Building stakeholders – owners, users and managers – should adopt a proactive and strategic approach to digital risk, integrating it into every aspect of building management.
Five steps to take

- Identify, understand and plan for digital risks
  - Understand the technology in the building: Identify the technologies that your building relies on.
  - Use data protection impact assessments (DPIA): Evaluate how data is collected, stored and protected within building systems. A DPIA is particularly valuable when the impact of new hardware, software or technology is being considered. Carrying out a DPIA before deployment can help to identify the risk to privacy. Guidance on how to do a DPIA is provided by the ICO.
  - Adopt systems thinking: Embrace a holistic view of digital risks, considering combined systems and both direct and indirect impacts on the building and its occupiers.
  - Understand compliance requirements: Stay informed about relevant laws, regulations and industry standards to ensure ongoing compliance.
  - Understand the risks facing your building: From all the above, you should create a risk register identifying the likely risks, outlining planned actions and articulating responsibility for each risk. It is important to assign ownership to each risk and ensure it is dealt with at the appropriate level within the business.
- Enhance infrastructure and implement robust security measures
  - Invest in building upgrades: Allocate capital to modernise and update viable buildings with the latest technology.
  - Consider strategic divestment: To minimise risk, sell or repurpose buildings where updating is not feasible.
  - Implement strong access controls: Use multi-factor authentication and role-based permissions to secure systems.
  - Maintain regular updates: Establish processes for systematic patch management and keep all devices and software up to date.
  - Continuous monitoring: Deploy real-time monitoring tools to detect and respond to threats promptly.
- Invest in employee training and awareness programmes
  - Provide cybersecurity training: Educate all relevant employees on best practices and emerging threats.
  - Implement awareness initiatives: Foster a culture of security awareness throughout the organisation.
  - Conduct an incident response exercise: Carry out a desk-based ‘What if?’ exercise and prepare staff to act effectively during a security breach through regular simulations.
- Integrate digital risk management with corporate governance
  - Align with corporate risk strategies: Ensure digital risk management is part of the overall corporate risk framework.
  - Report to leadership: Keep the board informed about digital risks and mitigation efforts for strategic oversight.
  - Encourage a security-first culture: Encourage all levels of the organisation to prioritise cybersecurity in their roles.
- Manage third-party risks and prepare for incidents
  - Establish supply chain security requirements: Set strict cybersecurity criteria for all third-party service providers.
  - Conduct regular assessments: Evaluate the security practices of suppliers and limit their access to critical systems.
  - Consider insurance: Review and obtain effective insurance coverage to mitigate the impacts from digital risks such as cyber-threats and data breaches.