Protecting Property from Cyber Attack
The recent Ransomeware attacks that rocked the NHS remind us just how reliant our organisations have become on technology.
Computer systems run services fundamental to delivering public services; like patient records, financial transactions, scheduling trains and keeping the lights on. But they also control who comes into our workplaces, who has paid for their school meal and the temperature of our facilities.
Organisations don’t control heating and access with just switches and buttons anymore. We now use smart cards, CCTV networks and software. Building Management Systems connect all the sub systems we take for granted including lighting, heating, ventilation, cooling, fire protection, CCTV and access. We don’t even need dedicated terminals; systems can be run from our mobile devices with apps.
Connected estates enable our public services to be flexible, efficient and productive. However, no matter how much our IT partners invest in protecting our networks, vulnerability can still come from a single PC not having up to date virus software or security patches.
Our Principal Surveyor, Joe Reidy says “Complex contractual relationships between owners and occupiers, combined with third party facilities management, can cloud accountability. That means things can be missed.”
The risk of our buildings being affected by a cyber-attack increase as they become more interoperable, leading to data and financial loss, and even shut-down.
As we have seen from the NHS situation, although the cause is technical, preventing it is a management challenge. It requires processes and governance to make sure risks are assessed and mitigated. As Richard Whan, one of our leading Facilities Management consultants suggests, “don’t leave it for ‘another day.’”
Elizabeth Luxton, our Head of Estates sets out this simple checklist every public-sector property manager can consider when you’re planning to make sure the next attack does affect you.
- Define the property portfolio and who is responsible for each site.
- Outline when and how they should report their risk register
- Set out what standards and certification should be maintained and reported on
- Define a governance assurance process for each stage of a property life cycle
- Agree who is going to support your team on the ground with technical capability and the network segmentation options should an event occur
- Identify the responsibilities of your property supply chain, determine now how robust they are and carry out a gap analysis
- Share the plan on what to do if an incident occurs and test it regularly