Cybersecurity Risks in Smart Buildings

February 16, 2026 | By: CRE Insight Journal

What Property Managers Are Responsible For

Property managers have always been accountable for keeping buildings running and occupants safe. In buildings with smart systems, that responsibility now includes technology most property teams were never trained to manage. The same connections that allow teams to monitor HVAC remotely, control access from anywhere, and track energy use in real time can also give attackers an entry point. Teams need to understand where weaknesses exist and how to address them.

The smart building market reached about $126.6 billion in 2024, according to Help Net Security, and roughly 87% of industry leaders say they plan to continue investing in smart building technology. As adoption increases, so does exposure. More than 1.2 billion connected IoT devices are now installed in commercial properties worldwide, and about 44% lack strong security protections. In one recent 12-month period, cyber incidents affected more than 11,000 smart commercial buildings and disrupted systems in more than 3,200 office properties.

What Is Actually at Risk

These risks are not theoretical. In 2024, Omni Hotels & Resorts experienced a cyberattack that shut down reservation systems, room key cards, and payment processing. In 2021, attackers gained control of a commercial real estate firm’s cloud-based building management system, took over HVAC controls, and demanded Bitcoin to restore operations. That same year, attackers remotely altered chemical levels at a water treatment facility after exploiting a control system vulnerability.

Commercial office buildings face similar exposure. Cybersecurity analysis from CBRE Group shows common weak points in Wi-Fi networks, wireless devices, access control systems, HVAC controls, electrical infrastructure, elevators, fire systems, and property management platforms. Because these systems are connected, a breach rarely stays isolated. A compromised HVAC controller can lead to access to tenant data, door systems, or camera feeds.

Operational issues can also signal cyber problems. A door that stops responding, a thermostat that resets without input, or an elevator going offline may indicate network intrusion rather than mechanical failure. Help Net Security has noted that many of these incidents get routed to maintenance instead of security teams, which delays detection and documentation.

Where the Vulnerabilities Come From

Many building management systems still rely on older protocols like BACnet and Modbus, which were not built with cybersecurity in mind. They often lack encryption and authentication, meaning anyone who reaches the network can interact with system controls. Research from Claroty found that 75% of organizations operate building management devices with known vulnerabilities already being exploited.

Default passwords, hardcoded credentials, and single-factor authentication are still common. Attackers can find exposed building systems using tools like Shodan, which indexes connected devices by type and location. Remote vendor access increases risk, especially when connections lack multi-factor authentication or monitoring.

Researchers from Nozomi Networks identified multiple vulnerabilities in systems built on technology from Tridium. In many cases, property teams were unaware these systems were even connected because there was no documented network inventory.

Industry leaders are also highlighting the shift. According to experts at RSM US, cybersecurity in real estate used to focus on traditional IT. The expansion of IoT into building operations now requires a completely different security approach. Many teams simply do not have full visibility into what is connected to their networks.

What Property Managers Are Responsible For

Legal standards around smart building cybersecurity are still evolving, but operational responsibility is clearer. Property managers sit between building systems, tenants, and technology vendors. CBRE Group has found that unstructured cybersecurity programs almost always lead to incidents, especially when teams do not understand protection levels across individual systems.

At a minimum, property teams should maintain a complete inventory of connected devices and systems. You cannot secure what you cannot see. Network segmentation—separating IoT devices from tenant networks and core building systems—helps limit how far an attack can spread. Default credentials should be replaced during installation and reviewed regularly. Vendors with remote access should use multi-factor authentication, and all access should be logged.
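The baseline above can be checked mechanically once an inventory exists. The following is an added example, not part of the original article: it compares a device inventory against addresses seen on the network and flags each gap in the four controls. The address ranges, device names, and field names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed network plan (assumption for this example, not from the article).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/16"),
    "tenant": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed inventory of building IoT devices; field names are hypothetical.
Device = namedtuple(
    "Device", "name ip creds_changed vendor_remote vendor_mfa access_logged")
INVENTORY = [
    Device("hvac-ctrl-01", "10.20.1.10", True, True, True, True),
    Device("door-ctrl-03", "10.30.4.22", False, False, False, True),
    Device("elev-gw-01", "10.20.2.5", True, True, False, False),
]

# Constructed list of addresses seen on the network (e.g. a DHCP or switch export).
OBSERVED_IPS = ["10.20.1.10", "10.30.4.22", "10.20.2.5", "10.20.9.77"]


def segment_of(ip):
    """Return the name of the planned segment containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def audit(inventory, observed_ips):
    """Return (subject, issue) pairs for every gap in the baseline controls."""
    known = {d.ip for d in inventory}
    # Anything on the wire that nobody documented is the first finding.
    findings = [(ip, "not in inventory") for ip in observed_ips if ip not in known]
    for d in inventory:
        if segment_of(d.ip) != "iot":
            findings.append((d.name, "IoT device outside IoT segment"))
        if not d.creds_changed:
            findings.append((d.name, "default credentials still set"))
        if d.vendor_remote and not d.vendor_mfa:
            findings.append((d.name, "vendor remote access without MFA"))
        if not d.access_logged:
            findings.append((d.name, "access not logged"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(INVENTORY, OBSERVED_IPS):
        print(f"{subject}: {issue}")
```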

Regulatory pressure is also increasing. In the U.S., the cybersecurity framework from the National Institute of Standards and Technology is becoming more common across commercial real estate operations. Global portfolios must also consider international data privacy rules and state-level privacy laws. Properties working with federal or defense tenants may face additional cybersecurity certification requirements.

Property managers do not need to become cybersecurity experts, but they do need reliable partners. Buildings without internal expertise should work with vendors and integrators who treat cybersecurity as a baseline service, including patch management, firmware updates, and documented risk assessments.

If a building system behaves unexpectedly, the event should be documented and investigated—not just treated as a routine maintenance issue. In the moment, a system glitch and a cyber incident can look identical. Documentation is often what reveals the difference later.
