National Advisory Council Explores Cybersecurity Considerations for Building Owners

June 30, 2021 • Caroline Pomilla

BOMA International’s National Advisory Council (NAC), which is made up of senior real estate industry executives, gathered for a virtual program in mid-June on the high-priority topic of protecting commercial buildings from cyberattacks. The program was led by three distinguished guest speakers, Rick Varnell, James Trainor and Lucian Niemeyer, who brought valuable insights from their decades of experience working within the cybersecurity field in both the public and private sectors. The presentation closed with a live Q&A segment, during which NAC members sought guidance on the specific actions owners of commercial buildings should take to better safeguard their buildings. Below are 12 key takeaways from the virtual program:

  1. Modern threats demand modern solutions. As one expert put it, “The past is not indicative of the future as it relates to cybersecurity.” What once worked to protect your building from cyberattacks might not hold up in today’s rapidly evolving tech-first environment. The modern property professional must remain vigilant of emerging threats and opt for a proactive approach, rather than one that is reactive.
  2. It pays to be prepared. While the financial impact of a cyber threat varies depending on the specific attack and the organization targeted, the experts revealed that the reported losses of businesses impacted by cyberattacks are growing at a rate of approximately $1 billion per year.
  3. Risk of threat, and financial losses, are projected to rise. According to cybersecurity experts, both the likelihood and frequency of cyberattacks are expected to climb due to numerous factors, including heightened connectivity, changing diplomatic relations and the availability of ransomware.
  4. Be aware of ransomware. Cyberattacks can come in many different forms, but ransomware tops the chart as one of the most significant cyber threats facing property professionals today. The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency defines ransomware as an “ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.” Roughly 40 percent of all cyber insurance claims nowadays are related to a ransomware event, according to Trainor, who led the Cyber Division at the Federal Bureau of Investigation (FBI) before joining Aon Risk Solutions in 2016.
  5. Know your risk. Experts warn that adversaries are targeting industries that have a lack of investment in cybersecurity protections, as evidenced in recent attacks on the manufacturing and energy industries. Commercial real estate is an increasingly attractive target to attackers as buildings become more tech-enabled and as ransomware attack tools become more accessible.
  6. Know your attacker. The familiar hacker trope depicted in movies is far from an accurate portrayal of the malicious actors behind cyber breaches today. In fact, you might be surprised to learn that ransomware attacks can be launched by almost anyone in this day and age. According to Trainor, the most significant evolution in this form of cyberattack over recent years has been the emergence of a marketplace for bad actors to access the technology needed to complete an attack. In other words, these attacks are being pre-packaged for potential assailants in a “ransomware-as-a-service” fashion, further expanding the pool of bad actors in cyberspace.
  7. Real-world impact. While cyberattacks might occur online, it’s important to understand the very real impacts they can have on the physical world. For example, cyberattacks have the potential to seize a building’s information technology (IT) system, gaining control of critical equipment like elevators, fire controls and HVAC systems. “We see this today as a [business disruption risk], but tomorrow, we see it having a physical impact on any building or asset,” explained Niemeyer, who oversaw the U.S. Department of Defense’s real property portfolio as an Assistant Secretary of Defense before launching the non-profit organization Building Cyber Security.
  8. Consider investing in cyber insurance. Cyber insurance is one box businesses can check to better protect themselves in the event of an attack. However, due to the events of 2020, experts anticipate the cost of cyber insurance premiums will increase anywhere from 20 to 50 percent over the next year. It’s also likely you’ll have to go through a supplemental application just for ransomware, where you’ll be asked to provide information on the controls you currently have in place. And, you might see some limits on your policy. Simply put, investing in cyber insurance is not enough to adequately prepare for a cyberattack, and in some cases, a robust preparedness plan will serve as a prerequisite to even be considered eligible for coverage.
  9. Know your budget. Experts report the ballpark range for businesses to spend on cybersecurity investments is generally around 10 percent of the IT budget, although that figure will vary depending on the organization and its level of risk. To paraphrase Niemeyer, the goal isn’t to be the best at investing in cybersecurity preparedness, so much as it is to be the second worst.
  10. Cybersecurity preparedness = strong leadership. Leadership sets the tone on how well an organization is equipped to prevent and manage a cyberattack. “Most organizations have to go through pain before making changes,” shared Trainor. “Have a framework in place before it’s too late.”
  11. Are you asking the right questions? With buildings facing an increased risk of cyberattack, the dialogue between building owners and their IT teams must be improved. To get started, owners should be sure they’re asking their IT teams the four fundamental questions listed below:
    • Can you track where every exposure within the building system is (e.g., unprotected VPNs and devices)?
    • How integrated is our IT with our OT (operating technologies), and are we comfortable with our ability to monitor them to the degree that we can identify a data anomaly or intrusion?
    • What else could we be doing to enhance the safety of our tenants?
    • How do we know that the tools we’re using, such as firewalls, are working?
  12. Make changes, keep quiet. Once you’ve taken action to bolster your building’s cybersecurity, be sure to keep that information confidential. As Building Cyber Security co-founder Rick Varnell stressed, you don’t want to taunt bad actors with a challenge.
