This is Part Two of a two-part series on ways to enhance facility security. This blog focuses on improving IoT cybersecurity. For a concise overview of protocols and tools for maximizing physical building security, read Part One.

During the past decade, the Internet of Things (IoT) has proven to be a game changer in facilities management. But as with any technology, there are also downsides that must be addressed, especially regarding IoT cybersecurity.

The benefits of incorporating interconnected devices into operations are well known. The International Facility Management Association (IFMA) lists predictive maintenance, energy optimization, improved occupant experience, enhanced security, and streamlined asset management as the technology’s top five benefits.

But because these sensors, connected cameras, and automated systems help manage everything from access control to HVAC to lighting and elevators, a successful cyberattack can wreak havoc—disrupting operations, compromising sensitive data, and even risking physical safety.

Why Are IoT Devices Targeted by Hackers?

One reason cybercriminals are increasing their attacks on IoT devices is simply because there are so many of them, and their use is expanding. There are nearly 19 billion IoT devices in use today, and that number is expected to hit 40 billion by 2030.

But it’s not just their ubiquity that makes IoT devices such popular targets. Many of these devices have weak or no security, making them a preferred doorway into corporate building systems. IoT cybersecurity protocols in many facilities are too lax or outdated to effectively protect the many linked devices spread throughout the facility. For example, a recent assessment by Building Cyber Security, a nonprofit dedicated to securing the nation’s critical infrastructure, found that 80% of commercial real estate organizations have no network security at all, and only 5% meet reasonable security requirements.

A lax attitude to cybersecurity can come with a high cost. A Verizon Business survey found that 66% of respondents who suffered a cybersecurity attack deemed the resulting impact as “major.” Of these affected businesses, 59% suffered downtime, 56% lost data, and 29% faced regulatory penalties.

And it’s not just cameras and sensors that are being attacked. Internet-connected devices as ordinary as washing machines have been compromised. Even the smart TV in the boardroom can be a security threat.

Understanding IoT Cybersecurity Threats

Most companies have robust security systems in place to shield their computer networks and protect sensitive data. But this cyber-diligence doesn’t always extend to the devices that are part of the company’s buildings. A high percentage of the IoT devices in use today are susceptible to a wide range of cyberattacks due to weak authentication, outdated firmware, and insecure network configurations. Attackers target these devices not only for direct exploitation but also as entry points to broader networks.

7 Common Types of IoT Cyberattacks

There are several types of cyberattacks that can be employed against IoT devices. These are the most common:

  1. Botnet and DDoS Attacks – IoT devices such as routers and smart cameras are frequently hijacked and added to botnets, which are then used for large-scale distributed denial of service (DDoS) attacks.
  2. Exploitation of Default Credentials and Outdated Firmware – According to Fortinet’s 2025 Global Threat Landscape Report, attackers routinely exploit default passwords and unpatched vulnerabilities in routers and cameras. Around 20% of global exploitation attempts in 2025 targeted IoT devices.
  3. Man-in-the-Middle (MitM) and Eavesdropping Attacks – Attackers can intercept communications between IoT devices and servers, enabling them to monitor or alter transmitted data. These MitM attacks are particularly effective in poorly encrypted or insecure network environments.
  4. Brute-Force Password Attacks – Many IoT devices still rely on highly guessable credentials, and many never lock an account or slow down after repeated failed logins. Automated tools can try thousands of passwords in a short amount of time, and on a flat, unsegmented network a single device taken over this way becomes a foothold from which the attacker can reach the rest of the corporate network.
  5. Privilege Escalation and Remote Code Execution – Exploiting software vulnerabilities in IoT operating systems allows attackers to gain higher-level permissions or execute malicious code remotely. Once inside, they can manipulate firmware, reconfigure devices, or pivot laterally into enterprise networks.
  6. Physical Tampering and Data Theft – IoT devices deployed in public or industrial settings—such as lobbies, hallways, or kiosks—face risks of direct tampering. Attackers can physically access interfaces or ports to install malware or extract sensitive data.
  7. Ransomware and Supply Chain Attacks – According to cybersecurity firm DeepStrike, ransomware attacks targeting IoT and operational technology (OT) environments increased by 46% in 2025 over the previous year. Supply chain attacks reach devices through the vendor rather than through the building network: a tampered firmware image, a compromised update server, or a vendor's remote-management account can push malicious code to every device of that model at once.

Because IoT devices are becoming so common, and because most of them are only weakly secured, they are an appealing target for cybercriminals. Common vulnerabilities like poor authentication, misconfiguration, and lack of patching continue to drive a wide range of cyberattacks.

IoT Cybersecurity Threats to Commercial Buildings

Building control and management technologies used to operate in silos. But today’s smart buildings are integrated into multi-use, internet-based networks. A comprehensive building automation and control system (BACS) can include any number of interoperable IoT elements, including:

  • Building and energy management systems (BMS/EMS)
  • Lighting control systems
  • Security systems (such as CCTV) and automated access control systems
  • Vertical transportation systems, such as passenger/goods lifts and escalators
  • Automated parking systems
  • Wayfinding systems
  • IT infrastructure hardware and devices

A cyberattack can allow a threat actor to take control of a critical system and gain the ability to change settings, turn off components, or make equipment operate outside of normal parameters.

Even seemingly harmless devices pose risks, as a North American casino discovered when it installed an internet-enabled fish tank. The tank’s connectivity allowed facilities personnel to automate feedings and remotely adjust temperature and salinity. But that same connectivity let hackers use the tank as an opening to steal and transmit 10 gigabytes of data.

How to Improve IoT Cybersecurity

[Image: a fish tank in the hallway of an office building. Caption: Even a fish tank can be used to steal data, if it’s connected to a network.]

Updating and maintaining your IoT cybersecurity is an ongoing process. Recommendations from cybersecurity experts vary, but almost all include the following steps.

Update Building Software Systems

Your facility’s software systems should be regularly updated and patched. Start by taking an inventory of all your digital components: building management systems, surveillance systems, fire controls, and others. For each one, record the vendor, model, installed firmware or software version, and network address, so you can tell at a glance what is out of date. Make sure each system has the latest firmware or software installed, and set up a schedule to check for and install upgrades. If a system is so old that it no longer receives patches, it is time to replace it; until it can be replaced, isolate it from the rest of the network and allow it to talk only to the systems it needs.

Secure Your IoT Devices and Building Equipment

Every IoT device is a small computer that can be hacked if it is not secured. Even something as ordinary as a smart thermostat can be a doorway into your company’s network. The factory default settings and passwords of thousands of devices from dozens of manufacturers are printed in vendor manuals and collected in freely available lists, so an attacker does not need to guess them. For this reason, whenever an internet-enabled device is installed, part of the installation process should be to change every default password to a strong, unique one, including any service or maintenance accounts the device ships with, and to switch off services and ports the device does not need.
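The two steps above (an inventory that records firmware versions, and a check that no device is still on its factory password) can be automated against the inventory itself. The script below is an added example written for this article; it is not code from the original post or from PRIDE Industries. The inventory, the vendor release table, the default-credential list and the audit date are all constructed sample data (hypothetical vendors and models), standing in for an asset database and vendor advisories. It flags firmware behind the vendor's latest release, devices past end of support, and devices whose administrator login still matches a published default. Note the version-parsing step: comparing version strings as text would rank "2.4.1" above "2.10.0".

```python
"""Audit a building-device inventory for stale firmware and default credentials.

Added example (not code from the original post). INVENTORY, RELEASES,
DEFAULT_CREDS and AUDIT_DATE are constructed sample data; a real deployment
would pull them from an asset database and vendor advisories.
"""
from datetime import date
import re

# Constructed audit date, fixed so results are reproducible.
AUDIT_DATE = date(2025, 6, 1)

# Constructed sample inventory: one row per connected device.
INVENTORY = [
    {"id": "cam-lobby-01", "vendor": "AcmeCam", "model": "C200",
     "firmware": "2.4.1", "admin_user": "admin", "admin_pass": "admin"},
    {"id": "hvac-ctrl-03", "vendor": "ThermoCo", "model": "T10",
     "firmware": "1.9.0", "admin_user": "service", "admin_pass": "Xk9!vq2Lm#"},
    {"id": "badge-rdr-07", "vendor": "DoorSys", "model": "R5",
     "firmware": "3.1.0", "admin_user": "root", "admin_pass": "7hGq$pL0wz"},
    {"id": "light-pnl-02", "vendor": "LumeX", "model": "L1",
     "firmware": "0.8.2", "admin_user": "admin", "admin_pass": "S3cure!pw"},
]

# Constructed vendor release data: latest firmware and end-of-support date.
RELEASES = {
    ("AcmeCam", "C200"): {"latest": "2.10.0", "eol": date(2027, 1, 1)},
    ("ThermoCo", "T10"): {"latest": "1.9.0", "eol": date(2026, 6, 30)},
    ("DoorSys", "R5"): {"latest": "3.1.0", "eol": date(2028, 1, 1)},
    ("LumeX", "L1"): {"latest": "0.8.2", "eol": date(2023, 12, 31)},  # past EOL
}

# Constructed list of factory-default (user, password) pairs per vendor/model.
DEFAULT_CREDS = {
    ("AcmeCam", "C200"): {("admin", "admin"), ("admin", "12345")},
    ("ThermoCo", "T10"): {("service", "service")},
    ("DoorSys", "R5"): {("root", "root")},
    ("LumeX", "L1"): {("admin", "admin")},
}


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically.

    Comparing the raw strings would wrongly rank '2.4.1' above '2.10.0'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def audit_device(device, today):
    """Return the list of finding codes for one device (empty list = clean)."""
    findings = []
    key = (device["vendor"], device["model"])
    release = RELEASES.get(key)
    if release is None:
        findings.append("UNKNOWN_MODEL")  # cannot assess patch status at all
    else:
        if parse_version(device["firmware"]) < parse_version(release["latest"]):
            findings.append("OUTDATED_FIRMWARE")
        if today > release["eol"]:
            findings.append("END_OF_SUPPORT")  # no patches coming: replace or isolate
    creds = (device["admin_user"], device["admin_pass"])
    if creds in DEFAULT_CREDS.get(key, set()):
        findings.append("DEFAULT_CREDENTIALS")
    return findings


def audit_inventory(inventory, today=None):
    """Map device id -> findings, for every device with at least one finding."""
    today = today or date.today()
    report = {}
    for device in inventory:
        findings = audit_device(device, today)
        if findings:
            report[device["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(f"{dev_id}: {', '.join(findings)}")
```

With the sample data, the lobby camera is reported for both outdated firmware and a default login, and the lighting panel for being past end of support; the HVAC controller and badge reader come back clean. In practice you would not keep device passwords in plaintext in an inventory; the default-credential check is normally done by attempting the vendor's documented default login against each device from the management network, which produces the same finding without storing the secret.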

Strengthen Access Control and Authentication

More than one-third of network breaches involve stolen credentials. To reduce this risk, be sure to require strong and unique passwords and multifactor authentication. Limit permissions to those personnel who truly need access to the system and train all employees in how to spot phishing attacks. Physically secure spaces with sensitive data via keycards or biometrics; and promptly revoke access when staff or vendors leave.

Segment Networks

Put IoT devices on their own network segment (a dedicated VLAN or subnet behind a firewall that blocks traffic by default), so that even if a device is compromised, the hackers cannot jump from it to your company’s primary data network. And be sure to monitor IoT devices for unusual behavior. Many hacks involve marshalling hundreds of devices into a botnet to stage a denial-of-service attack. Establish what normal traffic looks like for each device; if a normally quiet sensor starts sending out large amounts of data, or talks to hosts it has never contacted before, it could be a sign that it has been compromised.

By separating your building systems network from your corporate and tenant networks, you don’t just protect access to the main network. You also prevent attacks from that network, such as from an infected laptop, that could compromise building operations.

Finally, the firewall and intrusion detection rules applied to your IoT network should be just as robust as those that protect the company network. A strong intrusion detection system can alert you if someone on a guest network, for example, is trying to ping your elevator control. And if vendors need to access the building management system remotely, require them to go through a VPN that is protected by multifactor authentication, that reaches only the building systems segment, and whose accounts are enabled only for the duration of the work. That way, even if an attacker obtains a vendor’s password, it will not be enough on its own to get into your systems.
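The two checks described in this section, a segmentation rule that catches a guest-network host probing the elevator controller and a baseline that catches a quiet sensor suddenly sending large volumes of data, can both be run over the flow records (NetFlow/IPFIX exports or firewall logs) that a building network already produces. The script below is an added example written for this article, not code from the original post or from PRIDE Industries. The subnet layout, the allowed-source policy, the per-device baselines and the flow records are all constructed sample data; the addresses, ports and byte counts are hypothetical.

```python
"""Flag cross-segment policy violations and volume anomalies in flow records.

Added example (not code from the original post). SEGMENTS, ALLOWED_INTO_CONTROL,
BASELINE_BYTES and FLOWS are constructed sample data; a real deployment would
feed this NetFlow/IPFIX exports or firewall logs from the building network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed network layout: which segment each subnet belongs to.
SEGMENTS = {
    "building-control": ip_network("10.50.0.0/24"),  # BMS, lifts, HVAC, sensors
    "corporate": ip_network("10.10.0.0/16"),
    "guest": ip_network("172.16.0.0/16"),
    "vendor-vpn": ip_network("10.99.0.0/24"),        # address pool for vendor VPN
}

# Constructed policy: only these source segments may reach building-control.
ALLOWED_INTO_CONTROL = {"building-control", "vendor-vpn"}

# Constructed baseline: typical outbound bytes per hour for each device.
BASELINE_BYTES = {
    "10.50.0.21": 4_000,    # temperature sensor: a few readings per minute
    "10.50.0.30": 900_000,  # camera: steady video stream
    "10.50.0.5": 2_000,     # elevator controller
}
ANOMALY_FACTOR = 10  # alert when a device sends more than ten times its baseline

# Constructed flow records for one hour: (src, dst, dst_port, bytes).
# Port 0 marks ICMP (ping); 47808 is BACnet/IP; 554 is RTSP video.
FLOWS = [
    ("10.50.0.21", "10.50.0.2", 47808, 3_500),       # sensor -> BMS, normal
    ("10.50.0.30", "10.50.0.2", 554, 850_000),       # camera stream, normal
    ("172.16.4.19", "10.50.0.5", 0, 120),            # guest host pings elevator
    ("10.10.7.42", "10.50.0.2", 80, 3_000),          # corporate laptop -> BMS
    ("10.99.0.8", "10.50.0.2", 443, 50_000),         # vendor over VPN, allowed
    ("10.50.0.21", "203.0.113.9", 443, 30_000_000),  # sensor -> internet, huge
]


def segment_of(ip):
    """Return the segment name for an address, or 'external' if it is in none."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def policy_violations(flows):
    """Flows entering building-control from a segment the policy does not allow."""
    alerts = []
    for src, dst, port, _ in flows:
        src_seg = segment_of(src)
        if segment_of(dst) == "building-control" and src_seg not in ALLOWED_INTO_CONTROL:
            alerts.append({"src": src, "src_segment": src_seg, "dst": dst, "port": port})
    return alerts


def volume_anomalies(flows, baseline, factor=ANOMALY_FACTOR):
    """Devices whose total outbound bytes exceed factor x their baseline."""
    totals = defaultdict(int)
    for src, _, _, nbytes in flows:
        totals[src] += nbytes
    return {
        src: total
        for src, total in totals.items()
        if src in baseline and total > factor * baseline[src]
    }


if __name__ == "__main__":
    for a in policy_violations(FLOWS):
        print(f"POLICY: {a['src_segment']} host {a['src']} -> {a['dst']}:{a['port']}")
    for src, total in volume_anomalies(FLOWS, BASELINE_BYTES).items():
        print(f"VOLUME: {src} sent {total} bytes vs baseline {BASELINE_BYTES[src]}")
```

On the sample flows, the policy check reports the guest host pinging the elevator controller and the corporate laptop reaching the BMS web interface, while the vendor session over the VPN pool passes. The volume check reports only the temperature sensor, which sent roughly thirty megabytes to an outside address against a baseline of a few kilobytes; the camera's large but steady stream stays within its own baseline, which is why the baseline has to be per device rather than one threshold for the whole segment.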

Protect Tenant and Sensitive Data

Many facilities are the custodians of a wide range of tenant data. In these cases, even a single security breach can be devastating to the facility’s reputation—and its bottom line. In 2023, the average cost of a data breach was an attention-grabbing $4.45 million.

To protect proprietary data, use HTTPS (TLS) for web portals and online services, so that data is encrypted as it moves over the network; the older SSL protocol versions are broken and should be disabled. In addition, regularly back up sensitive data, encrypt the backups, and test that they can actually be restored. And impose strong access controls so only staff who absolutely need access to tenant information have it.

Train Your Team and Tenants on Security Measures

According to IBM, 95% of cybersecurity breaches are due to human error, such as clicking on a malicious email link or using a weak password. That’s why IoT cybersecurity training is a must for everyone.

Start by incorporating general cybersecurity awareness training for all employees and contractors who access your systems. Teach employees to:

  • Spot phishing attempts, like emails sent from spoofed sender addresses or urgent money requests. You might use phishing simulations—sending fake emails to employees to see if they click—as a teaching tool, followed by guidance on red flags they missed.
  • Handle passwords safely. Teach employees not to share passwords or write them on sticky notes. Make it clear that no IT staff will ask for someone’s password over the phone.
  • Report suspicious activity immediately. Send a message to employees that all such reports are appreciated, even those that turn out to be false alarms.

Finally, educate staff and tenants about the simple steps they can take to protect your company’s physical and cyber systems. Prohibit tailgating, a practice in which someone follows a worker through a secure door without badging in. Restrict access to sensitive areas to essential, known personnel. And make sure that visitors are accompanied by company personnel at all times.

Manage and Vet Third-Party Vendors

Vendors are an integral part of building operations, but each third-party relationship is another avenue for risk, especially as these workers have physical access to your IoT devices. In fact, a 2024 survey found that 61% of companies experienced a data breach through a vendor.

Therefore, it’s important to vet vendors before and during the relationship. Ask about their cybersecurity policies. What kind of security certifications do they have? Do they conduct employee background checks and security training? Include security requirements in your contracts and limit a vendor’s access to the minimum needed to perform their work.

Assess each vendor periodically to see if there have been any security incidents; confirm that their privileges are still appropriate for the work they are doing. And encourage vendors to let you know when a staff member has left the company to allow you to promptly revoke their credentials.

Implement Continuous Monitoring and Incident Response Plans

On average, it takes companies 204 days to identify a breach, and another 73 days to contain it. But this time can be shortened considerably through vigilance. Facility managers should deploy tools that scan for unusual activity 24/7, and they should have a comprehensive response plan in place, including who has the authority to disconnect a compromised device and how building functions continue while it is offline. With continuous monitoring, you can significantly reduce the time that attackers are able to lurk unnoticed. And with a rehearsed incident response plan, you ensure that if there is an intrusion, you can quickly retake control of your systems and act decisively to mitigate damage. It’s like having smoke detectors and a fire mitigation plan in place, but for cybersecurity incidents.

Integrate Physical Security with IoT Cybersecurity

Anything in your building that’s smart or connected can be leveraged in an attack, and not all attacks come through a network. An intruder posing as a delivery person, for example, could slip into a restricted area and insert a malware-laden USB stick into a server or a device. Both cyber and physical security must be top notch.

This is why the most secure companies have chosen to break down the silos between their building and IT security teams. Working together, these two groups are able to devise security protocols that combat both physical and cyber intrusions.

Having IT experts team up with security personnel increases security for server rooms, security control centers, and other sensitive spaces. Working with IT also helps building personnel ensure that IoT devices like cameras, badge readers, and alarm panels are secured with passwords, updates, and network segmentation.

Integrating security efforts helps close the gap in the gray area between physical and IoT cybersecurity. It ensures that personnel do not overlook the unsecured network jack in the lobby or the smart lighting panel in the conference room.

IoT Cybersecurity in Action

The cybersecurity risks posed by IoT devices are increasing. Now more than ever, it’s important to fold IoT devices into your company’s security efforts. FM and IT personnel, working together, are the ideal team to tackle this security issue. And to get the most from these efforts, security experts recommend a five-step process:

  • Gather information. Determine whether specific responsibilities are already assigned, identify all assets and their configurations, review your existing security policies and procedures, and examine records of any past incidents or breaches at your facility.
  • Assess your position. Identify potential risks and evaluate your current security posture. You may need to bring in a specialist to provide additional expertise.
  • Make a plan. Set clear security objectives, perform a gap analysis, outline corrective measures, and assign ownership for each action.
  • Take action. Implement the necessary improvements and create mechanisms to track emerging developments and new technologies.
  • Review. Revisit and update your risk assessment, audit your current environment, and monitor industry trends, incidents, and evolving threats.

[Image caption: The ideal IoT cybersecurity team includes both FM and IT personnel.]

Finally, remember that maintaining IoT cybersecurity is a never-ending process. Hacking techniques evolve constantly, and so must your defenses. For facility managers, the first step is simple: Treat every connected device as both a valuable tool and a potential target.

Secure Facilities Management

At PRIDE Industries, we offer deep expertise and decades of experience in preventive and predictive maintenance, custodial services, engineering services, energy systems maintenance, project services, grounds and landscaping, and environmental management. Learn how partnering with us can enhance efficiency, increase security, and lower costs.