Cyberattacks on critical infrastructure occur 13 times every second, making cybersecurity a top concern for facility managers. In this episode, Stacey Shepherd and E.J. von Schaumburg share how leaders can strengthen resilience, safeguard systems and prepare teams to manage digital risks with the same urgency as physical threats.
Every day, critical infrastructure is under siege with about 1.2 million cyberattacks per day. For facility managers, that means cybersecurity isn’t just an IT issue, it’s a frontline responsibility. In today's episode, Stacey Shepherd and E.J. von Schaumburg from Building Cybersecurity discuss why facility managers must treat digital threats with the same urgency as physical ones and how leaders can use proactive strategies, assessments and insurance awareness to stay prepared. Together, they share how facility managers can build resilience, safeguard their organizations, and lead the way in a world where cyber risk is constant.
Sponsor:
This episode is sponsored by ODP Business Solutions!
00:00 Introduction: The Growing Threat of Cyber Attacks
00:19 Podcast Overview and Guest Introduction
01:23 Understanding Cybersecurity in Facility Management
02:24 The Importance of Data Management
02:54 Building Cybersecurity: Framework and Training
03:38 The Role of Facility Managers in Cybersecurity
05:01 Cybersecurity Training and Preparedness
08:11 Insurance and Risk Management
11:11 Leadership and Legal Implications
11:48 Resources and Conclusion
E.J. von Schaumburg: [00:00:00] Critical infrastructure is attacked 13 times every second. 1.2 million attacks a day. So if you're a facility manager and think it's not my problem or it's not gonna come to me, it's gonna come to you. The best thing to do is start to take a proactive approach to how you can plan.
Host: Welcome to Connected FM, a podcast connecting you to the latest insights, tools, and resources to help you succeed in facility management. This podcast is brought to you by IFMA, the leading professional association for facility managers. If you are ready to grow your network and advance in your career, go to ifma.org to get started.
In today's episode, Stacey Shepherd and E.J. von Schaumburg from Building Cybersecurity discuss why facility managers must treat digital threats with the same urgency as physical ones and how leaders can use proactive strategies, [00:01:00] assessments, and insurance awareness to stay prepared. Together, they share how facility managers can build resilience, safeguard their own organizations, and lead the way in a world where cyber risk is constant.
Now, let's get into it.
Stacey Shepherd: I'm Stacey Shepherd. I'm an advisory board member for Building Cybersecurity.
E.J. von Schaumburg: And I am E.J. von Schaumburg, one of the founding members of Building Cybersecurity, a nonprofit addressing cybersecurity and operational technology for commercial buildings.
Stacey Shepherd: And glad to share a little bit about the challenges of cybersecurity for facility management. The theme here is on circular economy and sustainability. And so with that, there's certainly a ton of opportunities to be able to take advantage of that.
And specifically, I would note [00:02:00] Dr. Matt Tucker wrote a report for IFMA on the circular environment and how facility managers can optimize that. And he's essentially got three pillars, and looking at maintenance and repair and the ability that, how that is incorporated for circularity. Also looks at sustainable procurement and thinking about longevity, recyclables and things like that.
But the third pillar is the one that I would like to share with EJ and talk with you all today. And that's on data management.
E.J. von Schaumburg: So, yeah. Well, thank you. Just a little background on myself. I'm a 35-year technologist. 30 years ago, about an hour up the street is where Wi-Fi was actually invented. So I've spent the last 30 years connecting buildings and stadiums, and now we've spent the last five years trying to protect them.
So when we look, Building Cybersecurity, it's a nonprofit to help [00:03:00] think about the framework of how you assess the risk of cyber as it relates to the building system. So very near and dear to the heart of facility managers, right? The, you know, what is an operational technology system? It's the HVAC system.
It's the elevator systems, the access control systems, right? Traditionally, those systems, as we, everyone's talking about a smart building, right? You know, it means these systems are more tightly coupled and connected together. So when that happens, you have to also make sure that they're protected.
Stacey Shepherd: Absolutely. And so Building Cybersecurity came together with IFMA two years ago as they realized they wanted to be on that leading edge in helping raise education and awareness for facility management worldwide to understand this is their problem. We've talked to many facility managers and they said, you know what, this is the [00:04:00] job of our CIO.
This is the job of our IT department. This is not my responsibility. And yet when the bad actors can't get through the front door, through the IT systems, they're gonna look at going around the back door or through the side window because they're gonna look at areas of vulnerability, which many organizations don't appreciate where they have those gaps and fragmentation.
E.J. von Schaumburg: Yeah, and I would say in that, the whole idea of cybersecurity, what we refer to as cyber safety. Yes. Because it impacts the safety of human beings as well. But there, there's a village. You know, most of us understand, especially in the facility management world, there's a tremendous amount of subcontractors and others that play a role in keeping these systems up.
How do we ensure that each one of those takes an active role within the process of securing these facilities is something that we've built in the framework for building [00:05:00] cyber.
Stacey Shepherd: Absolutely. So some of the things that we've been able to do as partners, not only, I mentioned, awareness, but also training.
And so we've worked with Cathy Pavick, head of professional development for IFMA, and some of our best experts to be able to weigh in providing a Cyber 101 training course. This is really just about the fundamentals, the building blocks of understanding terminology and the "so what" to try and get facility managers aware.
But also to be proactive about engaging and learning about how to incorporate that and to be able to tie that in with their actions.
E.J. von Schaumburg: Yeah, and when you look at how overwhelmed the facility managers are today, there's still some fundamental things they have to do. Things like safety in the building, fire drills, and how do you evacuate a building if something happens?
Now, when you look at cybersecurity, those same events can [00:06:00] impact a building the same way a fire or flood could. So having the understanding of a plan in place and how to respond to that plan, if something does happen, is really the key. One of the things that we laid out in the training program, it's literally a cybersecurity 101 for facility managers to help them understand the basics and how they can, you know, help drive the solution here.
Stacey Shepherd: Well, and facility managers are inherently safety oriented. And so as we have all-hazard resilience, as they do safety plans for natural disasters and for, God forbid, an active shooter, they are not also looking at cyber attacks as being something where they need a plan.
I mean, if you look at the total cost of cyber crime today, it is $10 trillion. Wow. And so the [00:07:00] fact that at $10 trillion, if you think about just across the European Union, GDP, that's 19 trillion right there.
E.J. von Schaumburg: Yeah.
Stacey Shepherd: And people don't realize the magnitude.
Host: Need business supplies from cleaning wipes to filtered water? Know you have a trusted partner to turn to ODP Business Solutions makes it simple to keep things running smoothly with trusted cleaning supplies and break room essentials delivered fast. Whether you run a hospital, hotel, or cleaning crew, they have your back and can help you restock with consistency, convenience, and less stress, all from a trusted single source.
Visit odpbusiness.com to learn more.
E.J. von Schaumburg: Yeah. And then, you know, critical infrastructure is attacked 13 times every second. 1.2 million attacks a day. So if you're a facility manager and think it's not my problem or it's not [00:08:00] gonna come to me, it's gonna come to you. The best thing to do is start to take a proactive approach to how you can plan. One of the things that we did early in the nonprofit was
think about how insurance plays in this, right? Because cyber attacks is no different than the other risk assessments that you have to do. You have to assess that risk and then understand how you mitigate it, defer it, or transfer it, right? And in that case, you know, when we think about, you know, partnerships, we worked with Aon, one of the large brokers to help drive this end.
Cyber insurance today has been traditionally organizationally driven, right? Property and casualty has been the insurance that protects that asset. We are trying to drive the market to ensure that there's protections on the property and casualty side as it relates to cybersecurity.
Stacey Shepherd: And you know, I think when, and unfortunately, an incident happens, [00:09:00] many facility managers,
because they don't have a plan, they don't know what to do. They don't know who to contact. They don't know if they're insured. They don't know if they should take one action vice another in terms of having even more negative impact on that. And so needing to understand what that response is, should be.
How do they communicate that internally? Do they evacuate the building? Is it something where there's a concern that the elevators may be at risk or that people may be at risk? So needing to know, how am I supposed to respond to this as a facility manager? Who do I tell externally? Who do I tell internally?
And what is the methodology of that communication because that may also be impaired.
E.J. von Schaumburg: Yep. And one takeaway, something very simple from the compliance side, is that I would recommend go look at your insurance policies for that building today [00:10:00] and ask the question: if this building was inoperable, or what we call, you know, continuing business interruption, right?
If a cyber attack takes down the elevator systems or the access control systems and the building can't be used, is that covered under the policy that I have to, right? So start those questions internally to understand that risk and assessing that risk.
Stacey Shepherd: And also it could be through insurance. Or you might be thinking about managed services providers.
Yeah. But how carefully are you reading the fine print? Where is the liability if something should happen? I just heard of a recent incident where the owner had a managed service provider and the breach from CrowdStrike was on them and complete access and infiltration of their systems. So who's at fault?
Yeah. And who is liable? Yeah. And who is to fix it? And so understanding [00:11:00] many of those actions, sometimes you have to look within the fine print is where there gaps and where is there coverage and where is there clarity to get that done before an incident happens. Yeah.
E.J. von Schaumburg: And many facility managers would say, Hey E.J., I can't get my senior leadership to think about this.
Right. How do you help with that? And today, I would say, you know, from a large scale, a lot of the recent events from an attack perspective, there are class action suits going against the leadership team and the CEOs directly. Right, so now it's not isolated to just covered under a directors and officers insurance policy.
They're getting attacked in class action suits that take decades to fix that brand, right? From a tarnished brand perspective. So,
Stacey Shepherd: Absolutely. And so one of the other things that BCS does is we offer solutions. So we're a nonprofit, but our members can do cyber assessments, they can do cyber commissioning, they can help with remediation, [00:12:00] they can help with implementation plans.
But we also offer a framework. And so if anyone were to go to www.buildingcybersecurity.org, it pulls up a little questionnaire and a free downloadable ebook would then be able to go through 16 steps that really bring together and tie in the convergence between the IT and the OT. And a lot of people don't know where to start.
So it's simply about conversations that go through some of the most critical elements of having conversations about roles and responsibility on asset inventory, on risk management. And this was put together with some of the best in the world on, with cyber safety expertise, bringing that background and understanding of the IT and OT to help with a guide.
E.J. von Schaumburg: Yeah, in addition, from the IFMA website, if you search cyber or cyber training, the online training course [00:13:00] along with some of the white papers that we've done in concert with IFMA are out there readily available as well. Thank you so much for your time. Thank you.
Host: Thanks for tuning into the Connected FM podcast. If you enjoyed today's episode, please take a moment to rate and review the show because it really helps us reach more listeners just like you. And don't forget to hit the subscribe button so you never miss an episode. See you next time.