By Sam Pickering, Partner – Head of Resilience – energy, sustainability and risk, Incendium Consulting

The ransomware attacks of the past few days have been a stark reminder of just how vulnerable many of the business systems we rely on day to day are. This is despite the significant investment all sectors are putting into procedures to defend against them. What is interesting is that the investment in cyber defence and risk management frameworks is invariably targeted at business systems, i.e. those that hold a wide variety of data and allow businesses to function. Where there is limited investment and, more importantly, limited understanding is within property systems – those that actually enable the operation of a building.
The days have passed for most businesses where everything was controlled by manual switches, operated by the last person out or the security guard on their rounds. Building Management Systems (BMS) now connect lighting, heating, ventilation, cooling and vertical transportation, which in turn are connected to fire protection, CCTV and access systems. The technology revolution has seen a transformation in the property sector that has changed the way buildings are operated. These smarter and connected buildings are what enable our workplaces to be the flexible, efficient and productive nerve centre of a modern business. This quiet revolution has had a major impact on the way we all work, but the investment in protecting these IT-enabled facilities from potential cyber-attack has been pitifully low.
The complex contractual relationships associated with property ownership and occupation make the sector unique. Landlord to occupier; occupier to sub-tenant; landlord to flexible office provider to occupier; to name but a few. Add in the outsourcing of property and facilities management from each of the parties involved in the occupation and ownership chain and the picture becomes even more confused. Each party will seek to embrace innovation and connectivity of ‘their’ systems. Some may have independent technology solutions, others may be integrated, but where they will all differ most significantly is on the degree of sophistication and approach to cyber security.
As the interconnectivity of property continues to evolve, so too do the risks of cyber-attacks. The associated results of such an attack can range significantly and often go undetected. Impact can be categorised into three clear potential consequences:

  1. Data loss – the privacy of business, client, employee and supply chain data. The interconnectivity of internal systems between property and business needs to be understood and controlled.
  2. Physical harm – cyber risk within property can potentially cause significant issues if attacks are targeted at lift systems or heating systems, for example. This can affect business continuity as well as the safety of staff.
  3. Economic loss – this can take various forms, including transaction theft, legal liabilities, reputation or brand damage.

Our experience shows that mitigation solutions for cyber-attacks are invariably not technical in application but are based on a framework, with a requirement to enhance processes, governance and controls throughout the property life cycle. For many, the perceived complexity of reviewing and rebuilding such a framework is a problem for ‘another day’, due to the lack of a burning platform or actual attack. This sentiment is changing and we have seen the financial sector taking the lead, expanding their focus onto property systems as well as their business systems.
Whilst every organisation provides different challenges and complexities, we have developed a clear set of questions that will need to be answered when developing a property cyber risk mitigation plan:

  • What is the existing management structure and reporting?
  • What is the governance assurance process for each stage of a property life cycle?
  • What framework, standards and certification exist within the current process?
  • What tools and technical capabilities, including network segmentation options, exist or are required?
  • What are the existing supply and third-party responsibilities and how robust are these?
  • What is the incident response plan?

The opportunity for smart, connected buildings is the future of the workplace. To achieve resilience within a portfolio, however, it is essential that the real estate sector understands that every business is a continuous target for cyber criminals and that more widespread attacks via property systems are inevitable.