Vendor Risk Management is Key to Mitigating Cybersecurity Risk
Effective cybersecurity may not be easy to implement, but you might agree by the end of this article that it’s easy relative to the broader technology-related problem in commercial real estate (CRE). In other words: cybersecurity is only a subset of the real problem.
For many years, all industries have struggled with traditional enterprise cybersecurity risks and the consequences we read about in the headlines every day. As a result, there are many cybersecurity solutions for traditional IT areas such as local area networking (LAN), remote access and information security (infosec) in general. Although commercial real estate is late to the game in most IT solution implementations, we do have the advantage of being able to pick and choose what is right for our portfolios from established options.
If you have not already done so, in the near future, your real estate organization will either end up putting all building control systems on your existing enterprise network or providing a stand-alone, remote access and LAN solution for those building systems. For the latter, it requires a much more simplified solution that not only protects but is also cost-effective and easy to manage for the organization and the contractors using it. In short: it needs to be an IT solution for a non-IT customer.
However, focusing on the remote access issue alone misses the real problem as it was dubbed in the first paragraph, which we call Vendor Risk Management (VRM). The 2019 Gartner Glossary states that VRM is: the process of ensuring that the use of service providers does not create an unacceptable potential for business disruption or a negative impact on business performance. Gartner intended this description for IT environments but our 15 years in the real estate technology space tells us that this is even more applicable to real estate than it is to IT-proper for the reasons outlined below.
In larger portfolios, there are three things that any real estate professional knows about vendors - particularly building systems contractors:
(1) Fragmentation: There is tremendous fragmentation in the number and type of contractors across the total building count.
(2) Inconsistencies: The fragmentation creates indescribable inconsistencies for system setup and configuration, data back-ups and remote access.
(3) Turnover: There is frequent turnover at all levels between contractors, building managers and property managers.
It is true that there is a big problem with secure, remote access for control systems and this must be addressed; but there are many different, well-established ways to address that technically. Notwithstanding that fact, nearly all those IT solution providers do not understand the technology or the culture of the building systems world - leaving the potential for a misused or underused solution for remote access.
Still the question remains: “What can go wrong if I establish secure, remote access?” Putting aside for a moment whether or not all contractors will adhere to the remote access procedures, the answer is most things that go wrong today in building systems are not related to the proverbial hacking. The cause of approximately 80% of all cyber-related incidents is human behavior (www.itgovernance.co.uk). Hence, the number one cause of disruption in building systems is ransomware, followed by outdated software or firmware and then a variety of site-related problems caused by poor system configuration.
We know multiple real estate organizations that have never been hacked but have been completely shut down by these other VRM issues. Additionally, a related and very common behavioral issue is that there are no current backups to restore with; and all backups from all systems are never in the same, validated place that lasts through contractor turnover.
With or without a remote access solution, if each system has its own password complexity, proper configuration and recent backups they can survive a malicious attack or sloppy mistakes. This is the essence of VRM - having a proper inventory, policy and policy compliance process for all systems and contractors. The policy and policy compliance must be reasonable and manageable given the deeply embedded cultural realities of building systems contractors - or it will risk rebellion and failure.
A VRM solution must have a customer-empowering, customer-owned approach and this approach must survive contractor turnover and rise above the inconsistencies caused by the fragmentation of service providers. VRM is a top-down solution that is pushed throughout all regions, buildings, systems and contractors. This will be manifested in new policy requirements, service contracts and organization-wide process and controls. The process and controls will eventually mimic formal IT process and controls such as SOC2 (Service Organization Control).
So, the next time you say you need to address cybersecurity for your building portfolio you might consider saying what you really need is a VRM strategy that includes cybersecurity.
Rob Murchison, Co-Founder, Intelligent Buildings
This article is co-authored with Rob Murchison, Co-Founder of Intelligent Buildings, a nationally recognized smart building consulting and services company that leads the industry in OT cybersecurity and vendor risk management solutions for projects and portfolios at scale. Rob has over 20 years' experience in strategy consulting, sales and design of technology to real estate developers and commercial businesses with expertise in networking, and software and database applications.
This Week’s Sponsor
Smart Technology. Smart Equipment. Smart Solutions. Embracing open software and hardware platforms, Lynxspring develops and manufactures innovative edge-to-enterprise solutions. We enable better building automation, energy management systems, control systems and IoT applications. Deployed in billions of square feet of commercial buildings across North America, Lynxspring’s solutions simplify integration, interoperability, and help connect your building’s data.www.lynxspring.com.
Wells Fargo: Workplace Re-Entry Industry Research At the beginning of April 2020, when most of America began shutdowns, Wells Fargo started collecting articles, talking to peers, and attending COVID-19 conference calls and webinars to assess and digest COVID-19 impacts to the workplace. In late April, the company began distributing a weekly report that summarized this information, focusing on impacts to facilities supporting essential workers and the proposed changes to administrative spaces and plans for eventual workplace re-entry.
Software-Defined LAN and Fiber/Power-Deep Networks Define New Norm and a Better Future There is no doubt that this year has been a difficult one for enterprise businesses of all sizes across all vertical markets. However, the COVID-19 pandemic has also accelerated our digital future. With millions more people using technology to work, connect, entertain and shop from home, demands on service provider networks and data centers to accommodate the increased internet traffic and VPN usage is higher than ever.
European CIOs Respond to COVID-19 Europe is experiencing a wide range of COVID-19 reopening phases, strategies and sentiments. From “feeling almost back to normal” in Switzerland to quarantines and essential travel restrictions in the U.K., property managers, building owners and occupiers are navigating the ever-changing CRE coronavirus landscape.
The Impact of COVID-19 on Commercial Cleaning Processes COVID-19 has fundamentally changed many aspects of our lives and the world economy. Cleaning and disinfection are crucial priorities in reopening plans around the world. The future hinges upon providing the safest possible environment for building occupants, while also respecting new requirements (e.g., social distancing, contact tracing, monitoring microbial contamination). How are we going to successfully navigate these radically increased needs? By fully empowering facilities with technology