Cyber risk in the building lifecycle: Smarter buildings will know more about us

Threat landscape

In their strategic planning, real estate companies need to understand their business risk profile and threat landscape. Smart buildings and building management interfaces may be exposed on the Internet, attracting not only the attention of the occasional hackers who may only “check” if systems are vulnerable (not necessarily knowing if they cause any disruption) but also of financially motivated criminal groups that act to extort money. They could simply change the way the building operates, making it unavailable to tenants, visitors, or third parties, or even affect health and safety. Including a threat intelligence and risk analysis in strategic planning will be fundamental for real estate companies in recognizing such threats and in responding to them through the development and adaptation of their security perimeters.

Cloud security

Traditional on-premise systems like CRM, ERP, sales, finance, budgeting, or reporting are all being transitioned to cloud, which can improve long-term forecasting and planning processes. But while the cloud offers numerous advantages—such as centralized management, scalability, reliable data storage, and enhanced automatic processing—the transition can pose cyber risks. A cloud security analysis should be part of the cloud transition strategy, and a security risk analysis should be performed in case of any major changes in the business or in the supporting technology.

Interconnectivity

New buildings may incorporate standard protocols that will facilitate data exchange with other smart buildings, smart city ecosystems, third parties, suppliers, or even tenants, extending the potential attack surface. This clearly raises questions about how this information is protected in transit, how the connected systems or interfaces are protected, or even whether the connected suppliers increase the risk profile. Tenants and suppliers alike will need to adhere to specific security requirements to be connected so that real estate companies are capable of managing their risks throughout the contract lifecycle. What is more, real estate companies will need to develop mature capabilities and cooperate with third parties and tenants not only to prevent but also to detect and respond to cyberattacks.

Cyber resilience

Buildings will know not only what we do but how and when we do it. We will be recognized by the building every time we appear in the office (facial biometric recognition for commercial and office space is now a fact). The question is, what happens if a visitor is not recognized by the building? Would anyone be able to control the way the building reacts to specific people? How can tenants be sure the building is resilient to cyberattacks?

To respond to these real concerns real estate companies will have to adopt security practices that until now have mainly only been followed by the financial industry and other risk-sensitive sectors. Activities such as red teaming or cyberattack simulations can help real estate companies verify whether they are resistant to cyberattacks and whether their personnel is alert to such threats, properly trained, and capable of responding effectively.

Real Estate Predictions 2019

29/01 - Data Driven Business Models will change the Real Estate Industry

29/01 - Digital Twins in Real Estate

31/01 - Industrial Property: ugly duckling no more

07/02 - Circularity

11/02 - Cyber Security Issue 1

14/02 - Cyber Security Issue 2

21/02 - Blockchain

28/03 - Strategic Approach to Real Estate Management

07/03 -  Future of Work

14/03 -  Future of Commercial Real Estate

21/03 - Transit Oriented Development and Land Value Capture