Risky Business: Protecting a Smart Building from Cyber Exposure

Fall 2022 Issue
By: Dru Douglas
Keeping internet-connected systems secure is a critical challenge for building owners and tenants.

Insurance coverage will be increasingly difficult to acquire if information technology security systems and protocols aren’t in place.

Today, an increasing number of commercial real estate ventures rely on smart technology — the kind of technology that allows users to interact with a device or an entire system through the Internet — to make life easier for owners and tenants alike.

Not only does smart technology make it possible to control an HVAC system for a large office building or to monitor water usage to identify a potential leak, it also can help minimize energy waste by connecting movement sensors to a lighting system in an office building.

Unfortunately, anything connected to the Internet also brings additional risk. If attackers gain control of one system, even a seemingly minor one, it is often a short trip across a flat, unsegmented network to the next. In 2017, a Las Vegas casino was breached through a smart sensor in a fish tank in the lobby; the attackers eventually sent 10 gigabytes of data to a device in Finland, according to the Washington Post.

Building owners and operators are keen to adopt smart technology for a variety of good reasons, but it’s important to tread carefully. Newer, more advanced technology captures an enormous amount of data, yet it also creates greater risk for building owners and operators. 

Risk is commonly managed through the purchase of cyber insurance, a product that helps cover a business's losses when a cyber event occurs. For instance, a ransomware attacker could encrypt a company's files, with the aim of stealing sensitive information, extorting a payment, or both. Security firm Risk Based Security reported that the number of stolen records increased by more than 4,000% between 2015 and 2020.

The increasing number of cyber events is having a direct effect on the cyber insurance market. Insurer underwriting requirements are becoming stricter in conjunction with rising premiums because of higher claim payouts. Cyber is no longer viewed as an emerging coverage. This makes it critically important to manage risk properly and have an action plan.

Four Steps to Reduce Cyber Exposure

When even a small breach can quickly become catastrophic, cyber exposure gains new importance. In the years ahead, underwriters will be much more likely to scrutinize an organization’s network security posture, so it’s more important than ever to have a plan.

By employing these four steps, it’s possible to reduce a property’s cyber exposure.

Review current security controls. With so much at risk, many insurers now require building owners to document the specific security controls in use before a quote is even offered. Controls commonly asked about include:

  • Multifactor authentication (MFA) should be standard for remote network access, e-mail systems and privileged accounts.
  • Remote desktop access must be closed or placed behind a virtual private network (VPN) protected by MFA; it should never be exposed directly to the Internet.
  • Privileged account access must be limited to those who need access.
  • E-mail authentication should be configured for the organization's domains: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC). SPF and DKIM let receiving servers verify that a message really came from the domain it claims, and a DMARC policy of quarantine or reject tells them what to do when it did not. These are authentication standards rather than filters, so they should work alongside an inbound filtering solution that stops suspicious e-mails before they reach the inbox.
  • A next-generation antivirus solution should be operating on all equipment.
  • An endpoint detection and response (EDR) solution that continuously monitors end-users’ devices for cyber threats such as malware and ransomware must be in operation.
  • At least one copy of backups should be stored off-site or in the cloud, separated from the production network so that an attacker who encrypts the live systems cannot also encrypt the backups.
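The e-mail authentication items in the list above are easy to claim and easy to misconfigure, so, as an added example that is not part of the original article or the author's practice, here is a small Python checker that grades SPF and DMARC TXT records against the points an underwriter's questionnaire asks about: whether a record exists at all, whether SPF ends in -all rather than ?all or +all, whether the DMARC policy is none, quarantine or reject, and whether aggregate reporting is switched on. The domains and records are constructed samples, not real DNS data; in practice the records would be fetched with a DNS TXT lookup for the domain and for _dmarc.<domain>. DKIM is deliberately left out, because its selectors cannot be enumerated from DNS without knowing the selector names.

```python
import re

# Constructed sample TXT records for hypothetical domains (not real DNS data).
# "weak.example" shows settings an underwriter's checklist would flag;
# "strong.example" passes; "missing.example" publishes nothing at all.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dmarc": None},
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
_LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(?:(?:a|mx|ptr)(?:[:/]|$)|(?:include|exists):)|^redirect=",
    re.IGNORECASE,
)


def spf_findings(record):
    """Return a list of weaknesses in an SPF TXT record (empty list = acceptable)."""
    if not record:
        return ["SPF: no record published, so any host may send mail as this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["SPF: record does not begin with v=spf1"]
    findings = []
    # The qualifier on the final 'all' term decides what happens to unlisted senders.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every sender; the record is useless")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; spoofed mail is not flagged")
        elif qualifier == "~":
            findings.append("SPF: '~all' is a softfail; move to '-all' once sending sources are confirmed")
    elif not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("SPF: no 'all' term; unlisted senders default to neutral")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC TXT record (empty list = acceptable)."""
    if not record:
        return ["DMARC: no record published, so receivers apply no policy to failures"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; tighten to p=reject once aggregate reports are clean")
    elif policy != "reject":
        findings.append("DMARC: p= tag missing or invalid")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports will never be received")
    return findings


def assess_domain(records):
    """Combine SPF and DMARC findings for one domain's records dict."""
    return spf_findings(records.get("spf")) + dmarc_findings(records.get("dmarc"))


def assess_all(samples=SAMPLE_RECORDS):
    """Map each domain name to its list of findings."""
    return {domain: assess_domain(records) for domain, records in samples.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain, "PASS" if not findings else "")
        for finding in findings:
            print("   -", finding)
```

Run as a script it prints PASS for strong.example and lists the findings for the other two. The checker is intentionally strict about p=none: a DMARC record in monitoring mode is useful for collecting reports during rollout, but it does nothing to stop a spoofed invoice from landing in a tenant's inbox, which is what the insurer's question is really about.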

Require cyber risk training. A 2015 Intel Security study found that 97% of participants could not correctly identify all of the phishing e-mails in a test. No matter how basic it seems, it is essential to explicitly train everyone, whether employees, vendors or other key constituents, to recognize suspicious e-mails and to report them to IT rather than open them, since a reported message can be blocked for everyone else. Creating an organization-wide culture of security takes the entire team, not just the IT department, and leadership that visibly takes the challenge seriously makes it easier for employees to do the same.

Develop an incident-response plan. An incident-response plan (IRP) is a roadmap that tells everyone involved what to do from the first sign of a security incident onward: who to call, what steps to take and when to take each step. Once considered a bonus, the IRP is now often required for those seeking insurance coverage, because it forces organizations to plan appropriate responses from the time of the breach through post-incident review and closure.

Rehearse the worst-case scenario with a tabletop exercise. The best way to prepare for a disaster is to enact it. Like a fire drill, a cyber tabletop exercise (TTX) is a simulated cybersecurity scenario where participants (usually the management team) must learn about and respond to an incident in real time. Through this stressful situation, management discovers weak links and can improve its preparedness. Anyone looking to minimize their risk can test their IRP with a TTX — and what’s more, more insurers are expecting their clients to do this regularly.

Smart technology comes with benefits and challenges, but the challenges can be actively managed to minimize the risk. As always, planning for the worst and taking the risk seriously goes a long way. But when real estate owners and operators, as well as the tenants, are working toward the goal of remaining secure and connected, the technology is a benefit to everyone.

Dru Douglas is the Ontario real estate practice leader for global insurance brokerage Hub International who specializes in the office, retail, industrial and multifamily sectors.