Categories:Cyber Security

3 reasons asset managers must prioritise cyber security

PostedWillow Team

October is Cyber Security Awareness Month. It’s a worldwide initiative that aims to increase awareness of cyber security and how to protect yourself whether you are a corporate, enterprise or individual.

It’s needed now more than ever as cybercrime continues to escalate year on year. There were 50% more attack attempts per week on corporate networks globally in the 2021 calendar year compared with 2020. We have also seen from the war on Ukraine and a focus on NATO countries how cyber attacks can play out when buildings, real-world assets, energy and other critical infrastructure suppliers are targeted.

Today’s reality is that the consequences of a cyber incident could result in an inability to operate and generate revenue, severe reputational damage and physical harm. This article focuses on the three reasons cyber security should be front of mind for asset managers all year round.

Unique cyber security challenges arise from using multiple third-party vendors

Traditional IT focuses heavily on the privacy and confidentiality of data and information flowing through the network. It is often managed in-house by a dedicated team.

Operational Technology (OT) is primarily concerned with safety and availability. Within the real estate industry, it is usually overseen by a building manager who uses one or multiple third-party vendors for CCTV, BMS, HVAC, digital signage, and lighting.

The use of various contractors creates issues such as

  • Lack of visibility or knowledge (by the owner) of how their buildings work
  • Increased exposure, and larger attack surface due to numerous entry points created by vendors, software and sub-networks required due to the poor interoperability between them
  • Increased vulnerability due to lack of maintenance and updates of vendor applications after they have been implemented
  • Higher risk of systems being compromised because asset managers forgo basic cyber security controls like firewalls, antivirus and monitoring tools due to the OT network being more sensitive to active toolsets.

Traditionally, asset managers have relied on air-gapping—the process of isolating a computer or network and preventing it from establishing an external connection—to protect their environment. However, this approach has an expiration date as the digitisation of buildings is forcing connectivity into outdated legacy networks.

When asset managers are left exposed to threats due to a lack of security investment, there are real consequences to physical safety, brand reputation, board liability, shareholder expectation and an organisation’s bottom line.

Reason one: Safety of occupants

The number of ransomware attacks on healthcare organisations increased 94% from 2021 to 2022. ​​41% of these were carried out against US-based firms in 2021. These kinds of attacks have resulted in delayed life-saving treatment and even death.

Over the last decade, other global attacks on physical assets have occurred. Iran’s uranium enrichment plants suffered systematic failures due to targeted malware. Google’s Sydney offices were exposed through its BMS, and most recently, smart office buildings across Europe saw their BAS devices which control and operate lighting and other functions, completely wiped.

All of these did or had the potential to threaten the safety and well-being of occupants.

Reason two: Reputational and financial damage

When a building becomes inaccessible or unusable due to a cyber attack, organisations face a loss of revenue, either from being unable to operate or tenants refusing to pay rent for space they cannot use. It can damage their market reputation and result in even the most high-grade buildings being unable to attract high-quality occupants.

The financial losses are not small. A 2013 hack via a third-party HVAC vendor cost Target $202 million in compensation, settlements and lost earnings. It can sink a stock price too.

According to a HBR report, after being hacked in 2019, Capital One’s stock price immediately dropped 6% and lost 13.89% over two weeks. Equifax’s breach in 2017 saw its stock price plunge from $142.72 to $92.98 in just one week and took years to recover.

This shows that the financial and reputational damage is real, and asset managers are as vulnerable as any other part of the network.

Reason three: ESG and reporting expectations

You might not think cyber security has much to do with an organisation’s Environmental, Social and Corporate Governance (ESG). As attacks on critical infrastructure, healthcare and other networked systems increase, cyber risk is fast becoming the most immediate and financially material sustainability risk businesses face.

While many organisations already manage cyber security well across their IT systems, their strong governance and ability to accurately track and measure cyber security fails to extend to their OT systems. It leaves them less resilient and less sustainable and has a flow-on effect on the stability of their communities and other organisations they work with.

On top of this, we expect to see insurers narrow the scope of cyber policy coverage at the same time as governments in the US and Australia push to regulate and encourage cyber security investment in physical assets.

Currently, these extend to critical infrastructure but may eventually expand to cover more simple physical assets such as commercial and real estate buildings, especially as they become more digitised and dependent on technology to function.

WillowTwin™ – helping you understand your assets better

WillowTwin™ is a digital representation of a real-world, physical asset. The real-time data is collected and synced to the digital version with the data made available by integrating the numerous systems within an asset to the digital twin.

When WillowTwin™ is deployed in a building or portfolio of buildings, it provides oversight, insights and analysis on activity, maintenance and performance. It can reduce the need for organisations to expose multiple vendors and, where possible, use WillowTwin™ as a single data source.

Our organisation is built to keep yours safer, and we continue to invest heavily in building and maintaining a secure platform. We have executive-level governance, an Information Security Steering Committee and only use the best-of-breed tooling to support detection and protection capabilities.

So asset managers can implement WillowTwin™ with confidence, we have a dedicated application security team. Their priority is your protection and the security of the solution. We are ISO27001 compliant and SOC 2 Type 2 Accredited – a standard highlighting our capabilities and commitment to developing a secure piece of software.

Partnering with the best

We partner with Microsoft Azure to deploy the WillowTwin™. This means you can have peace of mind; wherever you are in the world, your data is kept safe and meets local data privacy requirements.

Microsoft is a leader in their commitment to cybersecurity, investing around $1 billion in cloud security each year and detecting 1.5 million daily attempts to compromise its systems. When it comes to cybersecurity, it pays to have an organisation of Microsoft’s scale on your side.

If you’re an asset manager using multiple third-party vendors within your building, download our ebook to learn more about implementing a digital twin for Real Estate.

More articles you might like

  1. Join our mailing list

    Stay up to date with all the latest news and updates from Willow.