Our buildings are getting smarter, but as technology enables organisations to do everything from control heating remotely, to enable digital payments on vending machines, it also means new risks are emerging.
We know embracing technology in our buildings offers significant benefits. Automatic centralised control of a building’s heating, ventilation, air conditioning and lighting systems can make it a better and more productive place to work.
Technology can also make a building more secure. CCTV systems can be monitored by security partners, and entry systems based on facial and fingertip recognition can deter unwanted visitors.
Connected technologies can also drive efficiencies. By monitoring data such as temperature, water usage and foot fall, exactly the right amount of energy can be used 24/7. This is a big tick in the ESG box too.
Having access to all this data can also give an organisation insight into how a building is used. This intelligence might inform a decision on redesign, retrofitting or even support relocation.
But there are risks too. As our buildings are transformed into technology hubs, organisations must consider how they manage digital and cyber risks alongside more traditional property risks.
Connected and shared networks offer potential vulnerabilities for cyber criminals to exploit. Whether it’s a criminal taking advantage of a hole in your security or exploiting the weak security of a partner’s system to steal log-in details for yours, connected technologies are potential gateways to your network. Cyber security needs to be robust throughout the supply chain. Data, especially personally identifiable information, is incredibly valuable and, if stolen, can be incredibly costly.
Malicious damage is another possibility. A connected system could be hacked to enable the thermostat or air quality settings to be adjusted or fire alarms and sprinklers to be triggered. This could result in various problems including property damage, personal injury and business interruption.
Connected technologies also bring concerns around who has access to the data. These security concerns are such that, in November 2022, the UK Government banned the installation of surveillance cameras made by manufacturers from specific countries on sensitive sites (for example any government facility including council premises) and advised removing existing equipment. A similar approach was made in the UK’s core communications infrastructure under the UK’s Telecommunications Act 2021.
Another risk with connected buildings is how they interface with other technologies. The energy-efficient fabric of connected buildings can mean they become victim to signal blackspots for Wi-Fi and mobile phone signals (in particular 5G).
The National Cyber Security Centre has just issued a warning that the threat to the nation’s most critical infrastructure, which includes broadband and electricity suppliers and the National Grid, is ‘enduring and significant’.
All these technologies are dependent on electricity, and a power cut can be a much bigger issue than just the lights going out. (See ALARM Risk Awards winner, Tim Rollett’s article on power outage resilience on page 46 of October stronger.)
Ensuring risks are well managed enable buildings and their occupants to enjoy the benefits of connected technology.
Aon’s top tips for controlling risks
Assess the risk
Determine which technology within a building is connected and whether it poses a risk. Also check your supplier’s terms and conditions if they have access. If they do, are you comfortable with this? We recommend aligning to the National Cyber Security Centre’s Cyber Assessment Framework when conducting this risk assessment.
Determine critical areas
These may be systems that are essential for the organisation’s operations or networks where sensitive data is held. For many public service organisations, this is likely to include personally identifiable information on members of the public.
Ensuring critical elements are protected is a priority. Networks can be segregated to ensure that sensitive data is held securely and not readily accessible to someone updating the software for your heating system. A cyber security expert can provide guidance to help you address any vulnerabilities. This might also include regular penetration testing so you can see just how secure your systems are – or aren’t.
Ensure supplier security
Your risk assessment should also extend to the security arrangements in place with your suppliers, especially if they are able to monitor your data or update their software remotely. You may want to renegotiate terms with suppliers or, as a minimum, ensure they have adequate cyber security in place to prevent a hacker using their systems as a gateway to yours.
Involve IT in procurement
It’s prudent to involve IT when purchasing any connected technologies so that any risks can be identified at this stage. Procurement can often focus on the functionality of these connected services, rather than the potential cyber risks. Involving IT at this phase will ensure that appropriate steps are taken to protect the organisation’s network and that security requirements become a key part of the tender.
A data breach or cyber attack can be extremely disruptive and damaging to an organisation’s services and reputation. Cyber insurance is available to organisations wishing to transfer this risk but, as insurers set high acceptance criteria, uninsured organisations can struggle to get cover. Where this is the case, Aon can provide support and advice around reducing your organisation’s cyber risk.