by Michael Magee

Reports across the internet indicate that data breaches across industries often cost $4 million or more, with system restoration of a manufacturing system estimated at around $2.5 million. While exact numbers for the cost of a commercial office building dealing with a compromised building automation system (BAS) are difficult to define, it’s clear that cyber incidents are typically costly and unforeseen. Even a minor event can severely strain a property’s budget. Additionally, the potential risk to life safety and the loss of trust from current and prospective tenants can profoundly affect the long-term financial health of the property.

The risk and unpredictability of cyber events challenge even the best budgets. Thankfully, there are actions that should be included in an operations budget. With many properties moving into budget season, Intelligent Buildings (IB) wanted to share some of the data-driven recommendations we are preparing for our customers:

Allocate budget to update the operating systems on your servers.

IB’s monitoring and site assessment activities find that 80% of properties have at least one system running on an operating system (OS) that is or will be unsupported by the end of 2025.

• All support for Microsoft (MS) Windows 10 ends in October 2025, and Server 2012 loses its support in 2026. Upgrading from Windows 10 to 11 may be free; however, budgets for IT admins and systems vendors on site should be accounted for. Server 2012 may be more problematic, as many system applications may need to be upgraded to run on a newer version of MS Server.

• Mainstream support for Server 2019 ended this year, and full support will end in 2029. Since this will likely trigger a number of system upgrades. Starting to plan for this now will have less impact on future budgets.

• In addition to the primary systems (BAS, access control, video surveillance), ensure you are checking the systems that you infrequently interact with including elevator controls, digital signage systems, indoor air quality (IAQ), and metering systems.

Increase or allocate additional budget to your IT support administrator to include the administration of the operational technology (OT) system servers.

IB has identified this as a grey area in many vendor service contracts. Vendors may keep their applications up to date, but they often rely on the property staff to update the operating system and care for the server, while the owner believes they are paying the vendor to manage the server. As a result, the server falls behind in updates and security patches.

• Plan for updating your IT support contracts to take over admin support of your system servers. They better understand your risk tolerance, are specifically trained, and are better positioned to administer these devices.

Invest in or update your firewalls and antivirus/anti-malware (AV/AM) protecting your servers.

IB deploys a zero-plus platform that blocks all external attacks. Even with a zero-trust solution blocking all external attacks from the internet connection, the IB antivirus platform reports suspicious activity at the endpoints. This could be dormant code or, more likely, malicious code introduced by a transient device used on other networks (USB, tech computer).

• Firewalls age like other IT equipment and need to be replaced on a schedule. Determine if your firewall can be updated or needs replacement, then verify that its rules are configured to be restrictive and OT-specific.

• AV/AM provides protection at the endpoint. Viruses and attack methods are constantly evolving, so your AV/AM needs frequent updates to stay current.

• Cyber defense requires a layered approach that includes protecting the entry (firewall) and the endpoint (antivirus) that should be coordinated with your IT support administrator and system vendors.

Allot funding to deploy a remote backup platform.

When IB reviews how systems are backed up, we find system techs often back up the application and database locally on the existing server or to a flash drive left in the desk drawer. Backups to the server are often done to the same physical drive as the application. So, if the server crashes, the backup is usually lost. Flash drives get lost or written over unless properly handled.

• Give yourself peace of mind and budget for a cloud-hosted backup service.

• Backups should be captured at least once weekly.

• Choose a platform that periodically does a restore test on the backup.

Provide training and raise awareness.

IB believes training and awareness programs are crucial to cybersecurity because they help prevent human error. Informed users are better equipped to recognize and avoid phishing attempts, malware, and other cyber threats. Additionally, a culture of cybersecurity awareness promotes proactive behavior and adherence to security policies, reducing the overall risk to the organization.

• Budget for internal or external resources to host regular cybersecurity campaigns through training sessions, workshops, and awareness campaigns.

• Promote your cybersecurity policy and ensure all vendors that connect to your network have agreed to follow it.

Anticipating the actions to secure building systems will impact the operations budget far less than an actual cyber event. With good security measures, the advantages of using technology to help run buildings can still outweigh the risks. Many building owners understand the importance of having a good cybersecurity plan. The challenge seems to be making sure you have enough budget to implement it.