Vendor Risk Management is Key to Mitigating Cybersecurity Risk
Effective cybersecurity may not be easy to implement, but you might agree by the end of this article that it’s easy relative to the broader technology-related problem in commercial real estate (CRE). In other words: cybersecurity is only a subset of the real problem.
For many years, all industries have struggled with traditional enterprise cybersecurity risks and the consequences we read about in the headlines every day. As a result, there are many cybersecurity solutions for traditional IT areas such as local area networking (LAN), remote access and information security (infosec) in general. Although commercial real estate is late to the game in most IT solution implementations, we do have the advantage of being able to pick and choose what is right for our portfolios from established options.
If you have not already done so, in the near future your real estate organization will either put all building control systems on your existing enterprise network or provide a stand-alone remote access and LAN solution for those building systems. The latter requires a much simpler solution, one that not only protects the systems but is also cost-effective and easy to manage for the organization and for the contractors using it. In short: it needs to be an IT solution for a non-IT customer.
However, focusing on the remote access issue alone misses the real problem referred to in the first paragraph, which we call Vendor Risk Management (VRM). The 2019 Gartner Glossary defines VRM as "the process of ensuring that the use of service providers does not create an unacceptable potential for business disruption or a negative impact on business performance." Gartner intended this description for IT environments, but our 15 years in the real estate technology space tell us that it is even more applicable to real estate than to IT proper, for the reasons outlined below.
In larger portfolios, there are three things that any real estate professional knows about vendors - particularly building systems contractors:
(1) Fragmentation: There is tremendous fragmentation in the number and type of contractors across the total building count.
(2) Inconsistencies: The fragmentation creates indescribable inconsistencies in system setup and configuration, data backups and remote access.
(3) Turnover: There is frequent turnover at all levels between contractors, building managers and property managers.
Fragmentation, inconsistencies and turnover at scale create chaos. This chaos tells us the real problem is VRM and dealing with dozens or even hundreds of different contractors. They not only have (or need) remote access but also manage onsite, complex, digital building systems such as HVAC, elevator, lighting, parking and metering. These systems in buildings provide critical functions affecting life safety, experience, productivity, core network integrity, regulatory compliance and insurance exposure.
It is true that there is a big problem with secure, remote access for control systems and this must be addressed; but there are many different, well-established ways to address that technically. Notwithstanding that fact, nearly all those IT solution providers do not understand the technology or the culture of the building systems world - leaving the potential for a misused or underused solution for remote access.
Still the question remains: "What can go wrong if I establish secure, remote access?" Putting aside for a moment whether or not all contractors will adhere to the remote access procedures, the answer is that most things that go wrong today in building systems are not related to the proverbial hacking. The cause of approximately 80% of all cyber-related incidents is human behavior (www.itgovernance.co.uk). Hence, the number one cause of disruption in building systems is ransomware, followed by outdated software or firmware and then a variety of site-related problems caused by poor system configuration.
We know multiple real estate organizations that have never been hacked but have been completely shut down by these other VRM issues. Additionally, a related and very common behavioral issue is that there are no current backups to restore from; and the backups from all systems are never kept together in a single, validated place that lasts through contractor turnover.
With or without a remote access solution, if each system has its own password complexity, proper configuration and recent backups, it can survive a malicious attack or a sloppy mistake. This is the essence of VRM: having a proper inventory, a policy, and a policy compliance process for all systems and contractors. The policy and its compliance process must be reasonable and manageable given the deeply embedded cultural realities of building systems contractors, or they will risk rebellion and failure.
A VRM solution must have a customer-empowering, customer-owned approach and this approach must survive contractor turnover and rise above the inconsistencies caused by the fragmentation of service providers. VRM is a top-down solution that is pushed throughout all regions, buildings, systems and contractors. This will be manifested in new policy requirements, service contracts and organization-wide process and controls. The process and controls will eventually mimic formal IT process and controls such as SOC2 (Service Organization Control).
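The inventory-plus-policy-plus-compliance loop described above can be made concrete as a periodic check run over the portfolio's system inventory. The script below is an added illustration, not code from the article or from Intelligent Buildings: it evaluates each building system record against the controls the article names (recent backups kept in one validated place, current firmware, non-default and sufficiently complex passwords, and a still-active owning contractor) and reports the findings per system. The inventory records, the field names and the policy thresholds are all constructed assumptions for this example.

```python
"""Policy-compliance check over a building-systems inventory.

Added illustration only: the records, thresholds and field names below are
constructed assumptions, not data or code from the article.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed policy thresholds (assumptions chosen for this example).
POLICY = {
    "max_backup_age_days": 30,     # a restorable backup must be this recent
    "max_firmware_age_days": 365,  # firmware older than this is a finding
    "min_password_length": 12,
    "central_backup_repo": "portfolio-backup-vault",  # the one validated place
}


@dataclass
class BuildingSystem:
    building: str
    system: str                  # e.g. HVAC, elevator, lighting, parking, metering
    contractor: str
    contractor_active: bool      # False once the contractor has rolled off (turnover)
    last_backup: date | None
    backup_location: str | None
    firmware_date: date
    password_length: int
    default_credentials: bool


def check_system(s: BuildingSystem, today: date, policy=POLICY) -> list[str]:
    """Return the policy findings for one system (an empty list means compliant)."""
    findings = []
    if s.last_backup is None:
        findings.append("no backup on record")
    else:
        age = (today - s.last_backup).days
        if age > policy["max_backup_age_days"]:
            findings.append(f"backup is {age} days old")
    if s.backup_location != policy["central_backup_repo"]:
        findings.append("backup not in the validated central repository")
    if (today - s.firmware_date).days > policy["max_firmware_age_days"]:
        findings.append("firmware older than policy allows")
    if s.default_credentials:
        findings.append("default credentials still in use")
    elif s.password_length < policy["min_password_length"]:
        findings.append("password shorter than policy minimum")
    if not s.contractor_active:
        findings.append(f"owning contractor {s.contractor} no longer active (turnover)")
    return findings


def compliance_report(inventory, today: date, policy=POLICY) -> dict[str, list[str]]:
    """Map 'building/system' to its findings; only non-compliant systems appear."""
    report = {}
    for s in inventory:
        findings = check_system(s, today, policy)
        if findings:
            report[f"{s.building}/{s.system}"] = findings
    return report


# Constructed sample inventory and review date.
SAMPLE_TODAY = date(2019, 12, 1)
SAMPLE_INVENTORY = [
    BuildingSystem("Tower A", "HVAC", "Acme Controls", True,
                   date(2019, 11, 20), "portfolio-backup-vault",
                   date(2019, 6, 1), 16, False),
    BuildingSystem("Tower A", "elevator", "LiftCo", False,
                   date(2018, 3, 5), "contractor laptop",
                   date(2017, 1, 10), 8, False),
    BuildingSystem("Plaza B", "lighting", "BrightWorks", True,
                   None, None,
                   date(2019, 10, 1), 6, True),
]

if __name__ == "__main__":
    for key, findings in compliance_report(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(key)
        for f in findings:
            print("  -", f)
```

Run against the sample inventory, the HVAC system is compliant and drops out of the report, while the elevator (stale backup on a contractor laptop, old firmware, short password, departed contractor) and the lighting system (no backup, default credentials) are listed with their findings. In practice the inventory would be loaded from the portfolio's system register and the thresholds set by the organization's own policy.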
So, the next time you say you need to address cybersecurity for your building portfolio you might consider saying what you really need is a VRM strategy that includes cybersecurity.
Rob Murchison, Co-Founder, Intelligent Buildings
This article is co-authored with Rob Murchison, Co-Founder of Intelligent Buildings, a nationally recognized smart building consulting and services company that leads the industry in OT cybersecurity and vendor risk management solutions for projects and portfolios at scale. Rob has over 20 years' experience in strategy consulting, sales and design of technology to real estate developers and commercial businesses with expertise in networking, and software and database applications.