In the last few years, a West Midlands based construction firm fell victim to a cyber-attack and they are not alone. There have been many high-profile cyber-attacks against the construction industry, showing how businesses of all sizes are of interest to cybercriminals. The industry is a leader in embracing and adopting digital ways of working and with this comes an increased risk of being vulnerable to a cyber-attack. As a result, it’s more important than ever that you do what you can to protect your business.

Man in high vis looking at tablet with digital drawings on screen

The National Cyber Security Centre’s recent cyber security guidance for the construction industry details that businesses in the industry, specifically need to take the cyber threat seriously for the following reasons:

• Construction businesses are seen by cyber criminals as an easy target, many of which have high cash-flows. Perhaps understandably, smaller, and mid-sized businesses have a ‘We’re only a small business, it won’t happen to us’ attitude towards cyber security, and are reluctant to invest time, money, and training into what they perceive an unlikely threat.
• The extensive use of sub-contractors and suppliers involving large numbers of high value payments makes construction businesses an attractive target for spear phishing, which is when attackers send a targeted email that’s pretending to be from a legitimate organisation, in an attempt to trick the construction business into paying money into a criminal’s account.
• Although construction businesses don’t store the same kind of financial information a bank does, they still store (and have access to) valuable data. Criminals could be looking for details about the company’s next bid (or building design) in order to gain an unfair advantage. Cyber criminals might be looking for sensitive employee data, like national security numbers, bank account numbers and payroll data, in order to engage in identity theft, or to craft realistic authentic-looking emails for phishing attacks.
• Even if you don’t lose money directly, a data breach (which is when information held by an organisation is stolen or accessed without authorisation) or a ransomware attack could cause a temporary shutdown of your business whilst the breach is investigated, and systems are recovered, as well as reputational damage with customers and partners. It could also leave you open to an investigation (and fines) from the Information Commissioner’s Office (ICO).

The digital windows, doors, and locks for your firm’s cyber security

There are 3 key stages to a construction programme or project that cybercriminals are interested in, they are design, construction, and the handover phrase. Each of these phases all involve extensive digital workflows, making them all a risk to your company.

The early stages of the construction process, such as the tender process, will generate for example, detailed quotes and signed contracts. A cyber-attack at this stage might prevent a business from being able to win current tenders for work, and impact on future opportunities. By implementing the guidance in this document, your business will be in a more secure and resilient position against cyber attacks. You’ll also find it easier to obtain related certifications (such as Cyber Essentials and ISO27001) which can demonstrate a degree of cyber maturity which some government contracts require.

You also need to consider how:

• You look after critical documents and data so that you have a system in place to receive, track and store electronic and paper-based documents.
• You train your employees on cyber security and communicate cyber security requirements with your employees, both on site and at any remote locations. The importance of - for example - wearing a hard hat, is self-explanatory. By contrast, explaining the danger of clicking on links within suspicious emails might be a harder sell, especially within a construction business where the IT function is less prominent.
• You would complete a cyber security risk assessment, much like your risk assessment would cover slips, trips and falls. You should add cyber security at the outset of the project as it allows you to identify what cyber security risks your business might face, and to build in precautionary steps you can take.
• You can secure construction sits and high-tech equipment such as drones and GPS equipment that create detailed models and visualisations. While some equipment may not be especially expensive to replace (for example a camera or GPS device), the data stored on them could be very valuable to a cyber attacker.
• You should consider how IT equipment used on construction sites differs from equipment in the office. For example, the premises themselves may be less secure, or they might be limited/no space to securely house your IT equipment.
• You would consider what personal data is stored on a construction site. For example, details of individuals and their emergency contacts, biometric data, and health and safety incident reports. Remember that this information is personal and covered by data protection legislation and should be protected accordingly.
• You would handover all installed building management systems to the client so that they can continue to secure the building and any digital-based systems it might contain (for example BMS, BACS, BEMS and IACS).

If you are a construction firm or supply products, materials or services to the industry and you would like to know how the Cyber Resilience Centre for the West Midlands could support your business, get in touch with us via www.wmcrc.co.uk/contact-us.