RICS: UK businesses risk sleepwalking into cyber attacks unless immediate preventative action is taken

RICS Digital risks in buildings paper, June 2025

  • Latest RICS Facilities Management survey reveals more than one in four (27%) of respondents said their building had been the victim of a cyberattack in the last 12 months
  • 73% of more than 8,000 business leaders believe a cybersecurity incident will disrupt their business in the next 12–24 months
  • RICS identifies cybersecurity and digital risk as one of the biggest and fastest growing threats to owners and occupiers of buildings
  • Some buildings may be using dangerously outdated operating systems
  • RICS sets out series of critical action points for owners, users and managers of buildings, as well as Government and industry bodies, to mitigate risk and safeguard against the threat of rapidly evolving technologies

Owners, managers and occupiers of commercial buildings neglecting to take responsibility for digital security of their properties face increasingly prevalent and far-reaching consequences threatening the safety, resilience and sustainability of their assets and operations.

A new practice information paper published by the Royal Institution of Chartered Surveyors (RICS) highlights the rapidly increasing and diverse threat of digital risks to commercial properties worldwide.

With cybercriminals becoming more sophisticated and the range of potential cyber threats to buildings expanding, attacks on critical infrastructure and data breaches are becoming more common. Augmented by the rising capability of AI and the pace of change, the threat to cyber security is set to accelerate further.

In a startling illustration of the growing prevalence of digital risk, a survey undertaken by RICS of Facilities Managers, service providers and FM consultancies revealed that 27% of respondents said their building had been the victim of a cyber attack in the last 12 months. This represents a significant increase of 11% on the previous year, when 16% of respondents had experienced such an attack.

The paper identifies operational technology such as building management systems, CCTV networks, Internet of Things (IoT) devices and access control systems as risk areas. This covers everything from automated lighting and HVAC systems to advanced security protocols and energy management.

It also notes concerns that some buildings use outdated operating systems (OS). A building opened as recently as 2013 could conceivably use Windows 7, an OS that hasn’t received security updates from Microsoft in over five years.

Beyond the direct impact on the operation of a building and its occupiers (users), the paper examines additional considerations such as Insurance, Reputation, Building Value and AI.

Critically, the paper sets out three 5-point action plans for owners, managers and occupiers of buildings; professional industry bodies; and Governments to follow to mitigate risks and safeguard their properties against attacks (see notes to editors).

RICS Head of Property Practice, Paul Bagust, said:

“Buildings are no longer just bricks and mortar, they have evolved into smart, interconnected digital environments embracing increasingly sophisticated and ever-evolving technologies to enhance occupier experience.

“This has led to increasing data being collected and used to inform decision making; at the property manager, building user, occupier and owner levels. However, while these technologies bring many benefits, from efficiency gains and reduced negative impacts on the planet, they also create multiple risks and vulnerabilities which can be exploited by those looking to cause disruption.

“It is inconceivable to imagine a world where technology will not continue to pose a growing risk to a building’s operation, and it is equally impossible to consider that the management of digital risks will not be needed as an imperative measure to safeguard the future of a building and prevent systems from being compromised.

“I implore building professionals to read the paper and act now. Failure to identify these growing digital challenges and incorporate security countermeasures risks businesses sleepwalking into cyberattacks.”

 

ENDS

Notes to Editors

You may download a full version of the paper at this link.

About RICS

We are RICS. Everything we do is designed to effect positive change in the built and natural environments. Through our respected global standards, leading professional progression and our trusted data and insight, we promote and enforce the highest professional standards in the development and management of land, real estate, construction and infrastructure.

Our work with others provides a foundation for confident markets, pioneers better places to live and work and is a force for positive social impact.

Summary of recommendations for owners, users and managers; Governments; Professional industry bodies

Building stakeholders – owners, users and managers – should adopt a proactive and strategic approach to digital risk, integrating it into every aspect of building management.

Five steps to take

  1. Identify, understand and plan for digital risks
    • Understand the technology in the building: Identify the technologies that your building relies on.
    • Use data protection impact assessments (DPIA): Evaluate how data is collected, stored and protected within building systems. A DPIA is particularly valuable when the impact of new hardware, software or technology is being considered. Carrying out a DPIA before deployment can help to identify the risk to privacy. Guidance on how to do a DPIA is provided by the ICO.
    • Adopt systems thinking: Embrace a holistic view of digital risks, considering combined systems and both direct and indirect impacts on the building and its occupiers.
    • Understand compliance requirements: Stay informed about relevant laws, regulations and industry standards to ensure ongoing compliance.
    • Understand the risks facing your building: From all the above, you should create a risk register identifying the likely risks, outlining planned actions and articulating responsibility for each risk. It is important to assign ownership to each risk and ensure it is dealt with at the appropriate level within the business.
  2. Enhance infrastructure and implement robust security measures
    • Invest in building upgrades: Allocate capital to modernise and update viable buildings with the latest technology.
    • Consider strategic divestment: To minimise risk, sell or repurpose buildings where updating is not feasible.
    • Implement strong access controls: Use multi-factor authentication and role-based permissions to secure systems.
    • Maintain regular updates: Establish processes for systematic patch management and keep all devices and software up to date.
    • Continuous monitoring: Deploy real-time monitoring tools to detect and respond to threats promptly.
  3. Invest in employee training and awareness programs
    • Provide cybersecurity training: Educate all relevant employees on best practices and emerging threats.
    • Implement awareness initiatives: Foster a culture of security awareness throughout the organisation.
    • Conduct an incident response exercise: Carry out a desk-based ‘What if?’ exercise and prepare staff to act effectively during a security breach through regular simulations.
  4. Integrate digital risk management with corporate governance
    • Align with corporate risk strategies: Ensure digital risk management is part of the overall corporate risk framework.
    • Report to leadership: Keep the board informed about digital risks and mitigation efforts for strategic oversight.
    • Encourage a security-first culture: Encourage all levels of the organisation to prioritise cybersecurity in their roles.
  5. Manage third-party risks and prepare for incidents
    • Establish supply chain security requirements: Set strict cybersecurity criteria for all third-party service providers.
    • Conduct regular assessments: Evaluate the security practices of suppliers and limit their access to critical systems.
    • Consider insurance: Review and obtain effective insurance coverage to mitigate the impacts from digital risks such as cyber-threats and data breaches.

In such a large, but fragmented, sector, industry bodies have a vital role to play in ensuring that the digital risks in buildings are recognised and appropriately managed to ensure the safe and effective operation of all buildings.

Five steps to take

  1. Develop and promote cybersecurity standards and guidelines
    • Set clear standards: Establish industry-wide guidelines on the management of digital risks and potential pitfalls of inadequate measures.
    • Clarify implications to existing standards and laws: Clarify how responsibilities under existing laws, legislation and standards are evolving as the buildings evolve and become more ‘digital’. Even where standards themselves do not change, the way they are interpreted may, and industry bodies need to support the sector to understand and embrace this in a consistent way.
  2. Raise awareness and enhance skills
    • Support skills development: Offer training programmes and resources to build the necessary skills within the industry to manage and mitigate digital risks effectively.
    • Provide case studies: Share success stories and practical examples on repurposing existing buildings and implementing risk mitigation measures.
  3. Support accurate valuations and strategic decision-making
    • Ensure accurate valuations: Advocate for valuation practices that accurately reflect the changing nature of occupier demand influenced by digital risks and the potential impact of digital risks on income and intangible value.
    • Guide investors: Carry out research on the impact of digital risks on building value and valuation.
  4. Promote collaboration and knowledge exchange
    • Facilitate collaboration: Encourage collaboration among industry stakeholders to invest in research, explore innovative solutions and diagnose prevalent digital risks.
    • Disseminate information: Actively share findings, resources and tools that can help organisations within the industry enhance their cybersecurity stance.
    • Consider digital risks in existing content: Build the topic of digital risks into existing content such as conferences, workshops, journals and training, to ensure that professionals are aware of the digital risks in buildings and their responsibilities.
  5. Support the sector with non-built environment standards
    • Represent the sector with standard-setting bodies and legislators outside the built environment: There are a growing number of standards and laws regarding the use of data and technology that are not aimed at the built environment but are relevant for it. It is important for built environment industry bodies to engage with these new standard-setting bodies to represent the built environment’s perspective and use case.
    • Raise awareness and understanding: Make sure that companies in the built environment are aware of standards and legislation that impact them from outside the

Governments play a critical role in managing the digital risks associated with modern buildings, especially as they become a more obviously essential part of a nation’s critical infrastructure. As buildings become more connected and technology-driven, it is essential for governmental bodies to establish effective frameworks that safeguard assets, promote sustainability and provide regulatory certainty for all stakeholders involved.

Five steps to take

  1. Engage with the built environment
    • Proactively engage with the built environment: The built environment is such a substantial, but highly fragmented, sector that there is a temptation for governments to engage around point solutions or small silos. This needs to continue; but in the same way that the sector needs to implement system thinking, so too do governments need to adopt a holistic approach to the built environment.
  2. Provide long-term clarity
    • Ensure regulatory certainty: Release clear and consistent regulations well ahead of enforcement dates to give investors and industry stakeholders ample time to comply and adjust their strategies.
    • Encourage adoption: Encourage the repurposing and upgrading of existing buildings through tax incentives, especially when carried out in an environmentally sustainable manner.
  3. Mandate minimum cybersecurity standards for buildings
    • Set mandatory security requirements: Impose minimum standards for the management of digital risks within buildings.
    • Integrate cybersecurity into building regulations: Update building regulations to include digital safety provisions as part of standard compliance requirements.
  4. Enable data exchange
    • Facilitate data exchange: Address industry concerns about data sharing between landlords and tenants to promote transparency and efficiency and enable an improved approach to digital risks. A more robust approach to data sharing within management agreements should be encouraged.
  5. Enhance awareness and skills
    • Provide sector-specific guidance: Offer tailored guidance and resources to help unregulated industries adopt best practices in cybersecurity.
    • Enhance national skills: Build the skills needed to address digital risks into education and training, both in schools for future generations and in the workplace to upskill today’s workers.