Commercial sector must face up to digital risks

What do we mean when we talk about cyber risks in buildings – and how is the commercial property sector tackling its exposure?


  • Dan Hughes

06 October 2023

Technology has become commonplace in most buildings, with more and more data being collected through digital systems and smart sensors. However, for all the benefits that this brings – and there are many – there are also risks that need to be considered. 

The sector has been aware for some time of the risks to companies of data breaches or cyber-attacks. But as buildings evolve from concrete blocks into smart platforms, they too are becoming vulnerable to cybercrime. 

Research identifies risk of cyber-attacks

Research published in 2022 by global software company Essensys found that a third of office workers are aware that their organisation has had a data security breach. In the latest RICS Facilities management survey, 16% of respondents said their building had experienced a cyber-attack. 

Cybercrime, from phishing to ransomware attacks, is often not openly discussed given the commercial and reputational risks it can bring. Perhaps as a result, 2022 research by cybersecurity and systems management firm Tanium suggests that 86% of IT decision-makers who had experienced a cyber-attack in the previous six months believed that senior leadership is only likely to invest in cybersecurity after suffering an attack. 

However, as we can see from the above research, digital risks are a reality today and as the use of technology in buildings grows, so too will the risks.

Related article

Why you should invest in making buildings smart

Read more

Sector vulnerable in numerous ways

While cyber-attacks often grab the headlines, the digital risks facing buildings are far broader – and often overlooked by property managers. This should not deter organisations from using technology, however; they just need to ensure that the risks around it are managed appropriately. 

Digital risks might include hardware becoming outdated, software being unusable or threats to privacy, where data is collected without appropriate consideration, sense of purpose or communication.

A few case studies illustrate how these risks can affect commercial property.

  • Building access failure: Facebook and its subsidiaries, including Messenger, WhatsApp and Instagram, experienced a global outage in 2021 and became unavailable to their users for several hours. Facebook staff were also reportedly prevented from accessing parts of their own office buildings as the security pass system was affected as well.
  • Hardware vulnerability: Perhaps one of the earliest high-profile case studies was in 2013 when US retailer Target was victim of a huge data breach, with malware being used to steal data on around 70m debit and credit cards. The sector was shocked when it was revealed that the hacker gained entry through the retailer's HVAC supplier, highlighting the vulnerability of such systems to a cyber-attack when they are online. 
  • Data privacy fines: A London-based estate agency was fined £85,000 by the UK Information Commissioner's Office (ICO) in 2019 after a data breach left customer's data exposed for more than two years. This included financial records, copies of passports, dates of birth and addresses of both tenants and landlords. The ICO said that the company had failed to take appropriate technical and organisational measures to protect customers' personal data.

These are just three examples in the public domain; there are countless more, and the number is growing rapidly.

Engagement and responsibility are key

Today, companies tend to concentrate their efforts on managing the digital risks to their day-to-day business systems alone, rather than considering those that relate to the buildings they own or occupy. This needs to change. 

When risks in property are not properly handled technology may fail, whether due to poor management or intentional attack, and the building will not perform effectively for its users. This can lead to safety risks, fines, brand damage or people being unable to use the building – all of which ultimately lowers asset value. Action is therefore needed at both the building and sector level.

When it comes to individual buildings, the RICS International Building Operation Standard (IBOS) states: 'A professionally managed building should aim to have a documented register of the largest digital risks it faces, and the steps that can be taken to manage them.' 

Stakeholders for such buildings therefore need to be clear about all the technology they contain, what might go wrong, and who is responsible if it does. The lack of clear responsibility for risk is often a large part of the problem, with owners, occupiers and managers assuming that this sits with other parties. The information should therefore be included in a risk register that is reviewed and updated regularly.

As a sector, though, property needs to make sure those responsible for digital risks are sufficiently aware of and engaging with them. Suitably robust business practice is also vital to manage data appropriately, including agreement over intellectual property rights, how the data is shared responsibly and how it is valued. 

Overall, when digital risk is managed effectively, it should help improve the efficiency of technology, reduce long-term costs and potentially lower insurance costs – all of which will benefit business.

'When risks in property are not properly handled technology may fail, whether due to poor management or intentional attack, and the building will not perform effectively for its users'


Dan Hughes is director of Alpha Property Insight and Digital Property Risk

Contact Dan: Email

Related competencies include: Data management, Smart cities and intelligent buildings

Related Articles


go to article When does new safety regime apply to commercial units?


go to article How regulatory reviews help improve valuation practice


go to article How valuers can support London's prime retail market