manages properties, develops commercial projects, or brokers CRE transactions, your IT and security requirements look fundamentally different from a typical office-based business.

This post covers the specific risks CRE firms face and the managed IT and security practices that address them.

Building Automation Systems Create Network-Level Risk

Modern commercial properties depend on building automation systems (BAS) to control HVAC, lighting, elevators, fire suppression, and access control. These systems improve energy efficiency and tenant experience, but they also introduce devices to your network that were never designed with cybersecurity in mind.

BAS controllers and IoT sensors typically run on embedded operating systems with limited or no patching capability. Many use default credentials that are publicly documented. Older systems communicate over protocols like BACnet and Modbus, which transmit data in plaintext without authentication. When these devices sit on the same network as your property management software, lease databases, and email servers, a compromised BAS controller becomes a stepping stone to your business-critical systems.

This problem is not theoretical. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published multiple advisories about vulnerabilities in building automation and industrial control systems used in commercial facilities. Their Known Exploited Vulnerabilities catalog includes entries for HVAC controllers and access control platforms found in commercial buildings across the country.

The fix is network segmentation. BAS devices, IoT sensors, and access control hardware belong on isolated network segments with strict firewall rules governing what traffic can cross into your corporate environment. Your tenant WiFi should be on its own segment as well. A flat network where a smart thermostat can reach your accounting server is a liability, and it is far more common in CRE environments than most property managers realize. Segmentation limits lateral movement so that a compromised camera or badge reader cannot provide an attacker with a path to your financial data.

Your managed IT provider should maintain an inventory of every networked device across your properties, including BAS components that building engineers installed independently. Devices you don’t know about are devices you can’t protect.
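To make the segmentation and inventory advice above concrete, here is an added example (not Infonaligy's code, and not tied to any specific firewall product) that checks a device inventory against a segment plan and a default-deny boundary policy. The segment CIDRs, device records and allow rules are constructed for illustration; in practice they would be exported from the firewall and the asset inventory. It flags the exact failure the post describes: a thermostat that ended up on the corporate LAN and can therefore reach the accounting server without crossing any firewall.

```python
"""Added example: find flat-network paths from BAS/IoT/tenant segments into
the corporate segment. All segments, devices and rules below are constructed."""
import ipaddress

# Constructed segment plan: segment name -> CIDR.
SEGMENTS = {
    "corporate":   ipaddress.ip_network("10.10.0.0/16"),
    "bas":         ipaddress.ip_network("10.20.0.0/24"),
    "iot":         ipaddress.ip_network("10.21.0.0/24"),
    "tenant-wifi": ipaddress.ip_network("10.30.0.0/22"),
}

# Segments that must never initiate traffic into corporate without an
# explicit, narrowly scoped allow rule.
UNTRUSTED = {"bas", "iot", "tenant-wifi"}

# Constructed inventory: (hostname, intended segment/role, address).
# The thermostat was plugged into the corporate LAN by a building engineer.
INVENTORY = [
    ("hvac-ctrl-01",        "bas",       "10.20.0.15"),
    ("badge-reader-lobby",  "iot",       "10.21.0.7"),
    ("smart-thermostat-3f", "bas",       "10.10.4.22"),   # misplaced
    ("accounting-srv",      "corporate", "10.10.1.5"),
    ("lease-db",            "corporate", "10.10.1.9"),
]

# Constructed boundary allow rules: (src_segment, dst_segment, dst_port).
# Anything not listed is denied at the segment boundary. A port of None
# would mean "any port" and should itself be treated as a finding.
ALLOW_RULES = [
    ("bas",       "corporate", 443),    # BAS head-end posting to a monitoring API
    ("corporate", "bas",       47808),  # engineers reaching BACnet/IP from corporate
]


def segment_of(ip):
    """Return the segment whose CIDR contains ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def misplaced_devices(inventory=INVENTORY):
    """Devices whose address sits in a segment other than their intended one.
    A BAS device with a corporate address is the flat-network case."""
    findings = []
    for host, role, ip in inventory:
        actual = segment_of(ip)
        if actual != role:
            findings.append((host, role, actual))
    return findings


def untrusted_to_corporate_flows(rules=ALLOW_RULES):
    """Allow rules that let an untrusted segment initiate into corporate.
    Each one needs a documented justification; wildcards (port None) do not."""
    return [(src, dst, port) for src, dst, port in rules
            if src in UNTRUSTED and dst == "corporate"]


def can_reach(src_ip, dst_ip, dst_port, rules=ALLOW_RULES):
    """True if traffic from src_ip to dst_ip:dst_port would be permitted under
    the modelled default-deny boundary policy. Same-segment traffic never
    crosses a boundary firewall, so it is always reachable."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return any(r == (src, dst, dst_port) or r == (src, dst, None) for r in rules)


if __name__ == "__main__":
    print("misplaced:", misplaced_devices())
    print("untrusted->corporate rules:", untrusted_to_corporate_flows())
    print("thermostat -> accounting SMB:", can_reach("10.10.4.22", "10.10.1.5", 445))
```

Running the check on every property's inventory on a schedule turns "devices you don't know about" into a report rather than a surprise: a new address in the wrong CIDR shows up as a misplaced device, and any new allow rule from an untrusted segment shows up as a flow to justify.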

Wire Fraud Targets CRE Transactions Specifically

Commercial real estate closings involve large wire transfers between multiple parties under tight deadlines. This makes CRE firms among the most targeted industries for business email compromise (BEC) and wire fraud.

The FBI’s Internet Crime Complaint Center has identified real estate transactions as a high-risk category for BEC fraud, with individual losses frequently exceeding $100,000 per incident. The attack pattern is straightforward: an attacker compromises or impersonates an email account involved in a transaction, sends modified wiring instructions at a plausible moment in the closing process, and the funds go to an account the attacker controls. No malware is involved, so traditional endpoint security tools do not detect it.

CRE firms need email security controls that go beyond what a default Microsoft 365 configuration provides. DMARC enforcement set to reject, conditional access policies that restrict email access by device and location, and priority account protection for closing coordinators and controllers all reduce the likelihood of a successful BEC attack. We covered the full checklist for CRE-specific wire fraud prevention in a dedicated post, including email authentication setup, payment verification workflows, and M365 hardening steps.

Beyond email, the operational process matters. Every change to wiring instructions should require out-of-band verification by phone, using a number on file before the transaction started. Dual authorization for outgoing wires adds another layer. These controls are simple, but they fail when firms skip them under deadline pressure.

Tenant Data and Investor Information Carry Compliance Obligations

CRE firms collect and store sensitive information from multiple sources: tenant applications with Social Security numbers and financial statements, investor communications with personal financial details, employee records, and vendor payment data. A breach exposing this information triggers notification obligations and potential liability.

The Texas Data Privacy and Security Act (TDPSA), which took effect in 2024, applies to businesses that process the personal data of Texas residents. If your firm manages residential-commercial mixed-use properties or collects personal data from tenants, you fall under its scope. The law requires reasonable data security practices, limits on data collection to what is necessary, and notification to the Texas Attorney General within 60 days of discovering a breach affecting 500 or more residents.

Even without a specific state mandate, tenant lease agreements and investor operating agreements increasingly include data protection clauses. If a breach occurs and your firm cannot demonstrate that reasonable security measures were in place, the contractual liability exposure alone can be significant.

Practically, this means your firm needs endpoint detection and response on every workstation and server that handles tenant or investor data. It means access controls that limit who can view lease applications and financial documents. It means encrypted storage and secure disposal of records past their retention period. A cybersecurity risk assessment is the starting point for identifying where your sensitive data lives and whether your current protections match the risk.

Cyber Insurance Now Requires Real Controls

Cyber insurance underwriters have tightened their requirements substantially over the past three years. For CRE firms, the renewal questionnaire increasingly includes questions about network segmentation, endpoint detection, email authentication, backup architecture, and incident response planning.

A firm that runs a flat network, lacks multi-factor authentication, and has no endpoint detection will either face significantly higher premiums or be declined outright. Underwriters have access to external scanning tools that check your email authentication records and exposed services before they even issue a quote. If your DMARC policy is set to “none” or your VPN concentrator is running outdated firmware, the underwriter may know before you do.
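The DMARC points in the email security section above and in the underwriter-scanning paragraph here come down to one question: does the published record actually reject failing mail? The following added example (not Infonaligy's code) parses DMARC TXT records and reports the gaps an external scan would see. The domain names and records are constructed samples; a live audit would resolve the `_dmarc.<domain>` TXT record via DNS and feed it to `assess_dmarc`.

```python
"""Added example: assess whether DMARC records meet the 'p=reject' bar.
Domains and records below are constructed samples, not real lookups."""

# Constructed records keyed by domain; None models a domain with no record.
SAMPLE_RECORDS = {
    "example-cre.test":       "v=DMARC1; p=reject; rua=mailto:dmarc@example-cre.test",
    "example-closings.test":  "v=DMARC1; p=none; rua=mailto:dmarc@example-cre.test",
    "example-old-brand.test": None,
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=...' into a tag -> value dict.
    Returns None when the text is not a DMARC record at all."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (enforcing, findings). enforcing is True only when all failing
    mail is rejected: p=reject, pct=100 (the default) and no weaker sp=."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return False, ["no valid DMARC record published"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy is p={policy or 'missing'}, not reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    # sp= defaults to the organisational policy when absent.
    sp = tags.get("sp", policy).lower()
    if sp != "reject":
        findings.append(f"subdomain policy sp={sp} is weaker than reject")
    if "rua" not in tags:
        findings.append("no rua= aggregate report address; failures go unseen")
    enforcing = policy == "reject" and pct == 100 and sp == "reject"
    return enforcing, findings


def audit_domains(records=SAMPLE_RECORDS):
    """Assess every domain the firm sends from, including old brands and
    transaction-specific domains that are easy to forget."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, (ok, findings) in audit_domains().items():
        print(f"{domain}: {'enforcing' if ok else 'NOT enforcing'} {findings}")
```

The `rua=` check is deliberately separate from the enforcing verdict: a record can reject correctly and still leave the firm blind to who is spoofing it, which matters when a closing coordinator's domain is the one being impersonated.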

We wrote a detailed breakdown of what insurers are requiring for 2026 renewals in our cyber insurance requirements post. The summary: MFA everywhere, EDR on all endpoints, tested backups with immutable copies, a documented incident response plan, and email authentication with DMARC enforcement are now baseline expectations. CRE firms that also operate building automation systems should expect additional questions about OT/IoT segmentation during the underwriting process.

The upside is that the controls insurers require are the same controls that actually reduce your risk. Implementing them for the insurance questionnaire also makes your firm materially harder to breach. Treating the renewal as a compliance checkbox and implementing controls only on paper will not survive a claim investigation.

SOC Monitoring for Multi-Site CRE Environments

CRE firms with multiple properties face a monitoring challenge that single-office businesses do not. Each property may have its own network infrastructure, BAS controllers, access control systems, and tenant WiFi. Security events can originate from any site, and an attacker who compromises a smaller satellite property may use it as a pivot point to reach the corporate network.

A security operations center (SOC) that monitors all properties from a single pane provides the visibility needed to detect cross-site threats. SOC analysts correlate events across locations, so a failed login attempt at one property followed by a successful login at corporate using the same credentials triggers an investigation rather than being dismissed as two unrelated events.
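The cross-site correlation described above, as an added example that is not Infonaligy's SOC tooling: a small detector that reads normalised authentication events from several properties and raises one alert when an account fails at a satellite site and then succeeds at corporate within a short window. The log lines, site names, users and addresses are constructed; the pipe-delimited format stands in for whatever normalised schema the SIEM produces.

```python
"""Added example: correlate failed logins at one property with a later
success at corporate for the same account. All log data is constructed."""
from datetime import datetime, timedelta

# Constructed SIEM-normalised events: timestamp|site|user|result|src_ip
SAMPLE_LOG = """\
2025-03-04T08:01:10|westgate-plaza|jsmith|FAIL|203.0.113.40
2025-03-04T08:01:14|westgate-plaza|jsmith|FAIL|203.0.113.40
2025-03-04T08:01:19|westgate-plaza|jsmith|FAIL|203.0.113.40
2025-03-04T08:04:02|corporate|jsmith|SUCCESS|203.0.113.40
2025-03-04T09:15:00|corporate|mlee|SUCCESS|198.51.100.8
2025-03-04T10:30:00|riverside-tower|mlee|FAIL|192.0.2.77
2025-03-04T13:45:00|corporate|mlee|SUCCESS|198.51.100.8
"""


def parse_events(text):
    """Parse the constructed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, site, user, result, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "site": site,
                       "user": user, "result": result, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def cross_site_login_alerts(events, window=timedelta(minutes=30), min_failures=2):
    """For each SUCCESS at corporate, look back `window` for at least
    `min_failures` FAILs by the same user at a different site. Seen alone,
    each half is noise; together they describe credential testing at a
    satellite property followed by use of the working credential at HQ."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["result"] != "SUCCESS" or ev["site"] != "corporate":
            continue
        prior = [p for p in events[:i]
                 if p["user"] == ev["user"]
                 and p["result"] == "FAIL"
                 and p["site"] != "corporate"
                 and ev["ts"] - p["ts"] <= window]
        if len(prior) >= min_failures:
            alerts.append({
                "user": ev["user"],
                "success_at": ev["ts"],
                "src_ip": ev["ip"],
                "prior_failures": len(prior),
                "failure_sites": sorted({p["site"] for p in prior}),
            })
    return alerts


if __name__ == "__main__":
    for alert in cross_site_login_alerts(parse_events(SAMPLE_LOG)):
        print("ALERT cross-site credential use:", alert)
```

The `window` and `min_failures` thresholds are the tuning knobs; a single mistyped password at a property followed by a normal login at corporate (the `mlee` events above) does not fire, while a burst of failures that immediately precedes a success does.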

For CRE firms, SOC monitoring should cover more than just workstations and servers. Network monitoring at segment boundaries catches unusual traffic from BAS devices. DNS filtering blocks command-and-control communications from compromised IoT hardware. Log aggregation from M365 audit logs, firewall logs, and endpoint detection tools gives the SOC a complete picture of activity across your environment.

The alternative is discovering a breach weeks or months after it started, when tenant data has already been exfiltrated or an attacker has been quietly reading your transaction emails waiting for the right moment to redirect a wire. According to IBM’s Cost of a Data Breach Report, organizations that identify breaches within 200 days spend significantly less on remediation than those that take longer. Multi-site CRE environments without centralized monitoring consistently fall into the slower detection category.

Where to Start

If your CRE firm has not had a formal assessment of its IT and cybersecurity posture, that is the right first step. An assessment maps your current environment, including building automation devices, tenant data flows, email configurations, and network architecture, and identifies the gaps between where you are and where you need to be for insurance, compliance, and actual protection.

The priorities for most CRE firms fall into a consistent pattern: segment building automation and IoT systems from the corporate network, enforce DMARC on all email domains, deploy endpoint detection across all workstations and servers, implement MFA and conditional access in M365, and establish SOC monitoring across all properties. None of these require a multi-year project. A firm with five to ten properties can typically complete the core improvements within 90 days when working with an experienced managed IT and security provider.

The specifics vary by firm size, property types, and existing infrastructure. But the risks, including wire fraud, tenant data exposure, unmonitored building systems, and insurance gaps, are consistent across the CRE industry. Addressing them is a business decision, not a technology project.

Need IT and Security for Your CRE Firm?

We help commercial real estate companies protect tenant data, secure building systems, and meet cyber insurance requirements.