In the article “Smart buildings: What 'smart' really means”, Lecomte (2019) states that having certification with standardized metrics is fundamental for smart buildings to wholly emerge in the 'built environment'. Lecomte mentions that the lack of unanimity among various stakeholders has delayed the drafting of standardized rubrics. Hence, private and public sectors design their own metrics to assess smart buildings, but their rubrics vary from one another. However, current private and public metrics have been unsuccessful in tackling the complicated and expanding role that buildings will play in “smart cities”. Lecomte emphasises that one crucial component to be included in the standardized rubrics would be cyber risk management, as cyber threats “increase exponentially” along with more advanced and integrated technology in smart buildings. Lecomte concludes that holistic and reliable “smart building certifications and rubrics” will be the foundation of a “functioning market for smart real estate”.

Although Lecomte has discussed the importance of incorporating cyber risk management in the rubrics, he fails to mention how cyber-attacks can affect operations, why companies keep quiet and how to improve cyber risk management through a case study.

While more smart buildings are popping up all around the world, few people know how building operations can be affected as the number of smart buildings increases. Lecomte cited Target's loss of 40 million debit and credit card records as a prime example of a cyber-attack but failed to elaborate on how Target’s daily operations could be affected. Customers could be less willing to spend at Target for fear of their card records being stolen. Equipping smart buildings with the proper security systems would help to minimise and even eliminate potential cyber risks. Related to customers' hesitation to spend at Target is the idea that businesses can also be disrupted on the management side. Chan (2019) stated that “responders rank cyber as the business interruption trigger they fear most”, as cyberattacks can result “in a disruption of operations and services costing hundreds of millions of dollars”. Cyber-attacks are a growing concern to many companies as they may affect their day-to-day operations. Marek Stanislawski, deputy global head of cyber, AGCS, said, “Cyber risk has been a major risk for a number of years but as with any new risk it has struggled with awareness”. Although cyber risk has been a major concern, few companies considered it a major business interruption that can cause them major financial losses.

Cyber-attacks are causing damage to companies around the world, but only a small number of companies have come forward and disclosed the attacks. Lecomte listed Target as an example, quoting: “ANREV reminds us that in 2013, hackers gained access to up to 40 million debit and credit card records”. It was another source that disclosed that Target’s security had been breached, which could further tarnish Target’s public image and cause consumers to lose trust in it. Javers (2013) stated that most companies do not want to reveal the extent of the damage due to “possibly scaring off potential or existing customers, damaging their stock value, or incurring potential legal liabilities.” Disclosing the fact that the security system was breached is bad publicity, which can negatively impact the company in many ways. Revealing it will help other companies to look at their cybersecurity systems and identify whether there are any loopholes. According to Newcomer (2017), Uber concealed for more than a year the fact that its consumer data had been stolen. This may give Uber’s customers the perception that the company lacks integrity, causing it to lose customers. “A patchwork of state and federal laws require companies to alert people and government agencies when sensitive data breaches occur”, but Uber failed to do so on many occasions, such as in 2014, when it failed to disclose an earlier data breach, for which it was fined $20,000. Even with laws in place to make companies report breaches, companies still bypass the law as the disadvantages of reporting outweigh the advantages.

Although Lecomte’s article discussed many aspects of cyber risk management, he failed to give a case study. There should have been a case study about the cyber breach to explain how the security system was breached and identify how to mitigate it. Based on the original article, Target's data was “stolen from the company’s heat ventilation and air-conditioning operator”. It shows how easily data can be stolen if the system is missing the appropriate security. In the article “SingHealth data breach probe reveals ‘blanket’ of basic failings”, SingHealth identified the problems it had in its cybersecurity. Although SingHealth failed to stop the breach, its transparency about the breach will regain patients’ trust. There was also a public report “detailing the attacker’s identity and methods”, which could assist other companies to further enhance their security systems. Knowing how the breach occurred can help other companies to enhance their existing systems. The report gave a “blow-by-blow account” of how SingHealth leaked the data of 1.5 million patients. A fully detailed report on how SingHealth was breached could help other companies to identify whether there are any gaps in their existing systems. The article also described the aftermath of the cyber breach and what steps SingHealth has taken to resolve the issues identified. Having proper business recovery plans in place could help safeguard the company's reputation and develop confidence within the business.

To conclude, Lecomte briefly touched on the need to include cyber risk management as a key area of focus in a standardised rubric. Nevertheless, he did not elaborate on how cyber-attacks can affect operations or the reasons why companies do not speak up about experiencing a cyber-attack. Furthermore, he mentioned that “such threats should be clearly identified, assessed and known” but failed to mention that this can be done through case studies. With the increasing number of smart buildings, there is a real need to look at cyber risk management. Smart buildings are the way to the future; stakeholders in the facilities management industry, such as engineers, contractors and developers, must look at cyber risk management.

Chan, D. (2019, February 5). Business interruption resurfaces as top business risk in Singapore. Retrieved October 2019, from The Business Times: https://www.businesstimes.com.sg/companies-markets/business-interruption-resurfaces-as-top-business-risk-in-singapore

Lecomte, P. (2019, January 29). Smart buildings: What 'smart' really means. Retrieved September 2019, from The Business Times: https://www.businesstimes.com.sg/opinion/smart-buildings-what-smart-really-means

Newcomer, E. (2017, November 22). Uber paid hackers to delete stolen data on 57 million people. Retrieved October 2019, from Bloomberg: https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data

SingHealth data breach probe reveals 'blanket' of basic failings. (2019, January 10). Retrieved October 2019, from The Business Times: https://www.businesstimes.com.sg/government-economy/singhealth-data-breach-probe-reveals-blanket-of-basic-failings

Javers, E. (2013, February 25). Cyberattacks: Why companies keep quiet. Retrieved October 2019, from CNBC: https://www.cnbc.com/id/100491610