Cybersecurity for Smart Buildings: What Property Professionals Need to Know (BOMA 2026 Preview)
Cybersecurity isn’t just the domain of your IT department anymore—it’s on you as a property professional to make sure you’re following best practices and protecting your tenants against cyber attacks.
Fred Gordy, senior vice president of secure connected solutions at KMC Controls and advisory board member for Building Cyber Security, will discuss the vulnerabilities of smart technologies and how property managers can evaluate their risk in a Sunday session at the 2026 BOMA International Conference & Expo. Attendees will learn about a real-world case study in which one email with embedded ransomware caused a building to become non-operational for nearly a week—and took the operators 92 days to fully recover from the breach.
Joanna Sugunathazan, program manager for the BOMA BEST building certification program, will also highlight BOMA BEST Smart, a roadmap for smarter, more resilient building operations.
“What I try to do is demystify cybersecurity,” Gordy explained. “It’s about operational resilience. What does it cost you if you have to shut down your building for a day? That’s real dollars, because your tenants probably have reimbursement in their contracts. There’s also a safety and trust issue with this—the court of public opinion will take over and perception becomes the reality. That’s a dollar figure that’s hard to quantify.”
Common Vulnerabilities in Smart Buildings
Auditing your smart building starts with answering three questions, Gordy explained:
- What do you have?
- How is it connected?
- Who has access?
“About 90% of people can’t answer any of the three questions,” Gordy said. When you don’t know what smart building technology you have, how it’s connected, or who has access to it, you end up with vulnerabilities you may not even know you have. One of them involves the system integration process itself.
“System integrators are putting in remote access to these systems using services like LogMeIn,” Gordy said. “Password crackers are easy to use. But there’s another caveat to this—system integrators use LogMeIn for a couple hundred customers, and they have one username and password to get into LogMeIn. If you figure that out, you could get into hundreds of other systems that they’re supporting.”
Addressing these vulnerabilities starts with knowing what they are, Gordy said—understand what you have in your building, what it’s connected to, and who has access to it. In addition, he recommended three basic best practices that anyone can follow:
- Protect your technology and reduce access. The case study featured in the session involved a computer that controlled many systems in the building. A technician used it to check his personal email, clicked on a message he shouldn’t have opened, and exposed the building to ransomware. “Those systems do not need to be sitting on somebody’s desk so anybody can use them,” Gordy said. “Take those out and put them somewhere secure. Nobody needs to touch it unless they’re doing updates.”
- Perform consistent, safe backups. Another issue in the case study was that facility managers performed a backup—but it backed up ransomware-infected files. “It needs to be on a device where the backup is being scanned to make sure nothing ugly got in it,” Gordy said.
- Understand how you’ll respond. The incident featured in the session is a study in why on-the-fly disaster recovery rarely works. “Every one of those responses were off the cuff, just making it up as they go along, because they had no disaster recovery plan whatsoever,” explained Gordy. The result: significant downtime and more than three months to reach a full recovery.
“See if you’re genuinely ready if you had to dump your building,” Gordy urged. “Do you have a plan in place? Don’t just listen to IT when they say, ‘Yes, we have a disaster recovery plan.’ An OT recovery plan is way different than an IT one.”
Learn from experts—and fellow property professionals—at the 2026 BOMA International Conference & Expo. Sign up today and join your colleagues in Long Beach!
About the Author
Janelle Penny
Editor-in-Chief at BUILDINGS
Janelle Penny has been with BUILDINGS since 2010. She is a two-time FOLIO: Eddie award winner who aims to deliver practical, actionable content for building owners and facilities professionals.

