Cyber attacks are on the rise, and the construction industry as a whole appears to be taking a lax approach to cyber-security. Paul Shillcock, MD at Operam, and Chris Waynforth, area vice president – northern Europe at Imperva, believe the ISO 19650-5 guidance will help the industry to combat this clear and present danger.
Today every business is a digital business, regardless of industry or sector, with valuable information that makes them a potential target for hackers and insider threats. While the threats to construction companies might not be as obvious as they are to financial institutions or retailers, they are very real, as the latest guidance in ISO 19650-5 makes clear.
The complexity of modern construction projects has made the need for coordinating information and the use of a common data environment (CDE) far more important, enabling greater collaboration and efficiency between clients and their delivery teams. As a result, information relating to sensitive assets and critical infrastructure is exchanged every day across a vast, often international, supply chain.
More than a third of construction-related companies still treat cyber-security as a lesser business priority. – Paul Shillcock, Operam
Such information, if lost or stolen, could create huge financial and reputational damage for dozens of companies at once, not to mention risk the safety of the people who operate and use those assets. Yet most organisations have poor or non-existent information security processes and technology in place.
An easy target
Cyber-criminals are like electricity – when it comes to finding a target, they want one that offers the path of least resistance and unfortunately, most construction companies are currently very appealing targets.
The latest government cyber security breaches report found that more than a third (36%) of construction-related companies still treat cyber-security as a ‘lesser business priority’, while only a fifth (20%) have a board member responsible for cyber-security.
Most worrying of all, nearly two-thirds (35%) have failed to carry out any basic activities to identify cyber-related risks such as investing in monitoring tools or carrying out penetration testing. All of these figures are significantly below the national average and present a picture of an industry that is consistently downplaying the importance of its digital assets.
Who’s hiding in your supply chain?
This casual attitude to cyber-security essentially lays out the welcome mat to hackers, especially when exchanging information with dozens – potentially hundreds – of partners and suppliers. Some of the biggest breaches in history happened because of weak controls at subcontractors or privileged vendors, so while large Tier 1 companies might have decent protections in place, the chances are most of their supply chain do not.
As a result, if cyber-criminals managed to get into the network of a small supplier, they could most likely access a wealth of information relating to the design, construction or operation of critical infrastructure and hold them for ransom. Such scenarios could impact the delivery or operation of the asset while potentially causing catastrophic financial damage, not to mention long-term reputational harm.
And the threat is increasing: ransomware attacks are on the rise, with the head of GCHQ’s cybersecurity arm branding it a bigger threat to the UK than hostile states. Partly this is because the barriers to entry are dramatically lower than before. Today, novice hackers can buy tools to aid them in creating a ransomware attack for as little as $10 online. This has helped create a tidal wave of attacks, with numbers up by 150% in the last year, alongside a 300% spike in how much victims are being forced to pay.
What does a security-minded approach look like?
The problem for organisations is that getting a handle on information security is a huge challenge. Even smaller companies have information scattered across so many locations – in the cloud, on personal laptops, on USB sticks, for example – that it can feel like an impossible task to get control of it all.
One mistake many organisations make is to try to cover everything at once. – Chris Waynforth, Imperva
One mistake many organisations make, especially asset owners, is to try to cover everything at once. Instead, by adopting processes such as ISO 19650-5, organisations can put in place a clear strategy, plans and requirements for security-minded information management: identifying which assets are deemed sensitive and ensuring the associated information is adequately protected.
Beyond that, companies need to know that the information they are responsible for is safe, especially when it’s outside of a CDE. This means taking preventative steps such as deploying auditing and security monitoring tools on any local environment where sensitive information is stored or produced and doing routine information discovery checks.
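The "routine information discovery check" mentioned above can be as simple as a scheduled scan that finds sensitive files and reports any that have drifted outside the common data environment (CDE). The script below is an added illustration, not code from Operam, Imperva or ISO 19650-5. It assumes a tagging convention in which sensitive documents carry a `SECURITY-CLASSIFICATION: SENSITIVE` line at the top, and that the approved CDE is a known folder; the sample file tree it builds (a drawing inside the CDE, a copy on a laptop, some non-sensitive notes) is constructed for the demonstration.

```python
"""Routine information discovery check (added example, not from the article).

Walks a directory tree, finds files that carry a sensitivity marker, and
reports which of them sit outside the approved CDE folder. The marker
convention and the folder layout are assumptions made for illustration.
"""
import os
import tempfile
from pathlib import Path

# Assumed convention: sensitive documents start with this classification line.
MARKER = "SECURITY-CLASSIFICATION: SENSITIVE"


def is_sensitive(path):
    """True if the first line of the file carries the sensitivity marker."""
    try:
        with Path(path).open("r", encoding="utf-8", errors="ignore") as fh:
            return MARKER in fh.readline()
    except OSError:
        # Unreadable files are skipped; a real scan would log them for review.
        return False


def discover(root, approved_cde):
    """Scan `root` and bucket sensitive files by whether they live under `approved_cde`.

    Returns {"in_cde": [...], "outside_cde": [...]} with paths relative to root,
    sorted for stable reporting.
    """
    root = Path(root).resolve()
    approved_cde = Path(approved_cde).resolve()
    report = {"in_cde": [], "outside_cde": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name).resolve()
            if not is_sensitive(path):
                continue
            rel = path.relative_to(root).as_posix()
            bucket = "in_cde" if path.is_relative_to(approved_cde) else "outside_cde"
            report[bucket].append(rel)
    for bucket in report:
        report[bucket].sort()
    return report


# Constructed sample tree: one tagged drawing in the CDE, one tagged copy
# that has leaked onto a laptop, and two files that are not sensitive.
SAMPLE_FILES = {
    "cde/drawings/site-plan.txt": MARKER + "\nPlant room layout, level B2\n",
    "laptop/export.txt": MARKER + "\nCopy taken for a site visit\n",
    "laptop/notes.txt": "Meeting notes, nothing sensitive\n",
    "usb/photos.txt": "Progress photo index\n",
}


def build_sample_tree(base):
    """Write the constructed sample files under `base`."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(base, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


def demo():
    """Build the sample tree in a temp dir and run the discovery check over it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return discover(tmp, Path(tmp, "cde"))


if __name__ == "__main__":
    result = demo()
    print("Sensitive files inside the CDE:  ", result["in_cde"])
    print("Sensitive files OUTSIDE the CDE: ", result["outside_cde"])
```

Run on a real estate of laptops or file shares, the `outside_cde` list is the actionable output: each entry is a sensitive document that has left the controlled environment and needs to be either moved back, deleted, or justified. Pointing `discover()` at a mounted USB stick or a user's home directory is the same call with a different `root`.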
Equally important, businesses need to create rigorous processes for checking the security credentials of suppliers, including auditing their cyber-security framework before and throughout the project as well as verifying they have proper cyber-liability insurance in case the worst happens.
Finally, it is essential to put in place a comprehensive security breach/incident management plan to address a breach or cyber-attack that also covers subcontractors’ activities or negligence.
Building a security-minded approach
The nature of cyber-threats is evolving rapidly, and the slower the construction industry is to react, the more attractive it becomes to hackers. With BIM becoming ever more important to businesses across the supply chain, everyone needs to make sure they are championing a security-minded approach, not just internally but with partners, vendors, and subcontractors too.
Fortunately, there is a wealth of information and resources out there, such as ISO 19650-5, which can provide the foundations on which to build an effective security strategy that reduces the risk of attack as well as minimising the damage should a breach ever occur. Right now, the industry is at risk of falling behind, but with a few simple steps, firms can put in place the processes to prevent disaster.