Stef Garczynski, associate director of cyber & information security at Buro Happold, says it is vital to protect your building from cyber attacks.

The trend of smart buildings is surging globally. But as we become more reliant on digital infrastructure, our vulnerability to cyber threats is also rising rapidly. Businesses and buildings without the proper infrastructure in place are losing ground as cybercriminals become more advanced. In April this year, retail giant Marks & Spencer experienced a major attack that forced it to pause website orders for nearly seven weeks, an incident expected to cost up to £300 million in operating profits. Shortly after, Co-op unwillingly surrendered the names and email addresses of over 6.5 million members to hackers, which saw the retailer’s value drop by half a billion pounds.

And the risks range from retail operations to critical infrastructure. The death of a patient has been linked to the cyberattack on King’s College Hospital NHS Foundation Trust, where a data theft caused more than 1,100 planned operations and 2,100 outpatient appointments to be postponed.

A recent report by the Royal Institution of Chartered Surveyors (RICS) revealed that more than one in four (27%) UK businesses said their building had suffered a cyberattack in the last year, up from 16% in 2024. Building management systems, CCTV networks, Internet of Things (IoT) devices and access control systems were all cited as key points of vulnerability.

The report has uncovered an uncomfortable truth: our data is only as secure as the buildings we operate in. Smart technology is increasingly implemented throughout building systems, in automated lighting, security cameras, fire alarms, optimised temperature control and even in identifying vacant seating or parking spaces.

Whilst once considered a “nice-to-have” bolt-on, cybersecurity must now be seen as a cornerstone of our buildings, incorporated from the initial design phases in a strategic process we refer to as Cyber Informed Engineering.

What is cyber informed engineering?

Designing for cybersecurity involves a range of processes that must be identified from the beginning and remain consistent throughout the duration of the project. The core principles include assessing the risks at hand, implementing protective design techniques and ensuring compliance with any existing or anticipated regulations.

Assessing cyber risk in advance is critical, enabling developers to pre-empt vulnerabilities and construct secure buildings without compromising aesthetics. Take an office building, for example: the growing complexity of hardware and software introduces a wide array of digital risks, with employee readiness often lagging. Employees are the natural entry point to a business, and the threat frequently lies in something as familiar as a laptop. Over 80% of successful ransomware attacks now originate from unmanaged devices like personal laptops and smartphones. More than two-thirds of organisations have experienced endpoint attacks that compromised sensitive data or infrastructure, and 71% of employees admit to storing work passwords on personal phones. These endpoints are not only vulnerable but often overlooked; 50% of professionals rank laptops as their most exposed asset. By assessing these risks early, developers and, later, the companies occupying these spaces can implement advanced security features and invest in ongoing protection that addresses both infrastructure and human behaviour.

Improving security system architecture involves adapting and updating networks to be resilient against threats. The RICS report warned that businesses that have occupied the same office space for a decade or longer could conceivably be using Windows 7 operating systems without any of the latest security updates from Microsoft for several years. Ensuring up-to-date internal software is critical. But there’s more that can be done from a design perspective to bolster security.

Incorporating alarmed fences and gated entrances, backed by a strong security management system, is perhaps the most recognised form of secure construction. However, we’re at a stage now where we need to reinforce physical barriers with layers of cyber and digital protection, to counteract advanced cyber threats.

The third element of Cyber Informed Engineering is ensuring compliance with regulations. Cybersecurity objectives need to align with local and national regulators to ensure enough investment is channelled into reinforcing interconnected systems. However, in the UK, national regulations are not keeping pace with the complexity of cyberattacks.

National governments stand to learn from local authorities

Whilst national legislation lags, local governments increasingly view cybersecurity as a critical health and safety requirement, and a non-negotiable for buildings. Local authorities are not just maintaining operations; they're safeguarding the digital infrastructure of our cities.

We can see this gradual shift on both a larger and smaller scale, with the Greater London Authority (GLA) seeking to encourage London boroughs to increase their resilience to cyber threats. In 2022, it published its Cyber Security Framework, followed in 2023 by updates to its Smart London Plan, supporting the increase of safe but smart infrastructure. Taking a more localised approach, the London Borough of Hackney encourages new developments to secure BMS and IoT from initial design phases, following a cyberattack in 2020 which cost the council £12 million, affecting at least 280,000 residents and other individuals.

Communities elsewhere are following suit, with the Greater Manchester Combined Authority publishing a Cyber Strategy for 2023-2028, which recognised the role of Security in ‘Cyber Places.’ They developed a framework implementing specific capabilities for critical systems across transport, health and care, embedding particular requirements such as ethics and trust into the design phase. By recognising the importance of tangible cyber resilience, these initiatives can equip cities and communities with the tools to resist cyber threats and better protect businesses and citizens.

Cyber-resilient buildings will make for strong businesses

The smart cities market is projected to grow to £2.34 trillion by 2030, underscoring our growing dependence on increasingly vulnerable digital systems. Our retailers, office buildings and even hospitals are now networks of sensors and smart access controls. Without the proper infrastructure in place, we’re exposing ourselves to significant economic, privacy and reputational risks.

Whilst national legislation lags on cybersecurity, leaving it as an afterthought in construction planning, local governments are setting bold standards to secure the built environment. Integrating a consistent strategy of Cyber Informed Engineering in urban design will mitigate the threat against businesses, reduce future costs and increase resilience throughout the growing smart buildings industry. We need to see this as a short-term investment for long-term safety.