The phrase “secure building” may evoke an image of a looming windowless fortress, defended by an armada of steely-eyed security guards and a tapestry of barbed-wire fencing. But most office buildings don’t share that kind of dramatic appeal. In this digital era, security for many buildings comes in the form of protection against hackers.
Previously, landlords and property owners may not have considered their tenants’ cybersecurity their responsibility. After all, tenants are responsible for locking their doors and protecting their own valuables. But office tenants are beginning to push for their landlords to bundle services (including internet access and cybersecurity) into their commercial leases, according to new data from JLL. Bundled tech packages are already popular for flex-space tenants, but Jason Lund, Leader of Technology Infrastructure at JLL, is adamant that the trend of integrating a network of turnkey services, including cybersecurity, will envelop entire office buildings soon. “In the next 12 to 24 months, more and more owners are going to start putting in this central network,” said Lund. “Mark my words.”
Commercial real estate is an industry that is stereotypically behind the times when it comes to embracing technology, so the idea of suddenly putting the onus of cybersecurity on the landlord can sound like a recipe for disaster. Cybersecurity is an involved process requiring continued monitoring against an ever-changing threat landscape. It’s a challenge for any organization, let alone a commercial property owner who may not have ever needed to be tech-savvy in the past.
Office tenants may want the cost savings that come with bundling their cybersecurity, but those savings become moot if lackluster cybersecurity exposes them to a financially devastating hack. Data breaches cost businesses millions of dollars. A 2021 report from IBM revealed that the average price tag amounts to $4.24 million, but that number doesn’t factor in costs associated with the loss of the business’s reputation (can you even put a price on that?) or legal repercussions (lawyers can definitely put a price on that). If a landlord is in charge of their tenant’s cybersecurity, then the legal liability for a breach would pass to them.
But Lund thinks that putting the property owner in charge of the cybersecurity of their office buildings is the better option. “Tenants will call anyone off the street to come in and install anything and attach it to whatever network they pay for with no concern for cybersecurity at all,” he said. “A supplied network that is professionally managed with high levels of cyber monitoring reduces the risk of cybersecurity issues in the building.”
As many office leases across the U.S. expire and office absorption is expected to decline, Lund’s observations couldn’t have come at a more opportune time. Plus, companies have a compelling motivation to remain and renew their leases if landlords can demonstrate that their buildings are quantifiably better for keeping their data under tight lock and key.
Landlords who are up to snuff with their building’s cybersecurity will have a crucial competitive advantage in a market where tenants have more leverage than ever. Having said that, cybersecurity measures for commercial owners and property managers must keep pace with the ever-changing nature of today’s dangers without losing the convenience and flexibility that today’s workforce needs. There are some important measures that landlords can take to protect their own and their tenants’ sensitive information.
Seek professional help
Building networks and systems are complicated, and cybersecurity is still a new topic. So much so that the average IT department may not be savvy enough to safeguard your building digitally. Luciano Cedrone, Director of Commercial Real Estate at GardaWorld, the world’s largest privately owned security services company, told BOMA International Magazine that general IT professionals “are not the same as cybersecurity professionals. I’d strongly encourage property managers to seek out cybersecurity professionals to assess and develop a secure cyber environment for their buildings.”
Many cybersecurity suppliers claim to be experts but lack industry-standard certifications and qualifications. Before choosing a vendor, look for certifications like CompTIA, GSEC, CISSP, or CCSP, and make sure that everybody who has access to your network and data has been thoroughly trained and verified.
Landlords should regularly check for vulnerabilities in their network. A penetration test, often known as a pen test, simulates a cyber assault on your computer system in order to find exploitable flaws. Landlords should seriously consider leveraging a third party to conduct a penetration test. When performed by outside specialists, a penetration test is the most effective approach to determine how vulnerable the building’s network is to cyber-attacks.
Even if your cybersecurity team has previous penetration testing knowledge, many experts believe that a third party with fresh eyes on your network is more likely to discover possible issues. When conducting on-site security testing, internal teams are more apt to gloss over potential security issues because they are familiar with their own network.
Let’s get physical
While many cybersecurity efforts are focused on securing systems and networks, physical security is a crucial component of any cybersecurity program. A landlord cannot have a robust cybersecurity program unless bad actors are unable to physically breach its perimeter. This is why conducting physical penetration tests is crucial, and having a methodology and structure in place to do so ensures you don’t overlook any critical areas of your physical security.
A physical penetration test’s purpose is to expose flaws in the physical security controls of a building (things like locks, smart building sensors, security cameras, barriers, etc.). This is another venture that requires a third party to carry it out (unless you wish to spend an afternoon role-playing a scene from Ocean’s Eleven). Physical penetration specialists will pick locks, slip a flash drive into USB ports when people aren’t paying attention, clone RFID badges to gain access to restricted areas, dumpster-dive in search of sensitive documents that have been carelessly tossed, bypass access controls by tricking motion detectors, and so on. The findings from these physical breaches tell the landlord which mitigations must be put in place to prevent attackers from physically accessing the building.
Fire is also a physical threat that can be disastrous to digital information. Water damage from sprinklers can be enough to ruin electronics and lose files. Server rooms require extra consideration. A server room should be outfitted with an inert gas system that works by displacing oxygen with other gases like argon or nitrogen, lowering the amount of oxygen available to a fire. These systems are non-conductive, non-corrosive, and leave no residue, avoiding costly and time-consuming post-fire cleanup. Plus, they’re safe for any occupant trapped in the room, as the oxygen levels in the room would only be lowered to 11 percent, enough to squelch a fire but not so much as to suffocate a person.
Segmentation wherever possible
Corporate networks suffered 50 percent more cyber attacks last year on a week-to-week basis than the year before, and hackers often seek out vulnerabilities in a building’s management system to find pathways into the corporate occupier’s IT network. Network segmentation, which isolates specific devices and groups of devices from others, can help IT professionals improve the network’s security posture. This can prevent threats from spreading throughout the network. IoT devices can be placed on their own virtual networks, so if a device gets infected with malware, it will not be able to infect other devices on a different virtual network.
Network segmentation increases security by restricting access to resources to specific groups of people within the building, dramatically lowering the risk of unauthorized access by insiders. Incidentally, insider attacks have gone up significantly over the past few years, with 70 percent of organizations reportedly seeing more frequent hacks from employees, contractors, or other trusted associates who have easy access to the building’s network. Whether these attacks result from malicious insiders with a grudge or from simple negligence, they can deal severe damage that can take an average of 212 days just to detect. Because of the enormous amount of sensitive data that office occupiers have floating around in their networks, landlords should segment the network wherever possible. Individual tenants should be given their own WiFi network, and visitors should only be allowed access to a guest network.
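The segmentation described above can be checked mechanically before a firewall change goes live. The following is an added example, not part of the original article: a short audit that flags any allow rule letting guest, tenant, or IoT traffic cross into another segment. The segment names, VLAN IDs, ports, and the allowed-path policy are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    name: str
    vlan: int
    kind: str        # "tenant", "guest", "iot" or "mgmt"

@dataclass(frozen=True)
class Flow:          # one allow rule on the inter-VLAN firewall
    src: str
    dst: str         # a segment name, or "internet"
    port: int

# Which destination kinds each source kind may reach (assumed policy).
ALLOWED = {"tenant": set(), "guest": set(), "iot": {"mgmt"}, "mgmt": {"iot"}}

def audit(segments, flows):
    """Return findings for rules that let traffic cross a segment boundary."""
    by_name = {s.name: s for s in segments}
    findings, vlan_owner = [], {}
    for s in segments:
        # Two segments on one VLAN ID are not isolated from each other.
        if s.vlan in vlan_owner:
            findings.append(f"VLAN {s.vlan} shared by {vlan_owner[s.vlan]} and {s.name}")
        vlan_owner.setdefault(s.vlan, s.name)
    for f in flows:
        src, dst = by_name.get(f.src), by_name.get(f.dst)
        if src is None or (dst is None and f.dst != "internet"):
            findings.append(f"rule {f.src}->{f.dst}:{f.port} names an unknown segment")
        elif dst is not None and src is not dst and dst.kind not in ALLOWED[src.kind]:
            findings.append(f"{src.kind} segment {src.name} may reach "
                            f"{dst.kind} segment {dst.name} on port {f.port}")
    return findings

# Constructed sample plan: two tenants, guest WiFi, building IoT, management.
SEGMENTS = [
    Segment("tenant-a", 110, "tenant"), Segment("tenant-b", 120, "tenant"),
    Segment("guest", 200, "guest"), Segment("hvac-iot", 300, "iot"),
    Segment("bms-mgmt", 310, "mgmt"), Segment("cameras", 300, "iot"),
]
FLOWS = [
    Flow("tenant-a", "internet", 443),   # fine: egress only
    Flow("guest", "internet", 443),      # fine: egress only
    Flow("hvac-iot", "bms-mgmt", 8883),  # fine: telemetry to management
    Flow("guest", "tenant-a", 445),      # guest reaching a tenant file share
    Flow("tenant-a", "tenant-b", 3389),  # cross-tenant remote desktop
    Flow("hvac-iot", "tenant-b", 22),    # building device into a tenant network
]

if __name__ == "__main__":
    for line in audit(SEGMENTS, FLOWS):
        print(line)
```

Run against an export of the building’s real VLAN and firewall rule tables, an empty result means no rule bridges two segments that the policy keeps apart.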
Any building can protect you from the elements, but real security comes from protection against outside threats. Property management teams need to understand the best strategies when it comes to both physical and digital security in order to offer the kind of assurance tenants need from a modern office. While it’s challenging to fill the cybersecurity role, there’s never been a better time for landlords to ensure their building’s data and cybersecurity processes are up to date and working smoothly and securely. In order to put (and keep) a tenant in the building, it’s up to landlords to patch their systems and monitor vulnerabilities.