Definition

Cyber security is the operational discipline of protecting an organisation's data, systems and networks from unauthorised access, disruption or destruction. It covers all data — client financial records, commercially sensitive project files, BIM models, valuation reports, tender prices, tenant schedules and firm infrastructure — not just personal data.

This is an important distinction from GDPR and data protection, which are a legal framework governing how personal data is collected, used and retained. The two overlap — a cyber breach may trigger GDPR notification obligations if personal data is involved — but they are not the same thing. A ransomware attack encrypting a client's project files raises cyber security issues even if no personal data is affected at all.

Why this matters for Data Management

  • Level 1 knowledge: understand the five NCSC Cyber Essentials controls and a surveying firm's practical obligations — and how they differ from GDPR.
  • Surveying firms hold an unusually rich mix of sensitive data: client identity documents, AML due diligence packs, bank account details for rent collection, valuation reports, BIM models and tenancy schedules.
  • Business email compromise (BEC) — criminals spoofing emails to redirect completion monies to a fraudulent account — is one of the most prevalent attacks in the property sector.
  • RICS Rule 5 (competent service) is engaged directly: a firm without adequate cyber controls is not delivering a competent service.
  • Cyber insurance is increasingly a tender requirement for public-sector and institutional appointments.

Key principles and explanation

1. The five NCSC Cyber Essentials controls

The UK government-backed Cyber Essentials scheme (administered by the NCSC, assessed through IASME) is built around five technical controls:

  1. Firewalls — a security boundary between the internet and internal systems; unnecessary ports closed and default credentials changed.
  2. Secure configuration — devices and software hardened at the outset; default accounts disabled, unnecessary services removed.
  3. User access control — unique accounts per user; admin rights limited to those who need them; leavers removed promptly; MFA required for internet-facing and administrator accounts.
  4. Malware protection — up-to-date anti-malware across all in-scope devices including remote laptops; risky file types and macros controlled.
  5. Security update management — high and critical vulnerabilities patched within 14 days; end-of-life software removed.

Cyber Essentials is a self-assessment verified by an independent assessor. Cyber Essentials Plus adds independent technical testing — vulnerability scans and hands-on verification — to confirm the controls work in practice. Plus is increasingly required in larger tenders and by public-sector clients.
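The controls above read as policy, but three of them (user access control, security update management and removal of end-of-life software) reduce to checks that can be run over a firm's own inventory. The Python below is an added illustration of that, not code from the page or from the Cyber Essentials scheme material: it runs a constructed account, vulnerability and software inventory against those rules and reports any failures. Every field name, device name, user name, date and record is an assumption; a real firm would export the equivalent from its device-management or RMM tooling.

```python
# Added example: evidence checks for three of the five Cyber Essentials controls,
# run over a CONSTRUCTED inventory. Field names and records are assumptions.
from datetime import date, timedelta

PATCH_SLA_DAYS = 14             # high/critical fixes must be applied within 14 days
AUDIT_DATE = date(2024, 3, 20)  # assumed date on which the self-assessment is run

# Constructed user accounts (control 3: user access control)
ACCOUNTS = [
    {"user": "j.smith", "admin": True,  "internet_facing": True,  "mfa": True,  "enabled": True, "left_firm": False},
    {"user": "a.jones", "admin": False, "internet_facing": True,  "mfa": False, "enabled": True, "left_firm": False},
    {"user": "p.brown", "admin": False, "internet_facing": False, "mfa": False, "enabled": True, "left_firm": True},
]

# Constructed vulnerability findings (control 5: security update management)
VULNERABILITIES = [
    {"device": "LAPTOP-01", "severity": "critical", "fix_available": date(2024, 3, 1),  "patched": None},
    {"device": "LAPTOP-02", "severity": "high",     "fix_available": date(2024, 3, 10), "patched": date(2024, 3, 12)},
    {"device": "SERVER-01", "severity": "medium",   "fix_available": date(2024, 2, 1),  "patched": None},
]

# Constructed installed software (control 5: end-of-life software must be removed)
SOFTWARE = [
    {"device": "SERVER-01", "product": "Legacy CAD viewer", "vendor_supported": False},
    {"device": "LAPTOP-01", "product": "Office suite",      "vendor_supported": True},
]


def check_access_control(accounts):
    """MFA on admin and internet-facing accounts; leavers disabled promptly."""
    findings = []
    for a in accounts:
        if (a["admin"] or a["internet_facing"]) and not a["mfa"]:
            findings.append(f"{a['user']}: MFA missing on admin/internet-facing account")
        if a["left_firm"] and a["enabled"]:
            findings.append(f"{a['user']}: leaver account still enabled")
    return findings


def check_patching(vulns, today):
    """High and critical fixes applied within PATCH_SLA_DAYS of the fix being released."""
    findings = []
    for v in vulns:
        if v["severity"] not in ("high", "critical"):
            continue  # the 14-day clock applies to high and critical findings only
        deadline = v["fix_available"] + timedelta(days=PATCH_SLA_DAYS)
        if v["patched"] is None and today > deadline:
            findings.append(f"{v['device']}: {v['severity']} fix overdue by {(today - deadline).days} days")
        elif v["patched"] is not None and v["patched"] > deadline:
            findings.append(f"{v['device']}: {v['severity']} fix applied late")
    return findings


def check_end_of_life(software):
    """Software no longer supported by its vendor must be removed."""
    return [f"{s['device']}: unsupported software '{s['product']}' should be removed"
            for s in software if not s["vendor_supported"]]


def run_self_assessment(today=AUDIT_DATE):
    """Collect findings per control; an empty list means that control passes."""
    return {
        "user_access_control": check_access_control(ACCOUNTS),
        "security_update_management": check_patching(VULNERABILITIES, today),
        "end_of_life_software": check_end_of_life(SOFTWARE),
    }


if __name__ == "__main__":
    for control, findings in run_self_assessment().items():
        print(control, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

Run on the constructed data, the script fails all three controls: one internet-facing account without MFA, one leaver still enabled, one critical fix five days past the 14-day window and one unsupported product still installed. Firewalls and malware protection are not covered because their evidence (rule sets, agent status) does not sit in a simple inventory like this.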

2. Common attack vectors in the property sector

The most common vectors affecting surveying firms are:

  • Phishing — the most frequent entry point; emails designed to steal credentials or install malware. Spear-phishing targets named individuals using publicly available information.
  • Business email compromise (BEC) — particularly dangerous in property. Criminals impersonate a solicitor, agent or client to redirect completion monies or rental income. Verbal verification using an independently sourced phone number is the key control.
  • Ransomware — malicious software encrypts accessible files and demands payment. Even firms with backups face days of disruption and the risk of data exfiltration.
  • Credential stuffing — leaked username and password combinations used to access firm systems. Password reuse is the root cause; a password manager and unique passwords per service are the remedy.
  • Insider threats — accidental (emailing a file to the wrong address) or deliberate (a leaver exfiltrating client data). Access controls and prompt leavers procedures are the key mitigations.
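The BEC control described above, verbal verification on an independently sourced number, can be backed by a simple inbound triage step that holds any message asking for a change of payment details and flags the usual warning signs. The Python below is an added illustration and not code from the page: it checks two constructed messages for a Reply-To domain that differs from the sender, a sender domain that closely resembles the domain recorded in the firm's engagement letters (a generalisation of the page's "spoofing" point, via edit distance), and wording that requests new bank details. The contact register, domains, message bodies and the two-character edit-distance threshold are all assumptions.

```python
# Added example: defensive triage of an inbound payment-instruction email,
# run over CONSTRUCTED messages. Contact register, domains and bodies are assumptions.
import re
from email.utils import parseaddr

# Domains confirmed from the firm's own engagement letters (constructed register)
VERIFIED_DOMAINS = {"buyer's solicitors": "bloggs-law.co.uk"}

# Wording that signals a request to change where money is sent
PAYMENT_CHANGE = re.compile(
    r"(new|updated|changed)\s+(bank|account)\b|sort\s*code|account\s+number|redirect", re.I)


def domain_of(header_value):
    """Extract the domain from a From or Reply-To header value."""
    address = parseaddr(header_value)[1]
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(msg):
    """Return the warning signs present in a message (empty list if none)."""
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg.get("Reply-To", msg["From"]))
    indicators = []
    if reply_dom and reply_dom != from_dom:
        indicators.append("reply-to domain differs from sender domain")
    for contact, verified in VERIFIED_DOMAINS.items():
        if from_dom != verified and edit_distance(from_dom, verified) <= 2:
            indicators.append(f"sender domain resembles the verified domain for {contact}")
    if PAYMENT_CHANGE.search(msg["body"]):
        indicators.append("message requests a change of payment details")
    return indicators


def triage(msg):
    """Decide what the recipient should do before acting on the message."""
    indicators = bec_indicators(msg)
    if "message requests a change of payment details" in indicators:
        # The key control from the page: verify verbally on an independently sourced
        # number, even when the message otherwise looks genuine.
        return "HOLD - verify by phone on the number from the engagement letter", indicators
    return ("REVIEW" if indicators else "OK"), indicators


# Constructed sample messages
SUSPICIOUS = {
    "From": "Jane Doe <jane.doe@bloggs-1aw.co.uk>",
    "Reply-To": "jane.doe@mail-relay.example",
    "body": "Please note our updated bank details for completion: sort code 00-00-00.",
}
ROUTINE = {
    "From": "Jane Doe <jane.doe@bloggs-law.co.uk>",
    "body": "Attached is the draft transfer deed for your comments.",
}

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        action, found = triage(msg)
        print(label, "->", action, found)
```

The design point is that the hold decision depends only on the payment-change wording: a request to redirect completion monies is held for phone verification whether or not the other indicators fire, because a genuine-looking email from the real domain can still be sent from a compromised mailbox. The other indicators are there to raise the priority of the review, not to replace the call.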

3. Practical obligations: controls every surveyor should know

Candidates should be able to explain the following practical controls in a surveying context:

  • Multi-factor authentication (MFA) — required for all cloud services, email and any internet-facing account. An authenticator app (preferred over SMS) means a stolen password alone cannot grant access.
  • Password policy — the NCSC recommends three random words rather than complex short passwords; use a password manager; never reuse passwords across services.
  • Staff training — regular, documented cyber awareness training; simulated phishing exercises; a blame-free culture so staff escalate suspicious emails promptly.
  • BYOD policy — personal devices used for work must meet the firm's security baseline.
  • Secure remote working — VPN or zero-trust access; encrypted laptops; auto-lock screens; no sensitive work over public Wi-Fi.
  • Secure file sharing — client files via firm-approved platforms (SharePoint, secure portals) only; never via personal email or consumer cloud storage.
  • Backup and recovery — the 3-2-1 rule: at least three copies of data, on two different media types, with one copy offsite or in immutable cloud storage. Test recovery regularly; an untested backup is not a backup.
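To show how the 3-2-1 rule and the "untested backup is not a backup" point combine, the Python below (an added example, not code from the page) evaluates a constructed backup inventory and counts a backup copy only if its last restore test is recent. The inventory, the 90-day restore-test policy and the field names are assumptions; the live file server is treated as one of the three copies, which is the usual reading of the rule.

```python
# Added example: checks a CONSTRUCTED backup inventory against the 3-2-1 rule,
# counting only copies that have passed a recent restore test. All records are assumptions.
from datetime import date

MAX_TEST_AGE_DAYS = 90  # assumed firm policy: a restore test older than this is stale

# Constructed inventory; the live file server counts as one of the three copies.
COPIES = [
    {"name": "live-file-server", "media": "disk",           "offsite": False, "immutable": False, "live": True,  "last_restore_test": None},
    {"name": "office-nas",       "media": "disk",           "offsite": False, "immutable": False, "live": False, "last_restore_test": date(2024, 1, 10)},
    {"name": "cloud-vault",      "media": "object-storage", "offsite": True,  "immutable": True,  "live": False, "last_restore_test": date(2024, 2, 20)},
    {"name": "weekly-tape",      "media": "tape",           "offsite": True,  "immutable": False, "live": False, "last_restore_test": None},
]


def usable_copies(copies, today):
    """The live copy always counts; a backup counts only if its restore test is recent."""
    usable, excluded = [], []
    for c in copies:
        tested = c["last_restore_test"]
        if c["live"] or (tested is not None and (today - tested).days <= MAX_TEST_AGE_DAYS):
            usable.append(c)
        else:
            excluded.append(c["name"])
    return usable, excluded


def evaluate_321(copies, today):
    """Apply the three parts of the rule to the copies that can actually be relied on."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    usable, excluded = usable_copies(copies, today)
    result = {
        "three_copies": len(usable) >= 3,
        "two_media": len({c["media"] for c in usable}) >= 2,
        "one_offsite_or_immutable": any(c["offsite"] or c["immutable"] for c in usable),
        "untested_excluded": excluded,
    }
    result["compliant"] = all(
        result[k] for k in ("three_copies", "two_media", "one_offsite_or_immutable"))
    return result


if __name__ == "__main__":
    for day in ("2024-03-01", "2024-05-01"):
        print(day, evaluate_321(COPIES, day))
```

On 1 March 2024 the inventory passes: the tape is excluded because it has never been restore-tested, but the live server, the NAS and the immutable cloud vault still give three copies on two media with one offsite. By 1 May the NAS restore test is over 90 days old, so only two copies remain usable and the same inventory fails, which is exactly the situation a firm discovers too late if it never tests recovery.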

4. Incident response

A structured response reduces harm and demonstrates competence:

  1. Contain — isolate affected devices, disable remote access, change credentials.
  2. Assess — determine what data is affected; has personal data been exfiltrated or merely made inaccessible?
  3. Notify the ICO — if personal data is at risk, report within 72 hours; notify affected individuals where the risk is high.
  4. Report to Action Fraud (actionfraud.police.uk) — the national reporting centre for cyber crime.
  5. Notify the PI insurer — late notification can prejudice a claim; do not pay a ransom without legal and insurer advice.
  6. Post-incident review — update the risk register, run refresher training, review supplier contracts.

5. Supply chain and vendor risk

A surveying firm is only as secure as its weakest supplier. Cloud platforms, BIM tools, accounting software and IT providers all access firm and client data. Due diligence before onboarding should confirm whether a supplier holds Cyber Essentials or ISO 27001 certification, what its breach-notification obligations are, and where data is hosted. Institutional clients increasingly include supply chain cyber risk questions in tenders.

Assessor tip

Do not conflate cyber security with GDPR. UK GDPR governs lawful bases, data subject rights and ICO notification for personal data. Cyber security protects all systems and data. They overlap — a cyber attack may trigger GDPR obligations if personal data is compromised — but a ransomware attack encrypting commercially sensitive project files is a serious cyber incident even if no personal data is involved. Assessors will probe this distinction.

Relevant RICS guidance and legislation

  • RICS Data Handling and Prevention of Cybercrime professional statement — sets out mandatory obligations for RICS professionals and regulated firms on data handling and cyber security. Refer to the current edition on the RICS website.
  • RICS Rules of Conduct (effective 2 February 2022) — Rule 5 (competent service) and Rule 3 (integrity) are both engaged by inadequate cyber controls.
  • UK GDPR and Data Protection Act 2018 — governs notification obligations to the ICO and affected individuals where a cyber incident involves personal data.
  • NCSC Cyber Essentials scheme — the UK government-backed baseline certification; see ncsc.gov.uk.
  • NCSC Small Business Guide: Cyber Security — practical guidance for surveying SMEs.
  • Fraud Act 2006 and Computer Misuse Act 1990 — the primary criminal law framework for cyber attacks and BEC fraud in the UK.

Ethics and Rules of Conduct angle

Cyber security obligations sit primarily within Rule 5 of the RICS Rules of Conduct (effective 2 February 2022) — the duty to deliver a competent service. A firm lacking MFA, staff training and a tested backup strategy is not providing a competent service. Rule 3 (act with integrity) is also engaged where poor cyber hygiene exposes client funds or confidential instructions. Cyber security is a professional conduct obligation, not merely a technical one — RICS can pursue breaches independently of criminal or regulatory proceedings.

APC questions and answers

Q (Level 1) Name the five controls covered by the NCSC Cyber Essentials scheme.

Firewalls, secure configuration, user access control, malware protection, and security update management. Together these address the most common internet-borne threats and form the baseline for UK government-backed cyber security certification.

Q (Level 1) What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire verified by an independent assessor. Cyber Essentials Plus uses the same five controls but adds independent technical testing to confirm they work in practice. Plus provides stronger assurance and is increasingly required in public-sector and larger private-sector tenders.

Q (Level 2) Your firm receives an email purportedly from a buyer's solicitor instructing you to redirect completion monies to a new bank account. What do you do?

This is a textbook business email compromise (BEC) attack. I would not act on the email. I would call the solicitor on a number from the original engagement letter — never the number in the suspicious message — to verify verbally. I would log it as a cyber incident and remind staff of the firm's completion-money verification protocol. If monies had been transferred, I would contact the bank immediately to attempt recall, notify the PI insurer, report to Action Fraud, and assess whether ICO notification within 72 hours is required if personal data was exposed.

Q (Level 2) How does cyber security differ from GDPR compliance, and why does the distinction matter for your APC?

UK GDPR is a legal framework governing how personal data is collected, used and retained. Cyber security is the operational discipline of protecting all data and systems — including non-personal information such as BIM models, valuation reports and tender prices — from unauthorised access or disruption. The two overlap: a cyber breach may trigger GDPR notification obligations if personal data is involved. But a ransomware attack encrypting commercially sensitive project files raises cyber security issues even if no personal data is affected. Assessors expect candidates to treat them as related but distinct.

Q (Level 3) A ransomware attack has encrypted your firm's server overnight. Walk the assessor through your response.

Immediate containment: isolate affected devices, disable remote access, and engage IT support or an incident response specialist. Identify the scope: which systems are affected, what data is involved, and whether personal data has been exfiltrated rather than merely encrypted. If personal data is at risk, notify the ICO within 72 hours and affected individuals where the risk is high. Report to Action Fraud and notify the PI insurer. Do not pay the ransom without legal and insurer advice. Activate the backup and recovery plan using the most recent clean backup — applying the 3-2-1 rule (three copies, two media types, one offsite or cloud). Once restored, run a post-incident review, update the risk register, and deliver refresher training.