• International Workplace
  • 5 December 2017

Cyber security: the modern FM’s role

Cases of cyber-attacks and corporate espionage are on the rise, according to software provider Urgent Technology. In 2017, one notable high-profile cyber-breach was that of the UK’s National Health Service (NHS), in which computers throughout the UK were frozen by an attack of ‘ransomware’. The increasing adoption of the Internet of Things (IoT), which connects devices throughout a building or even an entire city, brings many operational benefits by automating building services, but also opens up the real risk of organisations being hacked through their Building Management Systems (BMS).

As the lynchpin behind the maintenance of a building’s operational integrity, today’s facilities manager (FM) plays an important role in protecting systems against hackers as well as meeting the latest regulatory standards.

In response, Urgent Technology has produced a white paper, which explores the threats posed by cyber-security breaches, and explains how the FM can become the guardian of an organisation’s security and data.

“Cyber-hacking is no longer the sole concern of the IT department; it is an assault on the entire organisation, from the C-Suite, to HR and FM,” the paper states.

“The systems used to automate and maintain building controls can be used to deliver building managers and FMs vital data on a variety of areas, including health and safety compliance, space usage and lift maintenance. They can also be used to monitor services requirements; for example, the use of sensors that connect washrooms to smartphones or tablets that enable cleaning and facilities staff to check remotely when a maintenance visit might be required.”

However, Andy Compton, Managing Director of information security consultancy Blackfoot, says all this useful connectivity may come at a price:

“The richer the data sets, the more attractive an organisation becomes to financially or maliciously motivated cyber criminals. Sadly, devices and systems that leverage the power of data often become the point of network compromise when poorly secured devices are networked and create jump points to critical systems such as fire alarms, HVAC and CCTV systems where data can be stolen or abused.”

The white paper, Cyber Threat and the FM Solution, reports that despite all these growing threats there is evidence that organisations are still doing little to protect their systems from cyber-attacks, and the built environment appears to be particularly vulnerable.

The consequences of ignoring the threat of cyber-breaches are far reaching and could include:

  • physical damage to equipment or infrastructure;
  • theft of high value property;
  • loss of revenue;
  • bodily injury or death;
  • HVAC shutdown/manipulation;
  • door locks being disabled;
  • disabling of physical intrusion detection systems;
  • loss of building lighting;
  • data centre thermal overloads;
  • loss of customer confidence/contracts; and
  • higher insurance premiums.

The paper advises that a data breach also brings a risk of prosecution. The introduction of new European-wide General Data Protection Regulations (GDPR) affects how organisations can collect, use and transfer personal data and applies to any global company which holds data on EU citizens.

This does not just apply to data such as personnel records, but can impact on anyone responsible for the storage, destruction or recycling of equipment that contains data. As such, FMs must understand the new regulations and liaise with the various internal departments to ensure company-wide compliance, as there will be hefty financial penalties for organisations that don’t.

To address the cyber-security risks which may affect their organisation, the white paper advises that FMs first need to acknowledge that they have a crucial role to play:

“FMs who are concerned that their systems are vulnerable should begin the cyber security process by lobbying those who are responsible for the safeguarding of information to commission a data assessment. This will help an organisation identify what critical information is stored, processed or transmitted, establish why the data might be an attractive target, and establish any regulatory compliance it must adhere to.”

The paper sets out the steps FMs should take once they have identified what critical information is stored, processed or transmitted.