A cybersafe return to the workplace

COVID-19 is a much-needed accelerant for transforming the building industry
Tuesday, August 10, 2021
By Dr. Rick Huijbregts

As the world is getting COVID-19 under control, every executive team and facilities department is—or should be—accommodating for a new era of work where flexibility and mobility are staples.

Our workplaces will need to be more open, more transparent, and adaptable to various modes of work, interaction, and collaboration. We will have to revisit ‘old’ concepts such as hoteling and open floorplans to meet new expectations. We have to prioritize the health and safety of our employees, from continued social distancing and enhanced cleaning protocols to upgraded ventilation and filtration (i.e., ensuring the air inside the workplace is being completely refreshed every 10 to 15 minutes). We will need to further embrace digital technologies to reduce physical boundaries and enhance seamless remote collaboration with the virtual world. And we have to be equitable and inclusive as we redefine our future.

The only sustainable way to create spaces that can absorb change and adjust to evolving expectations is to leverage converging and exponential technologies such as Artificial Intelligence and the Internet of Things (IoT). Already, more than 30 billion smart objects are connected to the IoT, adding conveniences and value-added services to our built environment, and the smart building market is growing at a double-digit rate annually, from $43 billion in 2018 to a forecasted $110 billion by 2026. The emergence of technology-enabled smart buildings already has proven to reduce energy consumption, increase performance, improve safety, health and security, and transform user experiences.

At last, our buildings are ready to catch up with the conveniences that future users have come to expect in the 21st century—and COVID has been the much-needed accelerant for this transformation in the building industry. As Winston Churchill famously said, “never let a good crisis go to waste.”

Unfortunately, however, the introduction of intelligent and connected systems leaves us exposed to one of the greatest threats of our century: the rise of cybercrime. What if a ransomware cyberattack prevented you from opening the doors in the morning? Or turning on and off the air handling system, causing discomfort for the occupants? What if you can’t control the lights or electricity in your building? What if hackers get onto tenant networks through backdoors in building system infrastructure? Do you know who has remote access to your current HVAC or security systems? Have you reset the factory passwords that came at installation?

Ransomware, phishing, spyware, man-in-the-middle (MitM) attacks, and distributed denial-of-service (DDoS) attacks are all forms of malware. Malware is software intentionally designed to cause damage to a computer or computer network, one that encrypts your files or effectively holds your systems or data for ransom. Access and control can be regained after paying the hackers a ransom. IBM suggests that the average price tag of such ransom is almost $4 million, and as high as $7 million in healthcare. In recent months, Colonial Pipeline paid US $4.4 million to regain control of its pipelines, and JBS Meat paid US $11 million to the hackers that broke into their computer system. How much are you willing to pay to get control of your own building systems and data?

There is no doubt that facility professionals need to prioritize cybersafe buildings. There are lots of ways to go about this, but here are three initial simple steps:

Audit and assess

First, do an audit and cyber assessment of your building today. Understand what is connected; how vulnerable and exposed your building systems are; what backdoor entrances you are not aware of; who is supporting and accessing your systems from afar; and what the magnitude of the risk is.

Crown jewels

Simultaneously, determine your “crown jewels”. What are your most mission-critical and valuable (information) assets that would cause the greatest harm and impact to your business if compromised? Consider all your systems and contemplate what would happen if you had no more access or control. Define your “crown jewels” not in isolation, but rather with the key stakeholders in your organization. Although we may have control over our building systems and facility’s assets, the implications of a breach will reach far and wide, well beyond your domain of control. What if you lose your company’s customer data due to an attack from within your HVAC network? How long will it take before disgruntled and frustrated occupants call you when they lose control over comfort and climate?


Last but not least, design and implement a comprehensive cybersecurity strategy. This strategy should comply with standards (e.g. ISO) and frameworks (e.g. NIST) to leverage established best practices. Your strategy will articulate data and process governance and detailed procedures on how to identify, protect, detect, respond to, and recover from inevitable security breaches. Be sure not to hold back putting some serious resources behind this—get some expert assistance and build out your own cybersecurity capabilities. Implement leading-edge tools and work with world-class vendors. It only takes one data breach or cyberattack to make this worth every penny.

These three steps require business, building, and IT professionals to come together and collaborate. Only an interdisciplinary approach will lead to sustainable success: cybersecurity is not the job of the IT department alone—it concerns us all.

This suggests an even more important preceding step: invest in the digital literacy and capabilities of your facilities team. Not only is basic digital behaviour our first-line defence against cyberattacks (e.g. changing and managing passwords, not opening unknown or unexpected email attachments, managing authorized access and privileges of service providers, asking the appropriate questions of vendors and suppliers, etc.), but our facilities teams will also need a fundamental understanding of the role of their internet-connected devices and systems in the digital world.

Digital disruption and connecting the Internet of Things is still a people business. Training and education are at the core of the transformation. Now, let’s get prepared for a safe return to a more intelligent built environment, one that is connected, protected, and ready for whatever your new normal is.

Dr. Rick Huijbregts is an industry fellow at Intelligent Buildings LLC, which is the only company focused on smart building advisory, assessment, and managed services at scale for both new projects and existing portfolios. Intelligent Buildings helps customers manage risk, enhance occupant well-being, and continually improve performance by providing unmatched expertise, practical recommendations, and targeted services.

Dr. Huijbregts is also vice president of strategy & innovation at George Brown College in Toronto.
