Weekly Briefing


Vendor Risk Management is Key to Mitigating Cybersecurity Risk


Effective cybersecurity may not be easy to implement, but you might agree by the end of this article that it’s easy relative to the broader technology-related problem in commercial real estate (CRE). In other words: cybersecurity is only a subset of the real problem.

For many years, all industries have struggled with traditional enterprise cybersecurity risks and the consequences we read about in the headlines every day. As a result, there are many cybersecurity solutions for traditional IT areas such as local area networking (LAN), remote access and information security (infosec) in general. Although commercial real estate is late to the game in most IT solution implementations, we do have the advantage of being able to pick and choose what is right for our portfolios from established options.

If it has not already happened, your real estate organization will in the near future either put all building control systems on its existing enterprise network or provide a stand-alone remote access and LAN solution for those systems. The latter calls for a much simpler solution: one that protects the systems but is also cost-effective and easy to manage, both for the organization and for the contractors who use it. In short, it needs to be an IT solution for a non-IT customer.

However, focusing on the remote access issue alone misses the real problem referred to in the first paragraph, which we call Vendor Risk Management (VRM). The 2019 Gartner Glossary defines VRM as "the process of ensuring that the use of service providers does not create an unacceptable potential for business disruption or a negative impact on business performance." Gartner intended this description for IT environments, but our 15 years in the real estate technology space tell us that it is even more applicable to real estate than to IT proper, for the reasons outlined below.

In larger portfolios, there are three things that any real estate professional knows about vendors - particularly building systems contractors:

    (1) Fragmentation: There is tremendous fragmentation in the number and type of contractors across the total building count.

    (2) Inconsistencies: The fragmentation creates wide inconsistencies in system setup and configuration, data backups and remote access.

    (3) Turnover: There is frequent turnover at all levels between contractors, building managers and property managers.

Fragmentation, inconsistencies and turnover at scale create chaos. This chaos tells us the real problem is VRM and dealing with dozens or even hundreds of different contractors. They not only have (or need) remote access but also manage onsite, complex, digital building systems such as HVAC, elevator, lighting, parking and metering. These systems in buildings provide critical functions affecting life safety, experience, productivity, core network integrity, regulatory compliance and insurance exposure.

It is true that there is a big problem with secure remote access for control systems, and it must be addressed; but there are many different, well-established ways to address it technically. Even so, nearly all of those IT solution providers do not understand the technology or the culture of the building systems world, which leaves the remote access solution open to being misused or underused.

Still the question remains: "What can go wrong if I establish secure remote access?" Putting aside for a moment whether all contractors will adhere to the remote access procedures, the answer is that most things that go wrong today in building systems are not the result of the proverbial targeted hack. Human behavior is the cause of approximately 80% of all cyber-related incidents (www.itgovernance.co.uk). Consistent with that, the number one cause of disruption in building systems is ransomware, which usually gets in through an everyday human mistake such as opening a phishing attachment rather than through a sophisticated break-in; it is followed by outdated software or firmware and then a variety of site-related problems caused by poor system configuration.

We know multiple real estate organizations that have never been hacked but have been completely shut down by these other VRM issues. A related and very common behavioral issue is that there are no current backups to restore from, and backups from the different systems are almost never kept in a single, validated location that survives contractor turnover.

With or without a remote access solution, if each system has credentials that meet a password complexity policy, a correct and documented configuration, and recent backups that have actually been tested by restoring them, it can survive a malicious attack or a sloppy mistake. This is the essence of VRM: a proper inventory, a policy, and a policy compliance process covering all systems and contractors. The policy and the compliance process must be reasonable and manageable given the deeply embedded cultural realities of building systems contractors, or they will risk rebellion and failure.
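As an added illustration of that inventory-plus-policy-compliance process (an example written for this page, not the authors' or Intelligent Buildings' own tooling), the Python below runs a constructed three-building inventory against a constructed portfolio policy and contractor register. Every field name, threshold and contractor name is an assumption. The point it shows is that the checks are defined once by the owner, apply identically to every contractor regardless of fragmentation, and catch the failure modes the article names: stale or contractor-held backups, default or weak credentials, old firmware, and remote accounts left behind by a contractor whose contract has ended.

```python
"""Inventory-driven VRM compliance check for building control systems.

Added illustration for this article, not the authors' or Intelligent
Buildings' tooling. The policy, contractor register, inventory and account
mapping below are constructed sample data; every field name is an assumption.
"""
from datetime import date

AS_OF = date(2024, 6, 1)  # constructed "today" so the results are reproducible

# Constructed policy: what the portfolio owner requires of every system,
# no matter which contractor maintains it.
POLICY = {
    "max_backup_age_days": 30,
    "required_backup_store": "owner-vault",  # owner-controlled, not a contractor laptop
    "min_password_length": 12,
    "max_firmware_age_days": 365 * 2,
}

# Constructed contractor register: who currently holds a service contract.
CONTRACTS = {
    "Acme Controls": {"active": True},
    "Metro Elevator": {"active": True},
    "OldCo HVAC": {"active": False},  # contract ended: the turnover case
}

# Constructed inventory: one record per building system.
INVENTORY = [
    {"building": "100 Main St", "system": "HVAC BAS", "contractor": "Acme Controls",
     "last_backup": date(2024, 5, 20), "backup_store": "owner-vault",
     "password_length": 16, "default_password": False,
     "firmware_date": date(2023, 11, 1), "remote_accounts": ["acme-svc"]},
    {"building": "100 Main St", "system": "Elevator controller", "contractor": "Metro Elevator",
     "last_backup": date(2023, 9, 1), "backup_store": "contractor-laptop",
     "password_length": 6, "default_password": True,
     "firmware_date": date(2019, 3, 15), "remote_accounts": ["metro-tech", "oldco-remote"]},
    {"building": "200 Oak Ave", "system": "Lighting", "contractor": "OldCo HVAC",
     "last_backup": None, "backup_store": None,
     "password_length": 12, "default_password": False,
     "firmware_date": date(2024, 1, 10), "remote_accounts": ["oldco-remote"]},
]

# Constructed mapping from remote-access account to the contractor that owns it.
ACCOUNT_OWNER = {"acme-svc": "Acme Controls", "metro-tech": "Metro Elevator",
                 "oldco-remote": "OldCo HVAC"}


def check_system(rec, policy, contracts, account_owner, today):
    """Return the list of policy findings for one inventory record."""
    findings = []
    # Backups: must exist, be recent, and live in the owner-controlled store.
    if rec["last_backup"] is None:
        findings.append("no backup on record")
    else:
        age = (today - rec["last_backup"]).days
        if age > policy["max_backup_age_days"]:
            findings.append(f"backup is {age} days old")
        if rec["backup_store"] != policy["required_backup_store"]:
            findings.append(f"backup stored in {rec['backup_store']}, "
                            f"not {policy['required_backup_store']}")
    # Credentials: no vendor defaults, and a minimum length.
    if rec["default_password"]:
        findings.append("default password in use")
    if rec["password_length"] < policy["min_password_length"]:
        findings.append(f"password length {rec['password_length']} below minimum "
                        f"{policy['min_password_length']}")
    # Software currency.
    fw_age = (today - rec["firmware_date"]).days
    if fw_age > policy["max_firmware_age_days"]:
        findings.append(f"firmware is {fw_age} days old")
    # Turnover: every remote account, and the contractor of record, must map to
    # a contractor with an active contract.
    for acct in rec["remote_accounts"]:
        owner = account_owner.get(acct)
        if owner is None or not contracts.get(owner, {}).get("active", False):
            findings.append(f"remote account {acct} has no active contract")
    if not contracts.get(rec["contractor"], {}).get("active", False):
        findings.append(f"contractor of record {rec['contractor']} has no active contract")
    return findings


def evaluate_inventory(inventory, policy, contracts, account_owner, today):
    """Check every record; returns {(building, system): [findings]}."""
    return {(r["building"], r["system"]): check_system(r, policy, contracts, account_owner, today)
            for r in inventory}


def findings_by_contractor(inventory, report):
    """Roll findings up per contractor, which is the unit VRM actually manages."""
    summary = {}
    for r in inventory:
        summary[r["contractor"]] = summary.get(r["contractor"], 0) + \
            len(report[(r["building"], r["system"])])
    return summary


if __name__ == "__main__":
    report = evaluate_inventory(INVENTORY, POLICY, CONTRACTS, ACCOUNT_OWNER, AS_OF)
    for (bldg, sysname), items in report.items():
        print(f"{bldg} / {sysname}: {'OK' if not items else str(len(items)) + ' finding(s)'}")
        for f in items:
            print(f"  - {f}")
    print("per contractor:", findings_by_contractor(INVENTORY, report))
```

On the sample data the HVAC system passes, the elevator controller produces six findings (a 274-day-old backup on a contractor laptop, a six-character default password, five-year-old firmware, and a remote account belonging to a contractor whose contract has ended) and the lighting system has no backup at all and is still assigned to that ended contractor. The per-contractor roll-up is what turns the result into a VRM conversation rather than a list of technical defects, and the same script runs unchanged when the inventory grows from three systems to three hundred.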

A VRM solution must be customer-empowering and customer-owned, and it must survive contractor turnover and rise above the inconsistencies caused by the fragmentation of service providers. VRM is a top-down solution that is pushed throughout all regions, buildings, systems and contractors. It will be manifested in new policy requirements, service contracts and organization-wide processes and controls, which will eventually mimic formal IT processes and controls such as those reported on under SOC 2 (System and Organization Controls).

So, the next time you say you need to address cybersecurity for your building portfolio, you might consider saying that what you really need is a VRM strategy that includes cybersecurity.

Rob Murchison, Co-Founder, Intelligent Buildings

This article is co-authored with Rob Murchison, Co-Founder of Intelligent Buildings, a nationally recognized smart building consulting and services company that leads the industry in OT cybersecurity and vendor risk management solutions for projects and portfolios at scale. Rob has over 20 years' experience in strategy consulting, sales and design of technology for real estate developers and commercial businesses, with expertise in networking and in software and database applications.

Tom Shircliff, Co-Founder, Intelligent Buildings
Tom Shircliff is a co-founder and principal of Intelligent Buildings. Intelligent Buildings was founded in 2004 and provides managed services and advisory services that reduce operational risk and lower cost structure in commercial real estate. Their services support smart building design development, contractor cybersecurity and facility public health solutions.

This Week’s Sponsor

Smart Technology. Smart Equipment. Smart Solutions. Embracing open software and hardware platforms, Lynxspring develops and manufactures innovative edge-to-enterprise solutions. We enable better building automation, energy management systems, control systems and IoT applications. Deployed in billions of square feet of commercial buildings across North America, Lynxspring's solutions simplify integration and interoperability, and help connect your building's data. www.lynxspring.com