Cybersecurity for commercial buildings: what BBC stories really mean

Tuesday, May 5th, 2026

Based on available data, the BBC published or broadcast around 20 significant cybersecurity-related stories between January 2025 and early 2026 on its website, television and digital platforms. It reported extensively on a major hack of Transport for London (TfL), which affected approximately 10 million people.

Cybersecurity for commercial buildings can feel like someone else’s job until another BBC headline grabs the public’s attention, and suddenly it feels a bit closer to home. In this article, Geraint Williams, Chief Information Security Officer at Modern Networks, helps translate those often-disturbing news stories into plain, practical steps for building owners, operators, and tenants.

If you manage a large commercial building, you’re almost certainly juggling people, suppliers, budgets, and downtime risks. A cyber incident is not just “an IT thing”. It can shut down a building, creating some very awkward conversations with tenants, suppliers and visitors.

What does a BBC cyber story mean for your site?

When a cyber incident story breaks, the victim has seldom been targeted specifically. Many attacks are automated scans looking for easy gaps like out-of-date systems, weak passwords, unsecured remote access, or people being tricked by convincing phishing emails. Typically, attackers chase an opportunity (a vulnerability in the system), not a grudge.

This matters in commercial buildings because you often have lots of moving parts. Landlord systems, managing agent systems, tenant networks, shared Wi-Fi, contractors, and third-party apps can all sit side by side. One weak spot can cause disruption that spreads further than you expect.

Why “we are too small to be hacked” is a risky idea

A common reaction to cyber threats is, “Why would anyone target us?” The uncomfortable answer is that size does not protect you from automated attacks. If your defences are weaker than those of the next organisation, you become the easy option.

According to Verizon’s 2025 Data Breach Investigations Report, common entry points for cyber-attackers include credential abuse and vulnerability exploitation, which fits the real-world pattern of attackers using stolen logins and unpatched weaknesses.

The report states that “exploitation of vulnerabilities as an initial access step for a data breach grew by 34%, now accounting for 20% of breaches.”

Cybersecurity for commercial buildings is a business risk, not an IT chore

When something goes wrong, the impact is usually very normal and very expensive. Staff cannot work, tenants cannot access services, orders get delayed, invoices stall, and reputations take a knock. That is why it belongs in business risk planning, alongside things like continuity and supplier management.

The National Cyber Security Centre (NCSC) also frames incident response as broader than technology, with leadership, communications, and business decisions needed during an incident. If you haven’t already done so, we recommend you read the NCSC’s Responding to a cyber incident – a guide for CEOs.

Most incidents start with simple mistakes

A lot of successful attacks begin with everyday issues: a phishing email that looks genuine, reused passwords, missing multi-factor authentication, or no clear way for staff to report something that feels off. The point is not to blame people. Busy teams need guardrails that make the safe option the easy option.

On multi-factor authentication, the NCSC’s guidance for setting up 2-step verification is blunt in a good way: it makes it harder for criminals to access accounts even if a password is stolen.

“We have antivirus”, so are we covered?

Antivirus is useful, but it is not the whole answer. Modern attacks can use valid logins, move quietly, and sit in a network before anyone spots them. A more realistic approach is layered protection that focuses on identities, email protection, regular updates, and systems monitoring, so issues are spotted early.

Keeping systems up to date is not glamorous, but it’s powerful. The NCSC’s device guidance is clear that patches matter because they fix known flaws that attackers can exploit, and compromised devices can lead to stolen data, encrypted files, or systems that stop working at all.

The questions to ask if you are not “the IT person”

If cybersecurity is not your day job, focus on a few business-level checks. Do you know your biggest risks, so you are not trying to fix everything at once? Would you spot trouble quickly, or only when tenants start calling? Do staff know what to do when something looks suspicious? Could you keep operating if key systems were down for a day or two? Those questions matter more than any dashboard.

The ICO’s ransomware guidance is also worth a look because it ties practical controls to real-world outcomes. It describes ransomware as malware that blocks access to systems and data using encryption, and it points organisations towards measures like MFA for internet-facing services and a defined patch management approach.

What a good MSP should do for building owners, operators, and tenants

Your MSP should reduce confusion, not add to it. You should expect clear language, prioritised actions, and controls that suit your organisation’s size and risk profile. That includes tightening logins, monitoring for unusual activity, keeping updates under control, and making it easy for staff to report concerns quickly. The goal is not “perfect security”. It is steady, sensible risk reduction that makes you a harder target.

Get in touch

If recent cyber headlines have made you wonder where your commercial building or tenant setup is most exposed, talk to Modern Networks. We can translate risk into plain business impact, then help you put the right basics in place without turning it into a massive project.