The number of data breaches, exposures, leaks, and unknown compromises hit 3,205 in 2023, up 72 percent from the previous high of 1,860 set in 2021, according to the Identity Theft Resource Center (ITRC). The vast majority of these data compromises were linked to cyberattacks.
Cybersecurity isn’t a concern only for the information technology (IT) department in institutional and commercial facilities. As facility managers know, buildings have become more automated and connected, with devices linked to each other and the organization’s network. This cyber-connectedness helps buildings and facilities staff operate more efficiently. At the same time, however, it leaves facilities susceptible to cybersecurity attacks.
“Successful cyber-attacks on facilities can have severe consequences, such as data breaches, operational disruptions, physical damage, and significant monetary loss,” says Sean Ahrens, security market group lead with AEI Engineering.
In 2023, the average cost of a data breach hit $4.45 million, up more than 15 percent from 2020, according to the Cost of a Data Breach Report. Also in 2023, organizations spent an average of 204 days identifying data breaches and 73 days containing them, according to the Data Breach report. That equates to about nine months during which management’s time is devoted, at least in part, to dealing with a breach.
The damage done to the reputation of organizations that are victims of cyberattacks can also be significant. Moreover, many companies no longer can keep cybersecurity compromises private. As of 2023, the Securities and Exchange Commission requires publicly traded organizations to disclose material cybersecurity incidents. Yearly, they also need to disclose material information regarding their cybersecurity risk management, strategy, and governance.
Facility managers can protect against cybercriminals by understanding potential entry points, and then leveraging the technology and processes that can mitigate these vulnerabilities.
As in real life, users’ preference for convenience in the virtual world can lead to risks.
“It’s no different than physical security,” Ahrens says. Just like people sometimes prop open doors so they can get in and out of a building more quickly, some people find ways to make it easier to access data or applications from outside a facility’s operational technology (OT) network. There’s a price for that convenience.”
For example, to save money and time, service technicians may troubleshoot a building system remotely, says Fred Gordy, national practice lead, building cybersecurity with Michael Baker International. In some cases, multiple service technicians may share a single username and password. This makes it easier for the system administrator, who doesn’t have to keep updating this information as employees come and go.
The challenge?
“If you only have a single username and password, you don't really know who has access to the system,” Gordy says.
Ideally, organizations would provide each employee with his or her own log-in credentials. However, if a decision is made to share usernames and passwords, one way facilities professionals can mitigate the risk is with two-factor authentication, or requiring two forms of identification before users can access data or systems. For example, a user might need to input not just a password, but a code that’s sent to their phone number, after it’s been vetted.
Once employees leave an organization, their access to the IT and OT systems should be terminated, Gordy says. Otherwise, a disgruntled former employee who has access to the system may be able to compromise it.
Facility Managers Share Responsibility for Cybersecurity
