Three Ways To Protect Your Building From Data Intrusions
Almost every building has automated management systems today. While the Internet of Things—the network of physical objects embedded with connectivity—has transformed property management for the better, it has created new data security vulnerabilities, too. JLL CIO of the Americas Edward Wagoner tells us how owners and property managers can protect themselves.
“All you have to be reminded of are some highly publicized hacks that originated through the building management system,” Edward says—a potential threat for any building with such automated systems.
But it’s not necessarily for the purpose of stealing data, he notes. “What if I were mad at a building or company and decided to shut down the building elevators at 5pm on a Friday? Or set off security alarms?” he asks. “It starts damaging the brand.”
There is also the psychological impact of being trapped in a building or hearing alarms that may cause people to panic. If tenants become unhappy, he notes, it may become harder to renew their leases.
Then there’s liability. Not only can hackers steal financial data, but they can steal other kinds of data as well, including medical information—which means you could face a HIPAA (Health Insurance Portability and Accountability Act) violation if a medical office or health insurance tenant is compromised through the building system.
“Laws are becoming much stricter with regards to how companies protect consumer information,” Edward says. “In some countries, your name, email, phone number and physical address are all considered private information, and any unauthorized release of this data is against the law.”
Building owners and managers can take these steps to protect themselves from vulnerabilities:
1) Know Your Vendors
Many companies providing building applications are mom-and-pop companies that may not be focused on data security, Edward points out. It’s critical to work with reputable vendors who take an active approach to protecting client networks and data. Make sure their products have virus protection and that they’ve installed the latest security patches from software providers to close vulnerability gaps.
For example, Edward recalls a recent visit to a building with systems operating on Windows 3.1, a platform released in 1992 for which Microsoft ended support 15 years ago. Outdated software can be particularly risky because hackers may have learned its vulnerabilities long ago and the latest security patches may not be compatible with it. Equipment and facility management vendors should be proactive in addressing data security risks on behalf of clients, Edward recommends.
2) Hire The Right Skill Set
If you’re not a computer science expert, you need to learn to be one or hire the right person to help you, Edward says. “We can demonstrate that we know the proper procedures for managing client data, as well as our own, because we have two of the most important credentials—an SOC2 and the ISO-27001 certification.” Achieving these credentials required JLL to bring in a third-party auditor to test its policies and procedures and make sure its account managers and teams are properly following best practices.
3) Follow Best Practices For Access
The two most popular passwords of 2015 were “123456” and “Password,” according to Gizmodo. Those are not enough to protect your building.
Edward says the best route is multi-factor authentication. While multi-factor authentication classically prompts users with security questions, it’s getting more sophisticated. For instance, Edward says that a multi-factor security system might text a code to your smartphone.
“Since you have to have the physical object in hand to gain access to the network, hackers would have to steal not only your password, but also your phone.”
Facial recognition and thumbprints are also becoming more widely used. He said his Microsoft Surface Pro 4 won’t turn on unless his face is in front of the screen.