- Facilities Manager »
- Maintenance Craftsperson »
- Building Maintenance Technicians Needed! »
- Director of Facilities Management »
- Facilities Coordinator »
How to Team Up with IT for Cybersecurity
For facility managers, maintaining equipment and keeping entryways secure and free of hazards to mitigate physical risks are all part of a day’s work. This includes tasks like checking sprinkler systems, handling routine repairs, controlling building entry, and removing snow from lots and sidewalks. As technology evolves across all industries, facility managers must be aware of an additional workplace hazard: cyber risk. Cyberattacks allow criminals to enter facilities in a whole new way. Facility managers who create close partnerships with their IT teams and become knowledgeable in cybersecurity can help reduce the risk of costly security breaches.
The Internet of Things (IoT) consists of devices or equipment that transfer information or link to a network. Consider smart devices engaged in running a building: remote HVAC control, lighting, digital whiteboards, keyless ingress and egress points, sensors, security and access control systems, business machines, and countless other wireless devices. These devices embedded with software and other technology are all contributing data to IoT, which makes them all targets for criminal activity — especially when in large corporate or leased offices. Devices connected to the IoT are targets for good reason — accessing them can make criminals a lot of money, and breaches can tarnish a company’s name in the process.
Any facility is at risk for cyberattacks. According to the Identity Theft Resource Center, data breaches are up 68 percent since 2020. They report that in 2021, there were 1,862 compromises that impacted 293,927,708 victims. With facility managers overseeing several pieces of building equipment and technologies that use vulnerable software, creating a connected, digitally secure facility must be a priority. While this might feel like the role of IT staff, the crossover into a facility manager’s responsibility becomes clear when looking at the connected facilities ecosystem.
Identify the threat
Imagine an entire business forced to shut down because a cybercriminal restricts access to critical data or compromises entryway badge readers, putting people inside at risk. These are the stakes. But recognizing a threat is the first step toward overcoming it.
Cybercriminals can strike from anywhere. Some may work in the facility itself, accessing and stealing private information for themselves or others. Others can enter from a remote environment anywhere in the world, stealing data, manipulating the facility’s systems, or taking personal identification information.
Often, attackers will demand large sums of money to release encrypted data or relinquish control of Wi-Fi-controlled systems. Many businesses will pay out the ransom to keep their business running, but that one-time financial hit can take years to recover from. Also, paying the extortion demand does not:
- Guarantee that the decryption key works as expected, or even at all.
- Ensure the threat actor is out of the environment.
- Prohibit the threat actor from extortion or data disclosure.
- Restore lost data.
- Prevent future attacks.
- Repair reputation damage.
Tools for success
By taking an active role in the cybersecurity of the building and utilizing the resources at their disposal, facility managers can support each component of their company’s safety and security program.
Evaluate access controls: Working directly with IT, facility managers can learn each system’s exposures and develop a plan for protecting the facility. Some effective ways facility managers can help create the most secure systems include:
Identifying all types and locations of data: Make a list of all the building’s connected devices and any other areas with sensitive data. IT departments may not be aware of all the devices in use, or the type of data flowing in and out of the building, without facility managers bringing it to their attention.
Restricting access: Allow only select individuals, whose jobs require access to that specific device or system, to access that equipment.
Managing passwords: Every person who has access to the devices or systems should have a complex and unique password and utilize multifactor password authentication. Multifactor authentication combines two or more independent credentials to access the system. For example, the user would need first to enter their password (something they know), followed by a unique code sent to their phone (something they have). Any default passwords used when implementing new devices or systems should be changed immediately. Typically, these are commonly known passwords that bad actors can use.
Limiting employee access to files and consoles: Determine if individuals can pull data off consoles using external storage, like a thumb drive or through a wireless connection. Lock down necessary physical access to consoles. If facility managers have control on the backend, for example, they can make it more difficult for a disgruntled employee to download sensitive files.
Managing vendor access: When vendors sell equipment with connected systems, they often maintain a port of entry for maintenance. For instance, HVAC vendors may need to perform firmware and software upgrades to the equipment. Determine how secure their access is — how they get in and how well they control who has access. Consult with the IT team to ensure necessary vendor access is as secure as possible.
Work with IT to monitor system activity and establish a communication program to identify any internal or external attempted security breaches.
Backup data: If ransomware causes data to become encrypted, backups can help restore the system. Backups should be kept separate from the main network and are a key mitigation component to avoid paying a ransom.
Plan for patch management: Old operating systems are more vulnerable to malicious attacks. Work with the IT department to stay on top of updates to all the software in the facility’s IoT and promptly install security patches.
Create an incident playbook: Even with a close eye on all the IoT and a close partnership between facility managers and the IT team, businesses can still fall victim to cybercriminals. That’s why it’s critical to have a game plan for the “what if” scenarios.
Establishing a playbook, also known as a disaster recovery and business continuity plan, allows facility managers to determine what to do, provides a list of first responders to contact, and outlines a step-by-step incident response plan. Expediting the needed steps and mobilizing the right individuals can make all the difference when time is of the essence. Businesses often have disaster recovery plans for catastrophic events, such as natural disasters and power outages. Similar principles apply for creating an incident playbook for a cyberattack.
Seek support from insurance providers: Insurance providers can be a valuable resource as businesses develop their playbook. Cyber liability insurance can help provide an extra layer of protection from the risks a facility faces. Well-established insurance providers often have a general response plan already outlined for clients with reputable outside vendors, such as public relations crisis management experts, cyber forensics experts, cyber extortion payment facilitators, and attorneys. These experts are routinely vetted, and can intervene at the right time, softening the financial and reputational blow of a cyberattack.
A valuable collaboration
Breaches can occur when there isn’t a close partnership between IT and facility managers because experienced cybercriminals can identify and exploit such vulnerabilities. But when facility managers and IT teams work together, they can enhance their combined knowledge to help protect their customers, their fellow employees, and their company’s bottom line.
While these are effective guidelines to help facility managers and IT teams protect their companies from cyberattacks, it’s important to stay connected with its insurance provider for guidance. The provider can offer greater detail about insurance options and help with a response plan specific to each company. In addition, consult a cyber professional and attorney for advice.
Dan Zastava is the director of corporate underwriting and product development for Sentry Insurance. Sara Hillery is a Sentry corporate underwriter and product specialist. Scott Hellberg is the director of information security governance, risk and compliance at Sentry.