Cybersecurity Breaches in Facilities Management
EXECUTIVE SUMMARY
Dr. Erika Pärn1
Jeffrey Saunders2
Edited by Matt Tucker3
CONTEXT
In April 2024, the World Economic Forum reported on data showing that critical infrastructure is the top target for cybercrime, with corporate targets ranking fourth in the total number of global cyberattacks in the previous year.4
In August 2024, one of the world’s largest oilfield service providers confirmed unauthorized access to some of its systems; and by the end of September, the company’s expenses related to the cybersecurity incident reached US$35 million.5
As more digitally controlled systems and cloud-based tools are incorporated into building operations, critical functions are increasingly susceptible to breaches. Cyberattacks on operational technology (OT) systems can trigger equipment malfunctions, facility shutdowns, even explosions; however, information technology (IT) departments are not always involved in securing OT systems and facility management (FM) professionals are often unaware of their responsibility in implementing robust cybersecurity measures to safeguard building technologies.6
SCOPE
Drawing on data from the largest survey of its kind in the FM industry, this study evaluates the current state of cyber awareness and preparedness among FM professionals and identifies 10 unique organizational configurations that commonly lead to cyber incidents.
Survey respondents’ perceptions of cybersecurity in their organizations were measured across seven internal and external factors:
KNOWLEDGE
How well managers understand their organization's cybersecurity needs.
THREAT PERCEPTION
Awareness of risks like financial loss, operational disruption, or data theft.
PREPAREDNESS
Steps taken to establish policies, train employees, and secure systems.
BARRIERS
Challenges like outdated systems, lack of investment, or limited employee training.
CRITICALITY
The importance placed on protecting key assets, such as IT systems, financial data, and operational infrastructure.
TECHNOLOGY TURBULENCE
Rapid changes in technology that create new vulnerabilities.
MARKET PRESSURES
Customer demands and competition that strain resources.
KEY FINDINGS
The report identifies four common high-risk organizational scenarios that make organizations especially vulnerable to cybersecurity breaches. Each organizational scenario highlights a different combination of weaknesses in internal and external factors:
1.
The Unprepared Minimalist
Description: This is the most vulnerable configuration, where no significant internal or external cybersecurity measures are in place. Organizations in this category lack basic policies, training, and resources to defend against threats.
- Key Risk: With no internal preparedness (e.g., training, policies) or external awareness (e.g., technology trends, market pressures), these organizations are easy targets for cyberattacks.
- Action Needed: Start by implementing foundational cybersecurity policies and providing employee training to build internal defenses.
2.
The Market-Driven Reactor
Description: Organizations in this category respond primarily to market dynamics, such as customer demands or competitive pressures, but neglect internal cybersecurity preparedness.
- Key Risk: Relying solely on external responses leaves them unprepared to manage vulnerabilities, as they lack critical internal systems like training programs or operational readiness.
- Action Needed: Shift focus inward by establishing cybersecurity frameworks and ensuring employees are well-trained in cybersecurity protocols.
3.
The Tech-Focused Struggler
Description: These organizations are preoccupied with technology turbulence — rapid changes in digital systems — but fail to back this up with robust internal cybersecurity measures.
- Key Risk: Without strong internal policies or operational readiness, these organizations are at high risk of breaches despite their focus on adapting to technological changes.
- Action Needed: Strengthen internal defenses, such as implementing policies that cover IT systems and training staff to handle tech-related vulnerabilities.
4.
The External Pressure Cooker
Description: This configuration faces both market pressures and technological turbulence but has weak internal readiness to handle these external demands.
- Key Risk: The combination of external challenges without sufficient internal defenses makes these organizations highly susceptible to cyberattacks.
- Action Needed: Balance external responses with investments in internal preparedness, including regular cybersecurity assessments and resource allocation for training and infrastructure.
These high-risk scenarios can be avoided by striving to adopt the following lowest-Risk organizational scenarios. These scenarios highlight organizations that minimize cybersecurity risks through various strengths. However, even the most effective configurations have potential weaknesses that facility managers should address to ensure comprehensive protection.
1.
The Comprehensive Defender
Description: The most resilient configuration, where all internal and external factors are present. Organizations in this category excel at balancing operational readiness, cybersecurity preparedness and external pressures.
- Strengths:
> Fully integrated systems provide strong internal and external defenses.
> Proactive monitoring and response to external risks, like technology changes and market dynamics.
> Awareness of asset criticality ensures resources are allocated to protect high-risk areas.
- Weaknesses:
> Resource-intensive: Maintaining this configuration requires significant financial and human resources, which may not be sustainable for all organizations.
> Complexity in managing a wide array of internal and external factors simultaneously could lead to inefficiencies.
- Main value:
> Demonstrates the value of a holistic approach while emphasizing the importance of asset prioritization.
The Balanced Protector
Description: This configuration balances internal and external factors. It includes operational readiness, financial readiness and external awareness of market dynamics.
- Strengths:
> Strong financial resources enable investment in cybersecurity initiatives.
> Awareness of market dynamics ensures the organization is responsive to external demands.
> A balanced approach to managing both internal and external risks.
- Weaknesses:
> Cybersecurity preparedness is absent, meaning the organization may lack specific policies or training programs to address direct cyber threats.
> Operational measures may be reactive rather than proactive, exposing gaps in internal defense mechanisms.
- Main value:
> Highlights the importance of strengthening cybersecurity frameworks while adapting to external pressures.
2.
3.
The Well-Rounded Defender
Description: Organizations in this configuration combine operational readiness and cybersecurity preparedness. This balance creates a solid internal foundation.
- Strengths:
> Operational systems work seamlessly with cybersecurity defenses, reducing risks of internal disruptions.
> A well-coordinated approach ensures that most internal vulnerabilities are managed effectively.
- Weaknesses:
> External factors are absent: leaving the organization exposed to changes in market demands or technological turbulence.
> Limited flexibility to respond to external cyber threats, such as those arising from industry-wide vulnerabilities.
- Main value:
> Supports the need for a holistic approach (Recommendation 4), integrating internal and external considerations.
The Cybersecurity Champion
Description: This scenario represents organizations with strong cybersecurity preparedness. These organizations have effective cybersecurity policies and proactive measures to manage risks.
- Strengths:
> Clear and robust internal cybersecurity frameworks and protocols.
> Strong focus on mitigating internal risks through proactive planning and systems.
- Weaknesses:
> External factors are absent, meaning the organization may struggle to adapt to external pressures such as market dynamics or rapid technology changes.
> Limited ability to address risks introduced by external stakeholders, such as third-party vendors.
- Main value:
> Demonstrates the value of a holistic approach while emphasizing the importance of asset prioritization.
4.
KEY TAKEAWAYS
FINAL RECOMMENDATIONS
KEY TAKEAWAYS
Internal Preparedness is Essential: Facilities with clear cybersecurity policies and regular employee training are far less likely to experience cyber breaches.
External Pressures Add Complexity: Changes in technology and market demands increase risk, especially for organizations with weak internal systems.
Focus on Critical Assets: IT systems and financial data are the most vulnerable. Protecting these assets should be a top priority.
A Balanced Approach is Most Effective: Organizations that integrate strong internal systems with external awareness and adaptability achieve the best cybersecurity outcomes. Balancing both ensures resilience to a wide range of threats.
FINAL RECOMMENDATIONS
Take a Holistic Approach: The “Comprehensive Defender” underscores the importance of balancing internal and external factors for robust cybersecurity defense.
Adapt to External Pressures: The “Balanced Protector” and "Comprehensive Defender" demonstrate how external awareness can complement strong internal systems.
Focus on Asset Criticality: The “Balanced Protector” and "Comprehensive Defender" stress prioritizing critical assets to improve resilience.
Strengthen Internal Systems: The "Cybersecurity Champion" and “Well-Rounded Defender” highlight the critical need for internal preparedness, even when external pressures are less prominent.
SUMMARY
Finding that whether FM operations are vulnerable to breaches, the potential impact and how well the organization is prepared to respond is not limited to a single approach or factor, the analysis explores how multiple dimensions interact to heighten the risk of cybersecurity breaches. It focuses on how different combinations of internal preparedness (operational readiness, cybersecurity preparedness, financial strength), external pressures (technology turbulence, market dynamics) and perceived barriers (legal, organizational, knowledge-based) influence the likelihood of a cybersecurity breach.
FMs who evaluate the presence or absence of risk factors across the various configurations outlined in this report can determine where they and their organizations fall in terms of awareness and readiness. Enabled by insights based on expert analysis, FMs can better ascertain what measures and resources to prioritize when mapping an organization-specific plan for strengthening defenses against breaches and better ensure effective response to cyber threats.
DOWNLOAD THE FULL REPORT (scientific context provided)
Loading...
1 Dr. Erika Pärn, Ph.D — Senior Research Associate at University of Cambridge
2 Jeffrey Saunders, Chief Executive Officer at Nordic Foresight
3 Dr. Matt Tucker, Ph.D — Director of Research, IFMA
4 Joshi, Akshay. “These Sectors Are Top Targets for Cybercrime.” World Economic Forum. April 22, 2024; Updated Sept. 10, 2024. https://www.weforum.org/stories/2024/04/cybercrime-target-sectors-cybersecurity-news/
5 Kovacs, Eduard. “Cyberattack Cost Oil Giant Halliburton $35 Million.” Security Week. Nov. 11, 2024. https://www.securityweek.com/cyberattack-cost-oil-giant-halliburton-35-million/
6 IFMA. “The Convergence: FM’s Role in Securing Digitized Buildings.” 2023. https://ifma.foleon.com/white-paper/cybersecurity/
METHODOLOGY
This report provides an in-depth summary of key findings from research conducted on cybersecurity readiness in the facility management industry. It explains the results using a specialized analysis technique called “Fuzzy-Set Qualitative Comparative Analysis” (fsQCA), which helps uncover the different combinations of factors that influence cybersecurity readiness in facility management, making sense of patterns in smaller datasets and blending both qualitative and quantitative insights.
Between April and July 2023, a survey was sent to 15,022 IFMA members who actively manage facilities – excluding consultants, students, academics and other FM-affiliated but nonpracticing members – which provided an ideal sampling of informed professionals covering many organization types and industries. The final questionnaire was converted to an electronic format using the Qualtrics online survey platform for ease of distribution and response recording.
The survey garnered 372 responses, which were filtered to include only those cases in which a cybersecurity breach occurred. Incomplete responses and responses in which professionals stated they had not experienced any breaches or were unaware if breaches had taken place were excluded. After this screening, 200 complete, valid responses involving cybersecurity incidents were carried forward for analysis. Focusing specifically on breach scenarios provided the targeted insight needed to uncover configurations leading to vulnerabilities.
Analysis was completed via collaboration among researchers and subject matter experts from the University of Cambridge, DNV, RAND and IFMA, with input from IFMA’s Executive Summit and Building Cyber Security.
DIMENSIONS LEADING TO CYBER INCIDENTS (INTERNAL/EXTERNAL FACTORS)
KDIG: Knowledge of cybersecurity within the FM organization; may include factors such as training, education and awareness programs.
TCYBERSEC: Perceived risk/threat levels; considers how well the organization recognizes and comprehends the nature and severity of cyber threats.
[this didn’t appear to have a designation]: Preparedness for cyber incidents; includes measures such as cybersecurity policies and procedures, incident response plans, business continuity management, and regular audits and assessments.
BAR: Barriers to effective cybersecurity; obstacles and challenges that hinder effective cybersecurity implementation, such as budget constraints, resource limitations, organizational culture and regulatory compliance issues.
CRT: Criticality of assets; assesses the understanding of the potential impact a breach could have on the organization's operations, reputation and financial stability.
TECHTURB: Impact of technology turbulence; considers how well the organization adapts to new technologies and incorporates cybersecurity measures in the face of rapidly evolving threats.
MARKDYN: Impact of market dynamism; examines how market conditions influence the organization's approach to cybersecurity, including allocating resources and prioritizing security measures.
About International Facility Management Association (IFMA) IFMA supports over 25,000 members in over 140 countries. Since 1980, IFMA has worked to advance the FM profession through education, events, credentialing, research, networking and knowledge-sharing.