Creating Resilience

Cybersecurity: Fortifying Commercial Real Estate for a Digital World

April 24, 2023 5 Minute Read



Looking for a PDF of this content?

As commercial real estate becomes more technologically enabled and the number of smart buildings grows, cyber intrusions are posing a variety of operational and reputational challenges for landlords.

Due to the advanced and complex nature of these threats, many building owners are struggling to identify vulnerabilities within their portfolios and are encountering difficulties in securing systems within individual properties, potentially leading to serious consequences for both themselves and their tenants.

Help is at hand, however, with cybersecurity experts now able to mitigate risks by devising and implementing policies and strategies to combat breaches and ensure buildings continue to operate efficiently and without disruption.

This Viewpoint by CBRE Property Management provides an overview of the cybersecurity challenges facing building owners and identifies best practices to repel attacks and minimize overall risks.

Compiling an inventory of all building systems at an early stage enables property managers to identify their potential exposure to external threats. Other essential measures include internal training and education.
Nick WrightGlobal Head of Digital Solutions, Property Management, CBRE
Person Image

What are the main cybersecurity risks?

Cybersecurity vulnerabilities within commercial buildings include Wi-Fi networks, wireless peripherals, card-key access mechanisms, HVAC systems, power supply hardware and portfolio management software.

While the volume of IT-related breaches of buildings systems, such as phishing and malware attacks, remains relatively low, building technologies and systems are becoming more susceptible to hacking by bad actors seeking to shut down entire properties. This has far-reaching legal, reputational and financial consequences, including operational disruption to landlords and ransom demands to tenants.

The accelerated shift to the cloud and increase in remote working since the COVID-19 pandemic has added a new layer of complexity to cybersecurity and placed additional demands on companies seeking to safeguard against attacks.

In response, companies are investing heavily in new information security and risk management technology and services. Business consulting firm Gartner estimates that worldwide spending in these areas reached US$150.4 billion in 2021, an increase of 12.4% from 2020.


Cybersecurity threats interrupt everything related to that building. In addition to shutting down building hardware such as water supplies and elevators, hackers can manipulate systems to create emergency scenarios.

John McDonaghEngineering Operations Director, Property Management, CBRE
Person Image

Why are cybersecurity systems and policies necessary?

Commercial real estate decision-makers have historically regarded the risk of cyberattack as being low, since building systems do not typically host or manage valuable business or consumer data targeted by phishing or malware. However, as buildings incorporate more technology and get smarter, they are becoming more vulnerable to a wide range of cybersecurity threats related to data breaches and ransomware.

Due to the interconnectivity and interdependence of technology systems within the most modern commercial buildings, cybersecurity breaches can impact multiple if not all occupiers within a single property. While landlords usually take proactive measures to ensure buildings stay operational and occupiers are kept safe when systems are under attack, such safeguards may not be completely secure.

The fragmented nature of the commercial real estate industry also underscores the need for cybersecurity systems and polices. Building operations and management invariably involve multiple providers, such as hardware specialists who install and maintain heating, ventilation and air-conditioning (HVAC) systems, and other facilities management providers who may be replaced over the course of a building’s lifecycle.

The divide between the information technology and operational technology worlds leads to a situation of security by obscurity, where security flaws are hidden. This is not a viable approach in a world where threat actors are seeking easy ways to penetrate building networks. Our role is to ensure landlords have a secure and well-run building, thus netting return on investment versus just a straight security spend.

Ron VissersDirector of IT, CBRE, ESI
Person Image

A robust cybersecurity policy should be based on a thorough audit and assessment of these systems and provide ongoing testing and validation of the building’s security performance and risk profile.

This approach supports the effective lifecycle operations of a building and provides secure access to data and processing across a building’s infrastructure, technology, equipment and systems.

Such an approach involves undertaking a structured assessment of cybersecurity threats, starting by compiling an inventory of all systems and technologies in portfolios. Failing to do so can make it extremely difficult to secure a property and mitigate intrusions.

An unstructured approach to managing cybersecurity threats more than likely will result in cybersecurity breaches of the building and its networks. Having little or no knowledge of the differing levels of protection that are in place in a building across individual systems and pieces of hardware can create considerable risks and vulnerabilities.

The absence of structured cybersecurity policy and standards applied across all building systems leaves room for misinterpretation, increasing vulnerability and exposing undetected points of weakness to cybersecurity threats in both landlord and tenant networks.

By identifying and understanding potential threats and putting in place clear policies to manage building technologies and networks, landlords can reduce many of these vulnerabilities and risks and ensure their portfolios and buildings continue to operate efficiently.


How is a cybersecurity policy devised?

The first stage in devising a cybersecurity policy is compiling an inventory of all building systems to create an asset register. This enables property managers to gain a thorough understanding of all technologies and hardware in an individual property and their potential exposure to external threats.

This process can have immense benefits not only for cybersecurity but also for overall building management and is rapidly becoming a bare minimum requirement for commercial real estate landlords, especially those with extensive portfolios and blue-chip tenants.

Property managers then compile a playbook on how various areas of cybersecurity are addressed across key hardware, such as internet networks, building systems, landlord integration networks and the building’s software system.

Other elements include regular risk assessments and testing. This typically involves creating schedules of when cybersecurity assessments will be undertaken across the smart systems of a building on a regular basis, along with previous reports of cybersecurity assessments that have occurred over the past 12 months.

Effective lifecycle management for hardware is essential, particularly when older legacy properties are involved. Property managers must have measures in place to address issues such as when to replace older hardware and software and the extent to which such actions can mitigate risks. System recovery procedures are also key.

As cybersecurity threats continue to evolve, creating a company culture around cybersecurity via education, training and demonstrating best practice is vital.

With real estate cybersecurity being a relatively nascent area of expertise, CBRE’s approach has been to appoint external cybersecurity assessors with the knowledge to assess buildings, understand threats, mitigate risks and perform remediation. When combined with CBRE Property Management’s expertise, this creates a knowledge base able to assist clients across the entire cybersecurity spectrum.

Building an asset register can have immense benefits not only for cybersecurity but also for overall building management and is a bare minimum requirement for commercial real estate landlords.
Nick WrightGlobal Head of Digital Solutions, Property Management, CBRE
Person Image

What’s next for cybersecurity?

CBRE believes cybersecurity will play a key role as Environmental, Social and Governance (ESG) considerations are built into every stage of the property lifecycle, from due diligence to acquisitions and from leasing to asset management.

With companies mandating stricter corporate governance policies and reporting, cybersecurity will be a critical tool for companies to demonstrate they are effectively managing and safeguarding data. This will also impact the social element of ESG by providing building occupants with greater assurance that their personal data is protected.

Landlords will also need to improve cybersecurity-related cooperation with tenants as more companies strengthen their own cybersecurity policies to ward off potential threats. With some tenants wishing to capture and store data in the cloud and others wanting to do so on networks they control, this will increase challenges on landlords, such as requiring them to provide separate networks and Wi-Fi signals within individual buildings.

As the risks and complexities around cybersecurity continue to grow, landlords must ensure their buildings are cyber resilient. This will require better education, awareness and training for owners, occupiers and managers to ensure genuine durability against potential threats.

With some tenants wishing to capture and store data in the cloud and others wanting to do so on networks they control, this will increase challenges on landlords, such as requiring them to provide separate networks and Wi-Fi signals within individual buildings.

Finally, data likely will emerge as a key battleground in the coming years. This will require landlords introducing cybersecurity systems to ensure data management agreements are signed with occupiers, individuals and other building users.

With smart technologies generating and capturing a huge volume of data, such as internet protocol addresses and information related to people entering and exiting a building, this could potentially lead to disputes regarding ownership of such data, even if much of it is anonymous.

However, CBRE believes many of these risks can be mitigated by putting in place cybersecurity policies that consider governance aspects, such as information flows, and adhere to the relevant data protection laws.

Related Service