Eliminate Security Weaknesses in Your Smart System Supply Chain


The reliance on smart systems or Internet of Things (IoT) devices in commercial and residential buildings is rapidly accelerating and so are their associated cyber security concerns. From HVAC, lighting and elevator systems to sensors that collect data in the background, these emerging technologies offer incredible benefits, including increased functionality and improved customer satisfaction.

[ compact ]

  • Internet-connected building technologies can create significant cyber security weaknesses in both commercial and residential properties.


  • Many common security vulnerabilities exist in third-party technologies outside the control of building managers and owners.


  • Thoroughly vetting suppliers / providing adequate training to procurement staff is the best risk management policy.


More valuable procurement insights are available in BOMA's 2020 Cyber Wellness Guide.

With Great Power Comes Great Vulnerability

Smart systems are purpose-built for user functionality and convenience; not necessarily with cyber security in mind. With builders and property managers racing to keep up with trends and competitors, the vetting process for new vendors can be lacking and existing vendors are often slow to provide adequate support for newer operating systems.


As cyber attackers become more persistent and patient in trying to take control of your systems or access valuable data, they will explore every channel to find your weak links — which often exist through third-party vendors or their systems. The increase in smart systems provides a lucrative avenue for cyber attacks across your supply chain, which can leave you vulnerable as unauthorized parties gain access to your systems or data through your vendors or even their suppliers.

Know Your Weaknesses

Whether you’re fully aware of it or not, the following conditions likely exist across your network of properties and can potentially expose you to cyber security risks:

Third-Party Access

Multiple service providers or vendors (e.g. janitorial services, engineering, etc.) may have physical or virtual access to your information technology (IT) systems, operational technology (OT) systems, software codes or internet (wired or Wi-Fi).

Numerous Access Points

Your systems and / or data may have a variety of different access points which affect your property’s physical security.

Poor Information and Systems Security Practices

Lower-tier suppliers may not have adequate certification or follow best of breed practices to protect your systems and information.

Compromised Supplier Software or Hardware

Your buildings could be housing vulnerable third-party technologies which give cyber criminals access to your systems and information.

Multiple Third-Party Connections

A variety of people, technologies, vendors and guests connected to your systems may be able to collect, aggregate or store building data.

Lack of Training or Cyber Awareness

Staff members may not know the questions to ask, warning signs to look for or cyber security risks to consider when coordinating / interacting with third-party vendors.

The volume of data at risk could be far more than you know. And from the safety of your people to property damage and related costs, this data has the potential to significantly impact your organization.

How to Protect Yourself

Ensure you’re addressing all cyber vulnerabilities through your supply chain and taking the necessary steps toward comprehensive cyber security. This includes thoroughly vetting your suppliers, verifying their credentials and setting clear expectations for their own internal policies and procedures prior to signing any contracts or installing any hardware or software on your premises.


You also need to invest in cyber security awareness training for your own team — especially those who work directly with your systems and suppliers. Create a proactive culture of empowerment and set clear expectations for everyone who manages, interacts with or maintains technology on your properties.


The Building Owners and Managers Association of Canada (BOMA) 2020 Cyber Wellness Guide offers more valuable procurement insights to help building owners and managers with their cybersecurity journey as it relates to third-party vendors.

“Procurement has historically been viewed as a transactional function but should be positioned strategically to strengthen cyber security and protect you from infiltration of your systems and data through your supplier base.”


Trent Bester, Senior Vice President
Consulting and Public Sector, MNP LLP

If you have any questions or would like additional advice on how you can better secure your smart system supply chain, drop me a line anytime.