Securing the smart office of the future

Clare Hopping

Friday 8 July 2016

More companies are opting to transform their offices into smart spaces, taking inspiration from smart home technologies. However, what impact does this have on a company’s security policy?

Smart technologies aren’t just reserved for the home anymore. Offices are increasingly signing up to the Internet of Things (IoT) with Gartner predicting there will be more than 1.7 billion connected devices used in smart cities by the end of this year.

But connecting the office comes with a security price. Earlier this year, security researchers managed to break into the offices of Sydney-based Wharf 7 via Google’s building management system (BMS).

Billy Rios, one of the researchers involved in the hack, explained there are 50,000 buildings currently connected to the internet to control heating and cooling, and security systems. What’s shocking, however, is that 2000 of these buildings don’t even have passwords set up to prevent hackers infiltrating them.

Aside from setting up strong passwords, how can organisations prevent cybercriminals breaking into their smart offices?

Setting privileges

Only those who absolutely need access should be able to control office systems, such as lighting, heating, access or other security systems. Giving access to the wrong people could mean your company can be physically as well as virtually attacked, putting lives in danger, not just data.


Once the privileges have been set, anyone who wants to access office systems should be using two-factor authentication to make significant changes. This ensures even if hackers are able to break through one layer of security, it’s unlikely they would be able to infiltrate through multiple layers of protection.

Implement network access controls

Using network access controls will restrict the ability of people outside the organisation to attack internal networks, such as a building management system (BMS). Any devices that do not meet the defined security policies will be unable to access the systems, so the security policies on company devices should be updated too.

Network segmentation

Systems to control the building should be using a different network to other systems in the company. Hackers are able to use corporate networks as a backdoor into the company’s BMS if they are too closely linked. Although running two networks concurrently may be more costly, it’s worth making the outlay to ensure both the building and your company’s data are protected.

Restrictions on administrator access

Where possible, all remote network access options should be disabled. There should always be someone on site who can control the BMS to prevent any hackers being able to break into the office, whether that’s a facilities manager or senior IT personnel who can take control where needed.

Security incident and event management (SIEM)

If someone unknown tries to access the BMS, it’s important for the activity to be flagged as soon as it happens. Implementing a SIEM system means the network is continuously monitored for suspicious activity and the necessary people are alerted to any strange goings-on before it’s too late.
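To show how the segmentation and monitoring advice above fit together, here is an added example (not from the original article) of the kind of rule a SIEM could run over BMS access logs. The subnets, host addresses, account names and log format are all assumptions made up for illustration.

```python
import ipaddress

# Assumed addressing plan and allow-lists (hypothetical values for illustration).
BMS_NET = ipaddress.ip_network("10.20.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
ADMIN_HOSTS = {ipaddress.ip_address("10.20.0.5")}   # on-site facilities console
KNOWN_USERS = {"facilities_mgr", "it_senior"}

# Constructed sample events in an assumed format: "time src dst user result"
SAMPLE_LOG = """\
2016-07-08T09:01:12Z 10.20.0.5 10.20.0.10 facilities_mgr ok
2016-07-08T09:14:40Z 10.10.3.77 10.20.0.10 facilities_mgr ok
2016-07-08T23:52:03Z 203.0.113.9 10.20.0.10 admin fail
2016-07-08T23:52:09Z 203.0.113.9 10.20.0.10 admin fail
2016-07-09T08:30:00Z 10.20.0.5 10.20.0.11 contractor ok
malformed line
"""

def classify(line):
    """Return (fields, reasons) for one log line; reasons is empty if it is expected."""
    parts = line.split()
    if len(parts) != 5:
        return None, ["unparseable"]
    ts, src, dst, user, result = parts
    try:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        return None, ["unparseable"]
    if dst_ip not in BMS_NET:
        return parts, []                      # not BMS traffic, out of scope
    reasons = []
    if src_ip in CORP_NET:
        reasons.append("corporate-to-BMS traffic (segmentation gap)")
    elif src_ip not in BMS_NET:
        reasons.append("remote access from outside the organisation")
    elif src_ip not in ADMIN_HOSTS:
        reasons.append("BMS host is not an approved admin console")
    if user not in KNOWN_USERS:
        reasons.append("unknown account")
    return parts, reasons

def alerts(log_text):
    """Yield (line_number, raw_line, reasons) for every line that needs attention."""
    for n, line in enumerate(log_text.splitlines(), 1):
        _, reasons = classify(line)
        if reasons:
            yield n, line, reasons

if __name__ == "__main__":
    for n, line, reasons in alerts(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)} :: {line}")
```

Unparseable lines are reported rather than skipped, so a change in log format cannot silently blind the rule.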

A company BMS used to control the many smart technologies in offices of the future should be protected, just like any network-based system in an organisation. In fact, more care and attention should be taken to ensure they are adequately secure because putting your employees’ lives in danger could be more risky than losing data.

