
Why UK SMEs Must Wake Up to Smart Building Cyber Threats Before It’s Too Late

Gibraltar: Wednesday 09 July 2025 at 10:00 CET

By: Iain Fraser, Cybersecurity Journalist
Published in Collaboration with: Nord VPN
SMECyberInsights.co.uk – First for SME Cybersecurity

A critical new warning has emerged for UK SMEs operating from smart buildings: cyber attacks on building systems have surged by 69% in just one year, with devastating implications for businesses that continue to trade with Europe.

The Royal Institution of Chartered Surveyors (RICS) has issued an urgent alert to UK businesses following alarming findings that more than a quarter (27%) of respondents said their building had experienced a cyber attack in the last 12 months. This represents a sharp increase from 16% the previous year, demonstrating an accelerating threat landscape that SMEs can no longer afford to ignore.

The Hidden Vulnerability in Your Building

In a new report published this week, RICS highlighted how the convergence of operational technology (OT) and IT systems in smart buildings has created a vastly expanded attack surface. The integration of building management systems (BMS), HVAC, access controls, and IoT sensors with corporate IT networks presents unprecedented risks for SMEs.

The report reveals a shocking reality: commercial buildings opened as recently as 2013 could still be running on unsupported operating systems like Windows 7 for critical functions, leaving them vulnerable to known exploits. For SMEs, this represents a ticking time bomb that could devastate operations overnight.

Why This Matters More for European Trading SMEs

UK SMEs that continue to trade with Europe face compound risks that make smart building cyber threats particularly dangerous:

1. GDPR Compliance Exposure: When smart building systems are breached, customer and employee data processed within those buildings becomes vulnerable. SMEs trading with Europe must maintain GDPR compliance, and a smart building breach could trigger notification requirements within 72 hours, potentially resulting in fines of up to 4% of annual turnover.

2. Supply Chain Disruption: Smart building attacks can disrupt physical operations, affecting delivery schedules and contractual obligations to European partners. This is particularly critical for SMEs operating on thin margins where delays can cascade into contract penalties.

3. Trust and Reputation Risk: European businesses are increasingly scrutinising their UK suppliers’ cybersecurity posture. A smart building breach can undermine confidence in an SME’s overall security capabilities, potentially leading to contract terminations or exclusion from future opportunities.

The Real-World Impact on SME Operations

The consequences extend far beyond immediate operational disruption. RICS analysis reveals three critical business implications that SMEs must understand:

Insurance Policy Invalidation: Insurance policies increasingly feature cyber attack exclusions, meaning SMEs could face complete financial exposure when smart building systems are compromised.

Reputational Damage: The interconnected nature of smart buildings means a security breach can affect not just the SME but other tenants and partners, amplifying reputational damage.

Property Value Impact: The concept of ‘digital discount’ is emerging, where properties with poor digital hygiene are valued lower, affecting SMEs that own their premises.

Current Threat Landscape: The Numbers Don’t Lie

Recent research reveals 51% of BMS systems were reported as being insecurely connected to the internet. Furthermore, 75% of organisations studied had BMS devices affected by known exploited vulnerabilities (KEVs), and 69% had BMS devices with critical KEVs implicated in previous ransomware attacks.

Over a third of SMEs (35%) are primarily worried about AI-related threats, but smart building vulnerabilities represent a more immediate and tangible risk that requires urgent attention.

Essential Protection Strategies for SMEs

1. Immediate Assessment: SMEs must conduct comprehensive audits of their building systems, identifying all connected devices and their security status. This includes HVAC systems, access controls, lighting, and security cameras.

2. Network Segmentation: Implement robust network segmentation to isolate building systems from corporate IT networks. This prevents lateral movement by attackers and limits the scope of potential breaches.

3. GDPR Compliance Integration: Ensure that smart building data processing activities are documented and compliant with GDPR requirements, particularly regarding data subject rights and breach notification procedures.

4. Regular Security Updates: Establish procedures for regular security updates and patches for all building systems, moving away from legacy operating systems wherever possible.

5. Incident Response Planning: Develop specific incident response procedures for smart building breaches, including GDPR notification requirements and business continuity measures.
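
As a starting point for the assessment, segmentation and update steps above, the following added example (not taken from the RICS report or from this article's author) audits a device inventory for building systems that sit on the corporate network, run an unsupported operating system, or are reachable from the internet. The subnets, device names and inventory fields are hypothetical assumptions, and the inventory is constructed sample data.

```python
import ipaddress

# Assumed network plan (hypothetical values for this example)
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")
BUILDING_NET = ipaddress.ip_network("10.50.0.0/24")
BUILDING_TYPES = {"bms", "hvac", "access-control", "lighting", "cctv"}
UNSUPPORTED_OS = {"windows 7", "windows xp"}  # vendor support has ended

# Constructed sample inventory, not real data
INVENTORY = [
    {"name": "bms-head-end", "type": "bms", "ip": "10.50.0.10",
     "os": "Windows 7", "internet_facing": False},
    {"name": "hvac-ctrl-2", "type": "hvac", "ip": "10.10.4.23",
     "os": "Embedded Linux", "internet_facing": False},
    {"name": "door-ctrl-1", "type": "access-control", "ip": "10.50.0.31",
     "os": "Embedded Linux", "internet_facing": True},
    {"name": "cctv-nvr", "type": "cctv", "ip": "10.50.0.40",
     "os": "Embedded Linux", "internet_facing": False},
    {"name": "finance-laptop", "type": "workstation", "ip": "10.10.2.15",
     "os": "Windows 11", "internet_facing": False},
]

def audit_device(device):
    """Return a list of findings for one inventory record."""
    if device["type"] not in BUILDING_TYPES:
        return []  # only building systems are in scope here
    findings = []
    addr = ipaddress.ip_address(device["ip"])
    if addr in CORPORATE_NET:
        findings.append("not-segmented")      # shares a network with corporate IT
    elif addr not in BUILDING_NET:
        findings.append("unknown-network")    # outside every documented subnet
    if device["os"].lower() in UNSUPPORTED_OS:
        findings.append("unsupported-os")
    if device["internet_facing"]:
        findings.append("internet-exposed")
    return findings

def audit_inventory(inventory):
    """Map device name -> findings, omitting devices with no findings."""
    report = {d["name"]: audit_device(d) for d in inventory}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```
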

The European Trading Imperative

For SMEs maintaining European business relationships, addressing smart building cyber threats is not just about operational security—it’s about maintaining competitive advantage and regulatory compliance. European partners increasingly expect robust cybersecurity measures, and smart building vulnerabilities represent a significant weakness that could jeopardise valuable relationships.

The convergence of physical and digital security in smart buildings demands immediate attention from UK SMEs. With cyber attacks on building systems increasing by 69% year-on-year, the time for action is now. SMEs that fail to address these vulnerabilities risk not only immediate operational disruption but also long-term damage to their European trading relationships and GDPR compliance status.

Key Takeaways for UK SMEs

* 27% of buildings experienced cyber attacks in 2024, up from 16% in 2023
* 75% of building management systems have known vulnerabilities
* GDPR compliance risks are amplified by smart building breaches
* European trading relationships depend on demonstrable cybersecurity measures
* Immediate action is required to prevent operational and reputational damage

The question is not whether your smart building will be targeted, but whether you’ll be prepared.
