‘Organisations are sleepwalking into cyberattacks’

Posted on: 7 July, 2025

Marks & Spencer photo by Michael Taylor, licensed by Wikimedia Commons

By Marc Fleming
Senior Lecturer and Programme Leader, Architectural Design Technology

More than one in four UK businesses fell victim to a building-linked cyber-attack last year, according to a RICS report – proof that digitally enabled buildings and estates are now frontline infrastructure. Even a retail titan such as Marks & Spencer fell victim to a major cyberattack in April. In this opinion piece, University of the Built Environment senior lecturer Marc Fleming argues it is time to design cyber resilience into every brick, byte, and maintenance plan.

Smart buildings, real threats

As buildings become smarter, they increasingly behave like living systems. The concepts of the Internet of Things (IoT) and digital twinning involve sensing, responding, and adapting through the building’s digital infrastructure. With this comes a responsibility to design with cyber resilience in mind. The architecture of a building is no longer bricks and mortar alone; we also need to factor in its networks, systems, and data.

Legacy IT systems: The hidden weak spot

The Windows 7 discussion is a really interesting one… We must integrate digital lifecycle planning into the architectural process, ensuring that system updates and cybersecurity protocols evolve alongside physical maintenance schedules. Building Information Modelling (BIM) is a conduit for that, in that it curates information at the design and construction stages, but this information needs to be translated better for facilities management (FM) purposes. Often, there can be a disconnect between the design, construction, and operational stages, but cybersecurity and resilience protocols are among the many common threads running through all three.


Buildings under threat of cyberattack

Designing cyber resilience from day one

Any cyber breach related to a building can have direct physical consequences, not just digital system challenges. In a post-Grenfell world, all the endeavours made to learn lessons can be in vain because, realistically, a building’s fire suppression system can be hacked to make it inoperable, just as your PC can be hacked and you held to ransom. If you have seen the film ‘Die Hard 4.0’, this is a real (Hollywood drama granted – don’t judge my choice of movies!) insight into the potential threats to buildings and infrastructure that we face when cyber resilience is lacking.

Closing the FM–IT gap

Most organisations are sleepwalking into cyberattacks because they treat cybersecurity as an IT issue, not a built environment one. It is crucial that facilities managers and IT teams are included in design and construction processes, and collaborate in them, early and often. How often have we heard the term ‘early engagement’ used for a whole host of industry challenges?

Much like energy performance, cyber resilience should be measured, benchmarked, and improved over time. This is not a one-time fix but more of an evolving challenge that must be woven into procurement, specification, and post-occupancy evaluation. If we can embed sustainability into the design process, surely we can do the same for cybersecurity?
