Cyber in the built environment

We are surrounded by digital technology in every aspect of our lives; whether we carry it in our pockets and bags, have it displayed on screens in our homes or it is used to control the buildings in which we live and work. Smart building controls are an area of rapid development and the associated cyber security aspects require careful consideration.

The key trend we have observed in our research around this at Mishcon de Reya is the close relationship between the digital and physical worlds: cyber breaches cause not just losses of data or funds, but can cause physical, real world consequences. As a result, cyber security is an important consideration to bear in mind when choosing a new location or when upgrading an existing building. For example, IoT technologies have provided building occupiers with digitised fire systems, but if the integrity of the system can be breached, what impact will this have on the fire safety response?

Our research has determined that cyber risks to the property industry can affect three interdependent groups – building designers and contractors, building owners and managers and building occupiers. The cyber security and data retention choices that any one of these parties makes can have profound consequences for the others, and so it is key that decisions are considered in the wider context of a property.

Designers and Contractors

The digitisation of building planning and design involves the generation of large volumes of digital information. This data must be accessible to multiple parties throughout the lifecycle of the creation of a building in order to enable collaborative working, and as its accuracy is of importance for build planning and budgeting; the protection of its integrity is therefore important.

As with all modern businesses, real estate is a potential target for cyber-enabled fraud. The involvement of a wide range of small to very large organisations can introduce a level of complexity that leaves building projects susceptible to fraud schemes involving supplier invoicing and purchasing teams. Our research shows that fraud schemes of this type are increasing significantly year on year.

Building Managers

The introduction of smart buildings has given owners and managers the ability to monitor and influence their internal environments. Integrating technology into a building’s structure increases its attractiveness to buyers and tenants, as well as increasing the overall value of the space on offer. Clearly technological improvement can bring potential cyber risks, and decisions around these need to be made with an eye towards not just sales value but also future security and business continuity.

Smart building technology generates considerable amounts of data and additional responsibilities in terms of data protection and security. The introduction of the new General Data Protection Regulation will see stronger protections for personal data in its many forms; for example, data relating to activities such as the tracking of staff movements to facilitate workspace planning and optimisation. Building Managers will need to ensure that this data is treated in accordance with the new regulations as employees and users of the building will have the right to request copies of the data that is held on them.

Building management systems require regular monitoring, as business disruption can occur if systems are accessed. The blurring boundary between office IT and building management systems has led to at least one high profile data breach that was initiated by a third party (in this case a heating and ventilation contractor) being given access to the organisation’s internal networks. It is therefore important that the separation of the building from wider IT should be carefully managed.


Many individuals are oblivious to the data that is collected about them as they go about their daily business. From entry phones, to retail footfall counting, the built environment is a significant harvester of personal data.

The good news is that GDPR will mean that individuals will now have new rights to access data held on them and have it amended, rectified and deleted. Confidence that building managers and owners are on top of these requirements may form part of any decision making process for future building occupiers.


As the built environment becomes more reliant on technology, cyber security and data protection will become more important. Planning ahead will allow designers, building managers and occupiers to create safe, reliable and compliant buildings. Ignoring the risks could cause regulatory and business critical issues.

As always, the business strategy for managing cyber and data risks should be proportionate to the scale of the company and its overall appetite for risk; it is important to strike a balance between business priorities and cyber/data protection.

For more information, please contact Joe Hancock