Cybersecurity Risks in Smart Commercial Buildings: How to Survive and Thrive

Monday, December 8th, 2025

Smart buildings promise convenience, efficiency and sustainability. Automated lighting, climate control, access systems and IoT sensors make workplaces more comfortable and energy efficient. But with these benefits comes a growing challenge: cybersecurity risk.

As commercial properties, from multi-tenanted offices and science parks to shopping centres and retail parks, become more connected, they also become more vulnerable. Cybercriminals see smart buildings not just as physical spaces but as gateways to valuable data and operational systems. For owners and managers, the question is clear: how do we protect our assets, tenants and reputation in this new digital landscape?

The World's Most Expensive Vending Machine

The threats are not just hypothetical. In one case, reported by Allianz, hackers accessed a New York City office block’s building management system via a connected vending machine, causing a building-wide shutdown that resulted in an estimated $350 million in damages from lost business. This highlights the vulnerability of operational technology in commercial buildings. Yet despite frequent headlines about cybersecurity disasters costing astronomical sums of money, many business leaders fail to act.

From Lions to Cybercrime: Why Some People Freeze

Imagine facing a lion in the wild. Your instinct is to “run,” yet some people freeze, paralysed by fear and uncertainty. A similar phenomenon occurs in boardrooms when cybersecurity threats loom large. Despite constant headlines and clear risks, some business leaders do nothing. This “freeze” response often stems from a feeling of being overwhelmed, fear of making costly mistakes, or a belief that someone else within the organisation will act. Just like in nature, inaction rarely improves your odds of survival, especially when the predators are digital and always hunting.

Why Cost Can Cloud Judgment

One reason organisations hesitate to provide proper cybersecurity is cost. They see security as an expense, not an investment. This perspective often stems from a focus on short-term profitability. So, security slips down the list. It gets the leftovers. It stays basic. It stays reactive. That choice costs more in the end. An embarrassing, highly publicised data breach or ransomware attack will certainly hurt more than the cost of prevention. But fear of wasted spend keeps you frozen. Without strong leadership buy-in, security programs stall. They fail to move beyond compliance. And when the attack comes, you pay more than you ever planned.

Bias Makes Matters Worse

Several well-documented psychological biases prevent business leaders from taking cybersecurity as seriously as they should, thereby reinforcing the perception of security as an unnecessary cost. The most common is the Optimism Bias, or “It Won’t Happen to Me” mentality, where leaders overestimate their own security posture and underestimate the likelihood of becoming a victim. This is compounded by the Availability Heuristic, where the perceived risk is low if they haven’t personally experienced a breach, despite the constant stream of news reports. Furthermore, the Normalcy Bias causes a failure to plan for large-scale cyber disasters by assuming conditions will remain stable. These cognitive shortcuts often lead to a disconnect between the reality of the threat landscape and internal decision-making, resulting in a systemic lack of preparedness across many organisations.

The Numbers are Against You

However optimistic you might be, the statistics show that medium and large enterprises are highly likely to experience a cyber-attack, and doing nothing is the worst possible option. According to the UK government’s Cyber Security Breaches Survey 2025, in the preceding 12 months:

  • 74% of large businesses and 67% of medium businesses reported experiencing a cyber-attack or breach.
  • Overall, 43% of all UK businesses identified a cyber-attack in the past year.

These figures highlight that cyber incidents are common occurrences for larger organisations, making preparedness crucial.

The Evolving Threat Landscape

Smart buildings rely on operational technology (OT) such as building management systems and IoT devices, integrated with IT networks for tenant services. This convergence creates an expanded “attack surface.” Every connected sensor, HVAC system or access control point is a potential entry for hackers.

Common risks include:

  • Ransomware attacks: Criminals can lock down building systems such as doors, lifts and HVAC, and demand payment to restore access.
  • Data breaches: Sensitive tenant information can be exposed through poorly secured networks.
  • Supply chain vulnerabilities: Attackers often exploit third-party systems, as seen in the infamous Target breach via an HVAC supplier.
  • Physical safety risks: Cyberattacks can disable fire alarms or security systems, putting occupants at risk.

According to RICS research, 27% of UK facilities managers reported a cyberattack in the past year, and global studies show 73% of business leaders expect a cybersecurity incident within 24 months. These aren’t hypothetical risks; they’re happening right now.

Why Multi-Tenanted Buildings Are High-Risk

Multi-tenanted properties amplify complexity. Different businesses bring different systems, devices and security practices. A single weak link, such as a tenant’s poorly secured network, can compromise the entire building. Shared infrastructure like Wi-Fi or building management systems increases exposure.

Building owners, operators and managers must ask: “Are we doing enough to prevent our building from becoming a hacker’s back door into our tenants’ organisations?”

The Cost of Getting It Wrong

Cyber incidents can lead to:

  • Operational disruption: Locked doors, disabled lifts, or power outages can halt business activity.
  • Reputational damage: Tenants expect security. A breach can drive them away and deter future occupiers.
  • Financial loss: Beyond ransom payments, legal costs and regulatory fines, the average global cost of a data breach in 2024 was £3.72 million.
  • Asset devaluation: Just as “brown discounts” apply to inefficient buildings, poorly secured properties risk a “digital downgrade” in asset valuation.

Building Cyber Resilience: Seven Practical Steps

Today, cybersecurity isn’t just an IT issue; it should be everyone’s concern, and a board-level priority. Here are some practical steps to strengthen resilience:

  1. Map your digital assets
    Identify all connected systems—hardware, software, networks—and who is responsible for each.
  2. Segregate networks
    Separate landlord and tenant systems. Keep critical building controls isolated from guest Wi-Fi.
  3. Update and patch regularly
    Unsupported software creates vulnerabilities. Establish a clear patch management process.
  4. Implement strong access controls
    Use multi-factor authentication and role-based permissions for building systems.
  5. Train your people
    Human error is a leading cause of data breaches. Social engineering attacks like phishing can lead to unwary staff giving cybercriminals the keys to your IT systems. Regular cybersecurity awareness training is essential.
  6. Plan for incidents
    Develop and test recovery strategies to ensure rapid restoration of services.
  7. Secure your supply chain
    Validate that contractors and service providers meet your cybersecurity standards. There’s no point in securing your systems only to have a third-party provider be used like a Trojan Horse to attack you from the inside.
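
A minimal audit of an asset register against steps 1 to 4 above, as an added example that is not from the original article or from Modern Networks. The register format, field names, zone names, owners and addresses are all constructed assumptions.

```python
import ipaddress

# Constructed sample asset register (step 1). Every value here is illustrative.
ASSETS = [
    {"name": "bms-controller", "zone": "building-controls",
     "subnet": "10.10.0.0/24", "owner": "landlord-fm", "mfa": True, "supported": True},
    {"name": "door-access", "zone": "building-controls",
     "subnet": "10.10.1.0/24", "owner": "", "mfa": False, "supported": True},
    {"name": "lobby-vending", "zone": "guest-wifi",
     "subnet": "10.10.0.128/25", "owner": "vendor-x", "mfa": False, "supported": False},
    {"name": "tenant-a-lan", "zone": "tenant",
     "subnet": "10.20.0.0/24", "owner": "tenant-a", "mfa": True, "supported": True},
]
CRITICAL_ZONE = "building-controls"  # hypothetical zone name for landlord OT


def audit(assets):
    """Return (asset, finding) tuples for gaps against steps 1 to 4."""
    findings = []
    for a in assets:
        if not a["owner"]:                      # step 1: someone is responsible
            findings.append((a["name"], "no-owner"))
        if not a["supported"]:                  # step 3: unsupported software
            findings.append((a["name"], "unsupported-software"))
        if a["zone"] == CRITICAL_ZONE and not a["mfa"]:   # step 4: MFA
            findings.append((a["name"], "no-mfa-on-building-control"))
    # Step 2: assets in different zones must not share address space.
    # Overlap proves a segregation failure; absence of overlap does not
    # prove isolation, which still depends on firewall and routing rules.
    for i, a in enumerate(assets):
        net_a = ipaddress.ip_network(a["subnet"])
        for b in assets[i + 1:]:
            if a["zone"] == b["zone"]:
                continue
            if net_a.overlaps(ipaddress.ip_network(b["subnet"])):
                findings.append((f"{a['name']}<->{b['name']}",
                                 "zones-share-address-space"))
    return findings


if __name__ == "__main__":
    for asset, finding in audit(ASSETS):
        print(f"{asset}: {finding}")
```
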

Future-Proofing for Standards and Certifications

Cyber resilience is more than just risk reduction. It can be a competitive advantage. Certifications like WiredScore and SmartScore assess digital connectivity and smart building performance. Strong cybersecurity practices are integral to achieving these ratings.

Why does this matter?

  • Marketability: Tenants increasingly demand secure, connected spaces.
  • Asset value: Certified buildings command higher rents and valuations.
  • Trust: Demonstrating robust digital security builds confidence with occupiers and investors.

How Modern Networks Can Help

At Modern Networks, we’ve spent decades supporting the UK commercial property sector, tackling the unique challenges of multi-tenanted environments and complex estates such as science parks and shopping centres. Our services range from tailored cybersecurity audits and risk assessments to network design and segmentation that safeguard critical systems. We provide 24/7 monitoring and incident response for complete peace of mind, along with compliance support to help you meet WiredScore, SmartScore and regulatory requirements. More than just installing technology, we work as your strategic partner to build a secure, resilient digital infrastructure that protects your tenants, your reputation and your investment.

Doing Good by Doing Good

Smart buildings offer incredible opportunities for efficiency, sustainability and tenant experience. But without robust cybersecurity, those benefits can quickly turn into liabilities.

By acting now, before a crisis strikes, you can safeguard your building, enhance its market appeal and future-proof your asset value. With the right strategy and the right partner, you can turn digital risks into competitive advantages.

Ready to strengthen your building’s cyber resilience?

Talk to Modern Networks today and discover how we can help you stay secure, compliant and competitive.