Modern office spaces are rapidly evolving to keep pace with tenants’ requirements for streamlined processes and enhanced connectivity. And, in response, corporate real estate property (CRE) owners have been keen to introduce artificial intelligence (AI) and aspects of ‘smart buildings’ to improve tenant satisfaction and enhance property management and maintenance. According to JLL’s Global Real Estate Technology Survey 2025 (opens a new window), 87% of CRE investors, owners, and landlords are increasing technology budgets for AI adoption in their buildings and management.

However, landlords may be unaware of their exposure to emerging cyber vulnerabilities in this area. Cyber-attackers could exploit weaknesses to gain access to operational technology and systems, potentially disrupting and destroying physical equipment. As part of sound risk mitigation, property owners should bolster cyber resilience to reduce cyber threats, and ensure their assets remain protected.

Growing uptake of ‘smart offices’

Smart offices are structures that use advanced technologies, such as sensors, internet of things (IoT) devices, and AI, to automate and optimise various building management systems. Introducing this technology can create a more efficient, sustainable, and comfortable environment for tenants via the collection and analysis of data to make real-time adjustments. In the UK, the smart building market is projected to grow at a compounded annual growth rate of 28.5% (opens a new window), from 2025 to 2030.

The introduction of technology has also generated benefits for property owners. Connecting and amalgamating heating, ventilation, and air conditioning (HVAC) platforms and security systems onto a singular, joined-up network has made property management a more efficient process. ‘Agentic’ AI can also flag tenancy compliance risks and trigger maintenance workflows automatically, enabling landlords to achieve cost savings.

Associated cyber risks with modern office spaces

Technology is ubiquitous in modern offices, and security gates, coffee machines, ergonomic furniture, printers, and interactive display boards, are all commonly Wi-Fi-enabled. However, many of these devices are designed with focus on user convenience – not robust security.

The growing introduction of IoT enabled devices – often incapable of supporting strong security features – expands the attack surface area for malicious actors. Hackers will identify smart devices, exploit their network vulnerabilities and gain unauthorised access, with the aim of pivoting and moving laterally across the network to target more critical and sensitive systems.

What physical effects could a cyber-attack cause?

Beyond digital disruption, the physical consequences of a cyber-attack can be just as significant. With access to an asset’s operational system, hackers could lock doors, deactivate HVACsystems, trigger alarms, or issue building access to criminals. Hackers could also activate the sprinkler systems, causing significant damage to the interior of the building and equipment inside.

However, more seriously, a cyber-attack could disable fire suppression systems, evacuation lifts, or fire alarm systems in place. If these were shut down, the building would consequently become a much greater fire risk. A cyber-attack could even directly cause a fire to start, by causing machinery or equipment to overheat and malfunction.

Could there be further repercussions for CRE owners?

Property owners could face potential liabilities from tenants who suffer due to a cyber-attack. If tenants are locked out of their office space or prevented from working, CRE owners could be exposed to business interruption losses. Property owners may also suffer lost rent if clients refuse to pay due to alleged breach of contract in the fallout from a cyber incident. Furthermore, depending on the scale of the attack, remediation costs to repair damage and resolve the interruption can be significantly high.

How CRE owners can build resilience

Beyond considering how to limit physical risks, such as fire or sprinkler activation, it is imperative that CRE owners establish thorough and comprehensive cyber-focused risk management. Key steps for this include:

• Carry out risk assessment of building management systems, identifying connected systems, potential weak links in security, such as unsecured networks or cloud-managed services.

• Ensure networks are managed/separated, both physically and virtually. Segregate networks for core systems (security, access control, CCTV) from less critical systems, such as guest Wi-Fi.

• Review lease agreements with tenants to determine where liability would fall in the event they suffer losses due to a cyber-attack on the building. Consider exposure to losses if tenants were shut out and businesses interrupted – would the property owner be able to handle this loss?

• Assess third-party access to building systems, such as facility management or vendors. Landlords should audit third-party systems to ensure they are secure and do not pose a security risk.

Insurance is also a fundamental aspect of sound risk mitigation. However, CRE owners should be aware that Property Insurance policies may not provide cover for property damage or non-damage business interruption stemming from a cyber-attack. Solutions are available under a Cyber Insurance policy, but property owners must weigh up the costs of such policies against potential losses arising from a successful cyber-attack.

To further explore the issues raised above, we will be holding ‘Office Breakfast Seminar: The Next Chapter for Office Spaces’ , on 22 April 2026. For more information, reach out to a member of the Lockton Global Real Estate and Construction Team here (opens a new window).