Innovations in Comfort, Efficiency, and Safety Solutions.
|The Business Side of
Why it Matters
Chief Marketing and Communications Officer,
Smart buildings have
created new opportunities for building owners and operators to leverage
technology that maximizes operational efficiencies, deliver better
performances, improves experiences for occupants and increases asset
value. They have also increased the risk of cyber attacks and opened
new opportunities for hackers looking to disrupt businesses.
Businesses, no matter the industry, are cyber targets. Improving cyber
security control and programs should be a priority for every
organization because a successful incident can lead to a number of
issues that directly affect the business side of an organization.
cyber vigilance within the built environment remains insufficient. Many
companies continue to be unprepared to deal with cyber risk. No
building owner, operator, system integrator, contractor, facility
operations manager, service provider or technology provider want to see
their efforts hindered by poor cyber security.
it comes to the business side of cyber security, there are many
concerns and resulting risks to be aware of. Here are several key
points from a presentation I delivered recently.
A Look at the Numbers
first public cyber incident occurred in 1971. It was the computer virus,
known as “The Creeper” and was purposely designed and released on
ARPANET and copied itself to the remote system displaying the words: “I
am the Creeper: Catch me if you can.”
12,449 was the number of
confirmed data breaches in 2018. This represented a 424% increase over
The average global cost of a data breach is $3.86 MM. This is up 6.4%
from the previous year.
The average cost of a cyber incident in the United States is $7.35 MM
$148.00 is the average cost globally, for each stolen record containing confidential information --representing a 4.8% increase 2018 vs 2017
5% is the average drop in stock price immediately following the disclosure of a cyber incident
1.8% is the average decline of share price on a permanent basis after a cyber occurrence
$6T (Trillion) is the projected
annual cyber damages costs by 2021
What are cyber criminals and bad actors
there are many things cyber criminals and bad actors take notice
of to find ways to take advantage of organizations, here are some of
the more common ones:
Critical and specific data about
customers, suppliers, and personnel-
cyber thieves are interested in obtaining sensitive info like credit
card numbers, social security numbers, and other data. At the same
time, they will try to infiltrate into a corporate network to siphon
information about customers, vendors, and staff as it can be sold from
$10 to $300 per record in the dark world depending on the data value.
Banking credentials- Think from
a hacker’s perspective- no cyber
invader will hesitate to figure out a company’s banking credentials in
order to swindle money and/or gain access to bank accounts.
Intellectual Property & Trade
Secrets – The competitive business
world has given rise to the increase in stealing trade secrets to stay
ahead of the competition or with some malevolent motives. Secret
formulas, software codes, design specs, and specific processes are
valuable information to hackers.
Email records– especially top
positions in both the private and well as
the public sectors can prove valuable within the cyber world. It has
been said that such data can bring $1,200 to upwards of $30,000
depending on the person whose account credentials have been stolen.
Supply Chain and Business Partners-
trying to obtain credentials and
access to passwords and accounts through a supply chain and working
relationship in order to find their way into the network of an
organization. This is especially true with larger companies.
What are the business concerns and
consequences that can result from a
Ratings and Assessments
There is an increase in interest in the cyber posture of a company with rating and assessment organizations. For example, Moody’s, a leading provider of credit ratings, research, and risk analysis is integrating a company’s cyber security posture and the dangers posed by cyber attacks into its broader advice about how various creditworthy companies and industry sectors are.
security has become a priority for lawmakers and law enforcement
agencies, regulators globally.
Within the United States, there are now some 30 bills introduced in the House of Representatives and 7 bills introduced in the Senate that directly deal with cybersecurity issues. These bills promote a proactive, holistic and risk-based cyber strategy and, most importantly, requires senior corporate oversight.
Cybersecurity Systems and Risks
H.R.5069-This bill amends the
Sarbanes-Oxley Act of 2002 to apply to
cybersecurity systems and officers the same requirements regarding
corporate responsibility for financial reports and managements’
assessments of internal control structures and procedures for financial
reporting as applying to public company’s subject to oversight by the
Securities and Exchange Commission (SEC).
In addition, the Securities and Exchange Commission has stated it expects companies to disclose cyber security risks and incidents that are material to investors, including financial, legal, or reputational consequences.
Congress introduces a bill to improve
'internet of things' security
Internet of Things Cyber security Improvement Act wants to make
sure the federal government isn't buying devices that can be easily
hacked. If passed, the federal IoT security bill would require
recommendations from the National Institute of Standards and Technology
on security standards the federal government should follow.
Within the States, this past year also witnessed a host of strong state cyber security regulations. New York, for example, now requires affirmative sign-off on cyber security plans and programs (see 23 NYCRR 500), which could potentially open up directors and officers to individual liability.
The State of California has taken a leadership role toward cyber security with new a new regulation for Internet-of-things (IoT) devices. Beginning January 1, 2020, all manufacturers of a “connected device” must equip that device with a “reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.
the EU, in addition to the GDPR, they have reached additional
agreements on establishing a cyber security framework to assist the
Member States in effectively responding to cyber-attacks. The Cyber
Security Act also creates a framework for European Cyber Security
Certificates for products, processes and services that will be valid
throughout the EU.
the wake of the number of significant cyber incidents, companies-and
their directors and officers can face a flurry of private lawsuits from
a range of different constituencies: individual customers whose
personal information has been compromised, shareholders alleging
failures by the board and senior leadership in preparing for and/or
responding to cyber attacks, and other third-parties.
Are you exposed?
incidents keep giving and giving
cyber incident does not just come and go. It is long lasting-i.e.
Target-this incident took place in 2013 yet here we are in 2019, and it
is still being talked about and referenced.
System Integrators and Service Providers
Integrators and Service Providers need to take a proactive
approach to cyber security and vulnerability mitigation. They must
understand threats and risks and practice best practice cyber security
methods. They need to demonstrate their cyber security credibility in
their proposals especially as more RFPs/RFIs are requesting that
cybersecurity protection is addressed. In addition, integrators are
getting assessment letters asking them what their cyber programs look
like and how they’re protecting the data, equipment and devices.
today’s data-driven economy and smart based buildings, it is
essential we collect, store and adequately protect data and proprietary
secrets. Failure to do so will significantly damage a company’s brand,
have an adverse effect on operations and directly impact revenue and
frequency of cyber attacks is only going to accelerate over the
coming years. Therefore it is vital that we have a full understanding
of the inherent business risks and implications. Balancing cyber
security priorities with business flexibility and agility is a tough
challenge. But it’s a challenge every organization faces as it strives
to drive growth, achieve competitive advantage and maximize operational
and performance efficiencies.
security is hard and always will be. Attackers will continue to
innovate with new techniques, deception and determination. The
challenge isn’t people, process, or technology; they all exist today
and are available. The big issue is the internal culture at companies
and the understanding of cyber security from a business perspective and
why it matters.
all comes to one thing-- risk. How much are you willing to take? We
can no longer take a wait-and-see philosophy or “it’s not going to
happen to us” approach when it comes to prioritizing and aligning cyber
initiatives within our buildings. As we operate in an interconnected
environment, we must look at their entire ecosystem and spread and
share responsibilities, creating security partnerships. Cyber security
is no longer an individual company effort; it is a shared
responsibility among us all.
Here are some resources that you may find useful.
Baldrige Cybersecurity Excellence
Builder Key questions for improving
your organization’s cybersecurity performance
Cybersecurity for Building Control
Systems Workshop Series
Intelligent Building Management
Systems: Guidance for Protecting
Building Automation & Control Systems. An Investigation into Vulnerabilities, Current Practice & Security Management Best Practice
[Click Banner To Learn More]
[Home Page] [The Automator] [About] [Subscribe ] [Contact Us]