Latest news

← See all

Cyber risk in real estate

May 17, 2017

The Ransomeware attacks of the past few days have been a stark reminder of just how vulnerable many of the business systems we rely on day to day are. This is despite the significant investment all sectors are putting into procedures to defend against them. What is interesting is that the investment in cyber defence and risk management frameworks is invariably targeted at business systems, i.e. those that hold a wide variety of data and allow businesses to function. Where there is limited investment and more importantly limited understanding, is within property systems – those that actually enable the operation of a building.

The days have past for most businesses where everything was controlled by manual switches, operated by the last person out or the security guard on their rounds. Building Management Systems (BMS) now connect lighting, heating, ventilation, cooling and vertical transportation which in turn are connected to fire protection, CCTV and access systems. The technology revolution has seen a transformation in the property sector that has changed the way buildings are operated. These smarter and connected buildings are what enable our workplaces to be the flexible, efficient and productive nerve centre of a modern business. This quiet revolution has had a major impact on the way we all now work, but the investment in protecting these IT enabled facilities from potential cyber-attack has been pitifully low.

The complex contractual relationships associated with property ownership and occupation makes the sector unique. Landlord to occupier; occupier to sub-tenant; landlord to flexible office provider to occupier; to name but a few. Add in the outsourcing of property and facilities management from each of parties involved in the occupation and ownership chain and the picture becomes even more confused. Each party will seek to embrace innovation and connectivity of ‘their’ systems. Some may have independent technology solutions others may be integrated, but where they will all differ most significantly, is on the degree of sophistication and approach to cyber security.

As the interconnectivity of property continues to evolve, so too do the risks of cyber-attacks. The associated results of such an attack can range significantly and often go undetected. These can be categorised into 3 clear potential consequences;

1. Data loss – the privacy of the business, client, employee, supply chain data. The interconnectivity of internal systems between property and business needs to be understood and controlled.

2. Physical harm – cyber risk within property can potentially cause significant issues if attacks are targeted at lift systems or heating systems for example. These can affect business continuity through the closing of a building or affect the safety of staff.

3. Economic loss – These can be from various, including transaction theft, legal liabilities, reputational or brand damage.

Our experience shows that mitigation solutions for cyber-attacks are invariably not technical in application but are based on a framework, with a requirement to enhance processes, governance and controls throughout the property life cycle. For many the perceived complexity of reviewing and rebuilding such a framework is a problem for ‘another day’, due to the lack of a burning platform or actual attack. This sentiment is changing and we have seen the financial sector taking the lead, expanding their focus onto property systems as well as their business systems.

Whilst every organisation provides different challenges and complexities there is a clear set of elements that will need to be answered when developing a property cyber risk mitigation plan;

  • What is the existing management structure and reporting
  • What is the governance assurance process for each stage of a property life cycle?
  • What framework, standards and certification exist within the current process?
  • What tools and technical capabilities, including network segmentation options exist or are required?
  • What are the existing supply and third party responsibilities and how robust are these?
  • What is the incident response plan?

The opportunity for smart, connected buildings is the future of the workplace. To achieve resilience within a portfolio however it is essential that the real estate sector understand that every business is a continuous target for cyber criminals and more wide spread attacks via property systems at some point is inevitable.

Sam Pickering, Partner – Head of resilience

Apr 6, 2017

This July, a team from Incendium will take part in ‘Ride London’ to raise money for the National Autistic Society (NAS).

Read more

Apr 3, 2017

Congratulations to Incendium's running duo, Yusra and Imogen, for completing the Hyde Park 10km last weekend in 1 hour and 3 minutes with an average pace of 6:20/km.

Read more

Apr 2, 2017

We are proud to reveal the launch of our African business, under the leadership of Eduard van Zyl.

Read more