Issue link: https://nebusinessmedia.uberflip.com/i/1332010
HartfordBusiness.com | January 11, 2021 | Hartford Business Journal 31 J ust a year ago, commercial property owners were focused on providing amenities Millennials wanted in order to attract companies that employ them. Devoting additional square footage to a state-of-the-art gym, recreation room or coffee shop was a sound investment despite the resulting loss in rentable area. In the world of commercial real estate the term "experiential" was used by brokers to promote a building . In 2021, concerns for health and safety will likely eclipse the importance of tenant amenities. As a competitive differentiator in a difficult market, owners of Class-A office buildings are now providing a high level of detail documenting steps they are taking to protect tenants from COVID-19. After-hours ventilation; better filtration Most office leases specify the operating hours for a building's HVAC system. Tenants can expect landlords to provide, at no extra cost, heating and cooling roughly during normal 8 a.m. to 5 p.m. business hours, but tenants must pay extra for after-hours HVAC service. Even in Class-A buildings, those working evenings or weekends might find themselves chilly or warm unless their employer is willing to pay for after-hours HVAC. However, what was once merely uncomfortable may now be dangerous. Since COVID-19 is primarily transmitted through air droplets, increased ventilation and improved air filtration is the key to reducing risk. With the HVAC system offline, air stagnates. Previously, negotiations of the HVAC lease provision focused on the periods and costs of maintaining a comfortable temperature. Now negotiations will additionally address the quality of air filtration and the allocation of the costs of extended ventilation periods. W hen I read last year that employees at layoff- and buyout-battered Tribune Publishing newspapers (including the Hartford Courant) received mock phishing emails promising bonuses of $5,000 to 10,000, my heart sank. I can only imagine how the journalists themselves felt. Simulated phishing exercises, in which emails that resemble those coming from hackers are sent to employees to gauge and promote cybersecurity awareness, are becoming increasingly common at companies of all sorts around the globe. These exercises can either build trust with employees or degrade it depending on how they are handled by leadership. Believable, not hurtful If you're wondering, "How could Tribune have thought dangling bonuses in a fake phishing email would be a good idea?" here's what they were thinking: "What's an email concept so enticing it will really put our employees' cybersecurity training to the test?" It's a good question to be asking, but only half the equation. Phishing emails from hackers often look quite real, as if they are coming from a boss or coworker, and the content is designed to make recipients click without thought. There are always tells in these emails — such as misspelled words or strange wording — and hackers want to cause an emotional spike so that these go unnoticed. They commonly do this through urgency (saying that an immediate action is needed to avoid disaster) or salaciousness (sending what appears to be a link to salaries for the whole company sent in error). In order to be a real test of cybersecurity awareness, simulated phishing emails need to use these same tactics. However, leaders must also ask, "Could the content of this email be hurtful to anyone on the team?" It's important to pause and imagine how employees will feel once the ruse is revealed. Will they feel like this was a constructive step in building their cybersecurity awareness? Or will they feel duped? Hackers tailor phishing emails to the organizations they target, and a very savvy hacker might realize that pretending to offer bonuses to underpaid journalists could be effective. In that regard, Tribune Publishing's fake phishing emails were realistic. However, there are certainly other narratives that would have been just as effective without looking so much like callous mocking in the end. Assess results as a team Once the results of the phishing exercise are in, those who took the simulated phishing bait should not be pointed out publicly on an individual basis. Instead, it's helpful to share the overall percentage of employees who would have fallen for the attack had it been real. The team can track their progress as a whole without singling out or shaming individual employees. When the results of a phishing exercise are treated with discretion, certain brave employees are likely to come forward voluntarily to share their story of how the exercise fooled them. Without any judgment, encourage them to share their experience. If they can describe what was passing through their mind when they saw the email, it can help others recognize when their cybersecurity awareness may be dulled. Leaders: Be vulnerable If company leaders are among those who clicked the simulated phishing link, it can be particularly powerful if they are willing to open up about this. I've done it myself. In addition to conducting simulated phishing exercises for our clients, Kelser Corp. also regularly tests our own team with simulated phishing. In one case, I fell for the ruse. By coming forward to admit that I clicked the link, I made everyone else who did so as well feel better about it. I was able to show that we don't do simulated phishing to make anyone feel bad. We do it to sharpen our senses so we can work together to beat cybercrime. We do it because anyone can be phished — even the CEO of an IT company who has been in this industry for almost 40 years — so we all have to sharpen our skills. OPINION & COMMENTARY EXPERTS CORNER A brave new world of commercial leasing EXPERTS CORNER How to do simulated phishing exercises ethically Geoffrey F. Fay Barry Kelly Geoffrey F. Fay is a real estate attorney with law firm Pullman & Comley Barry Kelly is CEO of Kelser Corp., an IT consulting firm in Glastonbury By Geoffrey F. Fay By Barry Kelly Beyond cleaning When the pandemic hit, many landlords increased their cleaning schedule. Now that we know more about how the virus remains on surfaces, office leases should include more specificity about cleaning than previously considered. The Centers for Disease Control and Prevention defines "sanitizing" differently than "cleaning," and it's the former that's needed to kill the COVID-19 virus. Before 2020, I never saw the word "sanitize" appear in office lease standards. Today, that's the word tenants want to see. They want to know that door handles, buttons, restroom fixtures, and any other touchpoints are being sanitized many times per day. Force majeure redefined At the onset of this pandemic, businesses took a fresh look at their business interruption insurance policies and most learned that, subsequent to the SARS outbreak in 2002, carriers excluded losses from pandemics from most policies. These days, force majeure — specified circumstances beyond one's control that may temporarily relieve a party's performance of a contract obligation — is no longer brushed aside as "boilerplate" lease language. Force majeure clauses now require more thoughtful negotiation, which often involves the landlord's lender, because it potentially imperils a dependable rental stream and shifts a new risk to landlords and lenders. This pandemic has taught us that tenants need flexibility that force majeure clauses can't address. If remote work is viable for one business, a right to reduce the size of the leased premises should be considered. If remote work is not viable, a right to expand should be considered so employees can be adequately spaced. The distribution of effective vaccines should be celebrated. But the concerns people will have about returning to office towers with crowded lobbies, elevators and cafeterias will remain, so lease provisions addressing building operational and maintenance standards warrant a fresh look.