We need to talk about cybersecurity

The correct implementation of the Internet of Things (IoT) and associated technologies is one of the most consequential topics today. Think of it like this: cybersecurity is to the 21st century, what nuclear was to the 20th century – cybersecurity, data privacy and data sovereignty are the big issues of our time, and it’s essential that they’re tackled head-on.

Cast your mind back to 2007: the first iPhone is yet to be released, Facebook has only been available to the mass market for one year, and one billion people are operating online. It feels somewhat alien to think of now, but the digital landscape looked very different just over a decade ago.

Fast forward to now. Over 3.5 billion people are operating online, cloud computing is the norm, most people own two or more smart devices, and we are all dependent upon the internet in some way, shape or form. Not to mention the fact that many of the objects and systems we count upon to control our surroundings are connected to the internet.

This is exciting. Technology allows us to do, see, and achieve things like never before, but we must consider the bearing this has upon our cyber safety, and the new vulnerabilities we’re exposing ourselves to in regards to cybercrime. The benefits we enjoy from remote control, analytics and predictive maintenance, simultaneously raises the threat landscape, heightening the need for better, more robust cybersecurity measures to be in place.

Once upon a time, the consequences of cyber attacks resided within the virtual world alone. Now, however, cybercrime can have devastating implications on both the virtual and physical worlds…

• Virtual cyber attacks refer to instances where the consequences are non-physical, for example, hacking into an online bank account. Ultimately, it’s a big crime, but no one is physically harmed.
• On the flipside, cyber attacks on physical, internet-connected systems have real-world consequences. For example, if a smart/autonomous vehicle was hacked, the physical implication would be a crash. Or, if a smart building was hacked into, the Heating Ventilation & Air Conditioning (HVAC) could be tampered with, impacting the physical health of the inhabitants.

More internet-embedded devices allow for greater understanding and control of our physical world. However, if that technology is not deployed and operated with resilient processes, the more vulnerable we could become to cyber attack causing the loss of data and control over systems.

Building systems, such as Heating Ventilation and Air Conditioning (HVAC) and lighting, are connected to the internet, if this connection is not properly monitored, it could provide a direct line into the building, and the other connected devices held within.

There are two important distinctions to draw between the ways in which buildings are vulnerable:

1. Digital vulnerability – In times gone by, a shop would be robbed for the physical goods held in the store. Now, thieves connect to the HVAC system to steal data from the cloud. Although the data itself is not physically stored within the building, a data breach can occur because the threat landscape is higher (partly due to greater IT/OT integration), providing access to the cloud computing services used by building tenants.
2. Physical vulnerability – an attack on a physical, internet-connected system (like smart lights) would allow the attacker to alter the conditions within the building itself. For example, they could turn all the lights off or tamper with the heating controls.

Following on from this, Information Technology (IT) systems are increasingly integrated with Operational Technology (OT) systems. IT systems manage data-centric computing (the virtual stuff) whilst OT systems are used for monitoring processes and devices, and making operational adjustments (the physical elements). This integration, if mismanaged, provides an opportunity for operational tech to be hacked into from anywhere in the world.

In-building cybersecurity relates to the policies and practices that ensure the building’s systems and data are secure and are following the right protocols and standards, recognizing that as buildings become more technologically advanced, the risks and consequences of a system failure (through error or deliberate action) increase significantly.

Previously, landlords and building owners haven’t felt that cybersecurity is necessarily their responsibility. But, as building systems become internet-enabled, tenants expect landlords to go beyond ensuring that their personal safety is considered. Tenants now require the assurance that their data and their environment is safe: i.e. tenants expect to work in non-hackable buildings. It’s therefore essential that a landlord has technology, policies and procedures in place, and can outline a robust strategy that sets a standard that any system development or upgrade must conform to.

Beyond penetration testing and strategy, a really key element of cybersecurity within real estate (or any sector for that matter), is responsibility. It’s of utmost importance that any company or organization has one or more dedicated personnel for whom cybersecurity and data ethics are top-of-mind concerns. If a business considers itself cyber aware, yet has no single person who is responsible for cyber concerns, then it’s time to reassess the board. For any cyber protocol to be effective, it’s essential that there is someone operating within the organization who is ready to do the research and take meaningful action.

The future of real estate really depends on communication. It’s essential that landlords and tenants talk regularly and coherently about cybersecurity to create an open channel of discourse, allowing for a healthy partnership and two-pronged approach to cybersecurity to develop. It’s also a must that the real estate industry broadens its workforce by hiring the appropriate skill sets able to respond to the challenges presented by cybercrime.

As we push towards a more digitally-minded future, a bifurcation within real estate is set to occur: those landlords willing to move with the times and listen to the tenants will emerge as successful by virtue of their future-forward vision; but those who turn a deaf ear to the tenant and stubbornly ignore the responsibility that a cyber-safe future places on their shoulders, will become obsolete.