The way we work has changed. Hybrid and remote models are no longer temporary responses to a crisis—they’re a permanent part of the workplace landscape. This shift has transformed not just company operations, but how commercial properties are managed. Security is no longer just about door locks and surveillance cameras. It’s about networks, data, and the many devices that now interact with a building’s systems.

Before remote work took off, it was easy to assume a building’s digital presence stopped at the management office or maybe a shared Wi-Fi connection. That’s no longer true. With employees working from home, logging in from coworking spaces, or switching between personal and work devices, the boundaries around digital security have blurred. What we’re left with is a patchwork of access points—and each one can be a potential vulnerability.

Property teams are discovering that cybersecurity isn’t just an IT issue anymore. The systems they manage, the vendors they bring on, and the protocols they follow all contribute to the digital safety of their tenants and the building itself.

A New Kind of Risk

When organizations transitioned to remote work during the early days of the pandemic, cracks in digital infrastructure became painfully clear. Personal laptops—often unprotected and outdated—were used to access sensitive platforms. Home routers, many still using default passwords, became easy targets for attackers. At the same time, many buildings were still online, with building management systems (BMS) like HVAC and access control connected to the internet but receiving little oversight.

The result was a significant increase in cyberattacks. According to a 2021 report from the FBI’s Internet Crime Complaint Center, cybercrime complaints rose by 69% in just one year. Phishing, ransomware, and business email compromise were among the most reported threats. And it wasn’t just Fortune 500 companies that were hit. Small businesses, third-party vendors, and property managers were affected too.

Smart buildings, while offering tremendous operational efficiencies, added even more complexity. Many rely on interconnected systems that can be accessed remotely for maintenance or performance monitoring. But if a bad actor gains access to one system—say, lighting—they may be able to move into more critical areas, like building access or tenant networks. A 2022 IBM X-Force Threat Intelligence report found that building automation systems are increasingly being targeted as entry points in larger attacks.

The Building as a Digital Gateway

Commercial properties are now filled with connected devices. Smart elevators, occupancy sensors, cloud-based access systems, and even digital signage are all part of the modern office. Each new connection adds convenience, but it also increases the building’s digital attack surface.

One of the primary concerns is how these systems interact. If all are connected to the same internal network without segmentation, a breach in one device can potentially allow a hacker to move laterally to others. In 2017, for example, hackers accessed a casino’s network through a smart thermostat in a fish tank, then moved deeper into the system to extract data—a widely cited case that shows how unexpected these vulnerabilities can be.

To reduce risk, many property teams are now partnering with IT firms and cybersecurity consultants. These professionals help audit systems, isolate high-risk areas, and implement best practices such as multi-factor authentication, network segmentation, and real-time monitoring tools. Some properties are even requiring that new building systems have cybersecurity baked in from the start.

Helping Tenants Stay Secure

Today’s tenants are thinking about more than square footage and amenities. Many are evaluating cybersecurity as part of their leasing decisions. In a 2023 survey by Deloitte, 63% of corporate tenants said data security was a factor in selecting office space.

Even if tenants don’t bring it up directly, there’s value in addressing cybersecurity proactively. Providing a simple one-pager with best practices—such as recognizing phishing emails, using strong passwords, and enabling multi-factor authentication—can help prevent incidents. So can offering occasional workshops, short lunch-and-learns, or updates on emerging threats through tenant newsletters.

Some property managers also share information about the building’s cybersecurity protocols, like vendor vetting practices or secure Wi-Fi policies. These small steps build trust and show tenants that their safety—both physical and digital—is a priority.

Vendor Access

Vendors often have remote access to building systems. Whether it’s to troubleshoot HVAC controls, apply software patches, or check on elevator diagnostics, remote access has become routine. Unfortunately, it also creates potential entry points for cybercriminals.

In 2013, the infamous Target data breach occurred through a third-party HVAC vendor. Attackers gained access to Target’s network via the vendor’s login credentials, ultimately compromising payment information from over 40 million customers. The lesson still holds true today: vendor access is a significant risk if not managed properly.

To reduce exposure, property teams should maintain a current inventory of vendors with digital access, ensure those connections are protected with secure logins or VPNs, and review activity logs regularly. Contracts should clearly outline cybersecurity requirements, and remote access should be limited to specific windows or activities when possible.

The Human Element in Building Security

Technology plays a major role in modern security, but people are still the first—and often best—line of defense. Front desk staff, engineers, janitorial teams, and property managers are often the first to notice if something feels off: a door that shouldn’t be open, a badge that doesn’t scan right, or an unfamiliar person wandering the halls.

Training these staff members to recognize and report anomalies is an important part of a building’s overall risk mitigation strategy. In 2024, a facilities team in Denver stopped a potential breach when a cleaning supervisor noticed suspicious activity in a loading dock. The individual was posing as a delivery driver but failed to follow standard check-in procedures. Because the team had been trained on tailgating and access protocols, they reported the incident immediately. Security detained the intruder, who was later found to be attempting to access tenant data servers.

In buildings where security staff are not present 24/7, empowering all team members to be part of a “security-aware culture” can be especially impactful. Quick huddles, safety briefings, and visual reminders in staff areas help keep awareness high. When everyone understands their role, vulnerabilities shrink—and response time improves.

Designing for Digital Resilience

Cybersecurity isn’t just about reacting to threats—it’s also about designing systems that can contain them. From the architectural stage through operations, property teams are starting to think about “digital resilience” the same way they do physical durability.

This includes incorporating physical separation for critical systems, ensuring backup power sources for essential equipment, and designing redundancy into communication platforms. In 2023, a newly developed Class A building in Atlanta implemented network segmentation from day one, separating the building management system, tenant Wi-Fi, and public-facing amenities like digital signage. This structure not only made monitoring easier, but also prevented a malware infection from one smart kiosk from affecting any operational systems.

Resilience also means anticipating downtime. Battery backups, failover systems, and alternative communication plans—like handheld radios or analog backups—can keep operations running when digital tools are compromised. In a hybrid world, where buildings and their occupants rely on constant connectivity, resilience planning is as essential as cybersecurity software.

Planning for the Worst

Even the best cybersecurity defenses can fail. That’s why having an incident response plan is essential. If a breach does occur—whether it’s a ransomware attack or unauthorized access to a system—property teams need to act quickly and confidently.

At minimum, an incident response plan should include contact information for cybersecurity support, steps to isolate affected systems, and a clear chain of communication for internal and tenant notifications.

Simulations or tabletop exercises can help teams prepare. Practicing a breach scenario might seem unnecessary—until it isn’t. In a 2022 Ponemon Institute survey, only 43% of companies reported that their incident response plans were regularly tested. But those that did were able to contain breaches significantly faster.

Everyone Has a Role to Play

Cybersecurity isn’t just an IT issue anymore. Property managers, engineers, vendors, and tenants all have a part to play. That might mean incorporating cybersecurity into lease agreements, reviewing it during tenant onboarding, or making it part of vendor selection processes.

Staying informed is also crucial. Threats evolve rapidly, and staying one step ahead requires ongoing education. Industry associations like BOMA International and ASIS International offer updated cybersecurity guidelines tailored for commercial real estate. The National Institute of Standards and Technology (NIST) also provides a Cybersecurity Framework that many property teams use as a baseline.

No one expects property professionals to become cybersecurity experts. But being aware, asking the right questions, and partnering with experts can make a significant difference.

As hybrid and remote work continue to shape how buildings are used, cybersecurity will remain front and center. The choices made now will determine not just how safe a building is—but how confident tenants feel walking through its doors.

To stay up to date on news and resources such as this and other topics of importance to the real estate industry, subscribe to the free CRE Insight Journal Newsletter using this link.