Cybersecurity Vocabulary: What CRE Leaders Should Know

Posted by [email protected] on 01/17/2026 8:12 pm / Industry Pulse

Commercial real estate (CRE) leaders do not need to become security engineers. They do need enough shared vocabulary to ask better questions, spot weak assumptions, and make smarter tradeoffs when buildings, portfolios, and tenants depend on connected systems.

This guide translates common cybersecurity terms into the language of property operations and facility management (FM). It is designed to help CRE leaders have more productive conversations with IT and cybersecurity teams about risks that hide inside building systems, vendor connections, remote access, and data platforms.

The Foundations

Attack Surface

An attack surface is every place an outsider can touch a system. In CRE terms, it is not just the “front door” (the login screen). It includes every connected endpoint: building automation system (BAS) gateways, IoT sensors, remote access tools, vendor portals, APIs between platforms, and even retired integrations that still run. Like a campus with multiple entrances, loading docks, and roof hatches, the risk grows as more access points are added and fewer are inventoried.

Threat Model

A threat model is a structured way to ask: “Who would target this, what do they want, and how might they get it?” It is the cyber version of planning security coverage for a building based on occupants, assets, and credible scenarios. For CRE, threat modeling often means mapping the path from a phishing email to compromised credentials, then to a vendor remote connection, then to BAS controls or sensitive tenant data.

CIA Triad

The CIA triad is the core set of outcomes security protects: confidentiality, integrity, and availability.

- Confidentiality: tenant, employee, or financial data is only seen by authorized parties.

- Integrity: data and control signals remain accurate and unaltered, including work orders, access rights, meter data, and BAS setpoints.

- Availability: building and business systems stay usable when needed, such as dispatch, access control, life safety monitoring, and portfolio reporting.

In CRE, integrity and availability matter as much as confidentiality, because “wrong data” and “no access” can disrupt operations just as quickly as a leak.

Identity and Access

Authentication

Authentication answers “Who are you?” In buildings, it is the badge check at the door. In cyber, it is passwords, multi-factor authentication (MFA), passkeys, or single sign-on (SSO). For CRE, weak authentication is like issuing identical keys to multiple contractors. It makes it hard to know who entered, and easy for a stolen credential to look legitimate.

Authorization

Authorization answers “What are you allowed to do?” In buildings, it is the difference between a tenant badge that opens the lobby and a facilities badge that opens electrical rooms. In cyber, it is the rules that determine whether a user can view leases, approve invoices, change BAS schedules, or export tenant lists. Many breaches happen here when systems fail to check permissions consistently, especially in “admin” screens and integration workflows.

Least Privilege

Least privilege means giving each person, system, and vendor only the access needed to do the job, and nothing extra. In CRE, it is key control, not handing out a master key because it is convenient. Least privilege limits the blast radius when a credential is stolen or a vendor account is compromised.

Core Defenses

Encryption (Symmetric and Asymmetric)

Encryption makes data unreadable without the right key. It is the cyber equivalent of locking documents in a safe while they are stored, and sealing them in a tamper-resistant courier pouch while they move.

- Symmetric encryption: the same key locks and unlocks, fast for large volumes of data.

- Asymmetric encryption: a public key locks and a private key unlocks, useful for proving identity and securely exchanging keys.

For CRE, encryption matters for tenant data, access logs, invoices, and BAS data streams, especially when systems span properties and vendors.

Hashing

Hashing creates a one-way fingerprint of data that cannot be reversed. It is like a tamper-evident seal number on a valve or panel: it does not show the contents, but it proves whether something changed. Hashing is used to store passwords safely and to detect unauthorized file changes.

TLS/HTTPS

TLS (Transport Layer Security) is the protective “tunnel” that secures data moving across networks. In CRE terms, it is the difference between discussing sensitive information over an encrypted radio channel versus shouting it across a crowded lobby. HTTPS is ordinary web traffic (HTTP) carried inside that TLS tunnel. Without TLS, credentials, invoices, and operational data can be intercepted or altered in transit.

Network-Level Security

Firewall

A firewall filters traffic before it reaches systems. In a building, it is the combination of perimeter fencing, staffed entrances, and rules about who can enter where. In networks, it enforces “only these sources can reach this system, and only on these ports and protocols.” Firewalls are effective until rules get too permissive, which is the cyber version of leaving a service entrance propped open.

Zero Trust

Zero trust is the principle that no request is trusted by default, even if it comes from “inside.” In CRE terms, it is checking credentials not just at the lobby, but also at the mechanical room door and the BAS workstation, because an intruder can enter through a side door. Zero trust pushes continuous verification: identity, device health, and permission checks every time.

VPN

A virtual private network (VPN) is a private tunnel into internal systems. It is like providing a secure staff-only corridor from the street directly into the building operations center. VPNs help remote work, but they can also provide broad access once connected. In CRE environments, VPNs should be paired with least privilege, segmentation, and time-limited access, especially for vendors.

Application-Level Risks

SQL Injection

SQL injection happens when an attacker manipulates a system’s input to change what the database does. A CRE analogy is altering a work order form so the system quietly approves a fraudulent vendor payment or exposes tenant records. It is an old attack that persists when input is not handled safely and systems trust what users submit.

Cross-Site Scripting (XSS)

XSS allows an attacker to inject malicious script into a website so it runs in a user’s browser. In CRE terms, it is like someone placing a convincing but harmful notice on a shared digital kiosk or tenant portal bulletin board. It can lead to stolen logins, fake actions, and account takeover.

Cross-Site Request Forgery (CSRF)

CSRF tricks a logged-in user’s browser into performing an action the user did not intend. A CRE analogy is an email that looks like a normal link but silently triggers “approve invoice” or “change banking details” because the user is already authenticated. Strong protections add extra verification for sensitive actions.

Server-Side Request Forgery (SSRF)

SSRF occurs when a server is tricked into making network requests that it should not make, often into internal systems. In CRE terms, it is like persuading a trusted building concierge to deliver a package into a restricted electrical room because the label looks official. SSRF can expose internal services and credentials that were never meant to be reachable.

Modern Infrastructure Security

IAM (Identity and Access Management)

IAM governs who and what can do what in cloud platforms and enterprise systems. In CRE terms, it is the master keying plan and access matrix for a portfolio, applied to applications, integrations, and service accounts. Misconfigured IAM is a common root cause of major incidents because it can unintentionally grant broad control over data and systems.

Secrets Management

“Secrets” are passwords, API keys, certificates, and tokens that unlock access. Secrets management is the controlled key cabinet for digital systems, with check-out logs and rotation schedules. Storing secrets in spreadsheets, emails, or hard-coded into integrations is the cyber equivalent of taping spare keys under the doormat.

Container Security

Containers package software and its dependencies so it runs consistently. In CRE terms, containers resemble packaged equipment skids: standardized, convenient, and quick to deploy, but still risky if shipped with unnecessary components, outdated parts, or excessive privileges. Container security focuses on minimizing what is included, scanning for known vulnerabilities, and limiting what the “package” can access if it is compromised.

Defensive Engineering

Rate Limiting

Rate limiting controls how many requests a user or device can make in a time window. A CRE analogy is limiting repeated badge attempts at a door or throttling repeated calls to a help desk line to prevent disruption. It reduces brute-force login attempts, credential stuffing, and automated abuse.
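The following is an added example, not code from the original article: a small sliding-window limiter that counts failed login attempts per account (to slow a brute-force guess against one account) and per source address (to slow credential stuffing across many accounts). The limits, window, account names and addresses are assumptions constructed for the example.

```python
import time
from collections import defaultdict, deque

class LoginRateLimiter:
    """Sliding-window limiter on failed attempts, keyed by account and by source address.
    Assumed policy (constructed): 5 failures per account, 20 per source, inside a 60-second window."""
    def __init__(self, window_s=60, per_account=5, per_source=20):
        self.window_s, self.per_account, self.per_source = window_s, per_account, per_source
        self._by_account = defaultdict(deque)   # account -> timestamps of recent failures
        self._by_source = defaultdict(deque)    # source  -> timestamps of recent failures

    def _recent(self, q, now):
        while q and now - q[0] > self.window_s:   # drop failures older than the window
            q.popleft()
        return len(q)

    def allow(self, account, source, now=None):
        """True if this attempt may be processed at all; check the credential only after this passes."""
        now = time.time() if now is None else now
        return (self._recent(self._by_account[account], now) < self.per_account
                and self._recent(self._by_source[source], now) < self.per_source)

    def record_failure(self, account, source, now=None):
        now = time.time() if now is None else now
        self._by_account[account].append(now)
        self._by_source[source].append(now)

def simulate(limiter, attempts):
    """Replay (account, source, time) failed attempts; return how many the limiter refused outright."""
    blocked = 0
    for account, source, t in attempts:
        if limiter.allow(account, source, now=t):
            limiter.record_failure(account, source, now=t)   # constructed: every guess is wrong
        else:
            blocked += 1
    return blocked

# Constructed scenarios: brute force (one account, 8 guesses a second apart) and
# credential stuffing (30 different accounts from one source, one guess each).
BRUTE_FORCE = [("fm-admin", "198.51.100.7", float(i)) for i in range(8)]
CREDENTIAL_STUFFING = [(f"tenant{i:02d}", "203.0.113.10", float(i)) for i in range(30)]
```

The per-account limit stops the brute-force run after 5 guesses (3 refused), while only the per-source limit catches the stuffing run, refusing the last 10 of 30 accounts.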

Logging and Monitoring

Logging and monitoring capture what happened and alert teams to unusual behavior. In CRE terms, it is the combination of security camera footage, access control event logs, BAS trend logs, and alarm management. Strong monitoring looks for patterns, not just single events: a spike in failed logins, unusual remote access times, or a system suddenly making new connections.
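As an added example (not part of the original article), the three patterns named above can be expressed as simple detections run over access, VPN and BAS gateway events. The log format, account names, addresses, the 07:00 to 19:00 operating window and the baseline of expected BAS destinations are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample events (not from any real system): timestamp, source system, event, key=value fields.
SAMPLE_LOG = """\
2026-01-17T09:02:11Z sso LOGIN_OK user=jdoe src=10.20.1.15
2026-01-17T09:03:40Z sso LOGIN_FAIL user=jdoe src=10.20.1.15
2026-01-17T02:14:05Z vpn LOGIN_OK user=hvac-vendor src=198.51.100.7
2026-01-17T02:15:30Z bas CONNECT src=bas-gw-01 dst=10.20.5.10:47808
2026-01-17T02:16:02Z bas CONNECT src=bas-gw-01 dst=203.0.113.45:443
2026-01-17T11:00:01Z sso LOGIN_FAIL user=ap-clerk src=198.51.100.9
2026-01-17T11:00:19Z sso LOGIN_FAIL user=ap-clerk src=198.51.100.9
2026-01-17T11:00:41Z sso LOGIN_FAIL user=ap-clerk src=198.51.100.9
2026-01-17T11:01:05Z sso LOGIN_FAIL user=ap-clerk src=198.51.100.9
"""
# Constructed baseline of destinations the BAS gateway is expected to talk to (BACnet/IP peers).
BASELINE_DESTINATIONS = {"10.20.5.10:47808", "10.20.5.11:47808"}
def parse(line):
    ts, system, event, *kv = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "system": system, "event": event, **dict(p.split("=", 1) for p in kv)}

def failed_login_spikes(events, threshold=4, window_s=300):
    """Pattern, not single event: one account reaching `threshold` failures inside `window_s` seconds."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    alerts = []
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts.append(f"failed-login spike: {user}")
                break
    return alerts

def off_hours_remote_access(events, start_hour=7, end_hour=19):
    """Successful VPN logins outside the assumed 07:00-19:00 operating window (UTC in this sample)."""
    return [f"off-hours remote access: {e['user']} at {e['ts'].isoformat()}" for e in events
            if e["system"] == "vpn" and e["event"] == "LOGIN_OK" and not start_hour <= e["ts"].hour < end_hour]

def new_connections(events, baseline=BASELINE_DESTINATIONS):
    """A building system suddenly talking to a destination that is not in its baseline."""
    return [f"new outbound connection: {e['src']} -> {e['dst']}"
            for e in events if e["event"] == "CONNECT" and e["dst"] not in baseline]

def run_all(log_text=SAMPLE_LOG):
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    return failed_login_spikes(events) + off_hours_remote_access(events) + new_connections(events)
```

On the sample, a single failed login by jdoe raises nothing, while the clustered failures against ap-clerk, the 02:14 vendor VPN login and the gateway's connection to an unlisted address each produce one alert.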

Call to Action

This vocabulary is most useful when it becomes shared language. CRE leaders can circulate it to property, FM, IT, and vendor management teams so discussions about cyber risk become clearer, faster, and more consistent. The goal is not perfection. The goal is earlier detection of hidden exposures and smarter coordination with cybersecurity specialists before small gaps become expensive incidents.