PCB Today speaks with José Pinos, head of security at Atech, about cyberattacks in construction and the approaches to take to prevent them
Construction is a sector with increasingly challenging margins; however, the industry has invested heavily in digitisation, which has created leverage for cost savings and efficiencies. On the technology front, the sector is making use of rapidly developing technologies around digital twins, and IoT (Internet of Things) is emerging as a way to improve the built environment, coupled with a longstanding proliferation of smart devices. It is fair to say that digitisation has also resulted in increasingly complex environments and a proliferation of endpoints.
Guidance for cyberattacks in construction
The guidance issued by the National Cyber Security Centre and the Chartered Institute of Building outlines the measures that are needed to create better data governance and stop businesses from being targets for cyberattacks in construction. The guidance, and acting on it, may however be out of reach for those who, like the mid-market in general, currently struggle with accessing technology skills. There is a huge cybersecurity skills shortage, and a challenging market to recruit in, meaning the mid-market struggles to attract or attain the skills needed to drive a robust and proactive security strategy.
With the strain that the construction industry has been under during the pandemic, it is no surprise that de-prioritised investment in security has contributed to statistics showing that 60%* of medium-sized firms have experienced a hack. The proliferation of devices is a real issue, especially considering that research shows that up to 77% of SMEs (Small and Medium-sized Enterprises) use insecure smart devices in work settings.
Cyberattacks in construction are increasing and getting more complex
The threat landscape is getting more complex, and attacks are increasing in sophistication and frequency. Firms must combat varied threats like DDoS (Distributed Denial of Service) attacks, phishing attempts, remote-access Trojans, and spyware, just to name a few. Moreover, ‘plug and play’ hacking tools are available to purchase for as little as £40 by cybercriminals, signalling that cybercrime is now a formalised industry.
Remote work means that organisations need to consider the risks posed by workers always being connected. Remote working has caused the perimeter to widen and grow porous from personal devices and unsecured networks accessing company assets. In assessing the cost of a breach, breaches where remote work was a factor cost businesses 24% more.
Recent data showed 60%* of medium-sized firms have experienced a hack, costing around £9,000 each time, and incidences of ransomware have exploded** since 2020. Worryingly, compromised IT systems are consistently under-represented in surveys.
The fact that an attack like WannaCry is now on its fifth anniversary tells us that old threats die hard, with malware by email still being the most common threat vector. But today the volumes of attacks are simply different from 5 years ago. A holistic threat detection strategy looks at the full spectrum of security events and illustrates the increased frequency.
“On one client tenant, we saw 34M events in the space of 30 days, generating alerts of 118 separate incidents – each of which needed to be categorised as high, medium, or low priority and remediated accordingly.” – José Pinos, Head of Security, Atech. This was in an organisation with 60 employees. The volumes are such that, without the right technology, it is not possible to respond, let alone be proactive.
Research suggests that, while 87%*** of compromises happen in minutes, 68% go undiscovered by IT teams for months. Up to 43% of those who experienced an attack needed new measures to stop future attacks. As attacks are changing, so should security strategies.
Being able to see the impact is a key part of understanding how your business’ security strategy can and must evolve. Gaining near real-time visibility of events empowers an organisation with insights that they can act on. Automated remediation backed with threat hunting means businesses can take action to protect data, and operationalise security, which means overcoming the skills gap within their existing IT team.
Planning for cyberattacks in construction
Implementing improved data security based on an operational security roadmap means that every improvement has a measurable impact on the business, and the admin burden is as low as possible. Digitisation presents an opportunity to transform the technology strategy so that it is implemented with cybersecurity at its core. These are the approaches to consider:
View security as a journey
Business leaders must evolve their view of security governance to an ongoing process. Traditional perimeter-based approaches are ill-equipped to deal with today’s threats.
Zero-trust mindset
Zero-trust networks are the new standard of security governance. The aim of this security model is to ensure no single employee or device has access to the whole network. In practice, IT teams establish Least Privilege Access and Privileged Identity Management solutions to control access to company resources.
Least Privilege Access allows employees to have access to the resources they need but no more, while Privileged Identity Management prohibits access rights from creeping up over time. Zero-trust network models also help combat vulnerabilities from employees’ own devices, public wi-fi networks or sign-in attempts from suspicious locations.
You could argue that Zero Trust is not just for an organisation’s environment – it is a mindset that needs to be adopted to deal with the current security landscape.
Mandate fraud works because supply chains in construction are complex, with multiple third-party contractors and sub-contractors. The work environment is fast-paced, there’s little time for checking that an invoice comes from a genuine supplier, the invoice is genuine, and the payee details are correct. The attack affects several parties, making its way up and down the supply chain. It is not limited to firms with immature digitisation and can be surprisingly difficult to intercept.
Start with data, then processes
After conducting an IT security audit, it can be difficult to decide on your most pressing cybersecurity priorities. Controlling access to and protecting your data is the most important aspect of your security governance plan.
Mandate fraud exploits some of the more traditional procure-to-pay processes being used by some firms. Something as simple as setting up email forwarding could open your firm to an attack. Digitising the procure-to-pay process with e-invoicing via an EDI (electronic data interchange) is recommended by some vendors to secure the process. Of course, EDI alone does not make for a security strategy.
It does, however, highlight how one of many data processes within a construction firm can be secured. It should also stimulate ideas about how creating an audit trail of how data moves around the business, and controlling who has access to that data, can do much more than introduce governance and protect against cyberattacks in construction.
A managed security service provider can build a solution that considers the way your business operates and what your business objectives are.
In addition to customer data, your firm may also hold intellectual property and information on legal matters that, if leaked, could affect your market position or brand. When this data is encrypted, even if hackers brute-force their way into your server or attempt a ‘man in the middle’ attack, your data cannot be interpreted or misused.
How to secure your data
You can secure your data using end-to-end encryption and multi-factor authentication. Each is a staple of security within a zero-trust model, helping to protect your data and prevent leaks.
End-to-end encryption encrypts your data at source, during transmission and upon arrival, ensuring your data is only readable and usable by those within your network who have permission to use it. Multi-factor authentication creates a multi-tiered sign-in process in which attempts to access your data are verified against multiple benchmarks, including passwords, biometric data or known devices.
You should also protect your data by staying up to date with the latest security patches and validating data inputs during access attempts.
Train employees for reliable security governance
Social engineering attacks do not necessarily have to rely on any technology at all. Phishing attacks alone account for 80% of business data breaches.
For this reason, it is crucial to train your staff on data security. By empowering your employees to identify and avoid threats, you can establish comprehensive security protections and limit the likelihood of breaches.
How to communicate security governance effectively
Senior leaders must be mindful when communicating the necessity of IT security monitoring to their employees.
Some employees may feel frustrated when suddenly having to request access to routine files and software tools just to perform their job. Others still may feel uncomfortable about having data logged on their computer activities.
You can demonstrate how easily data breaches occur by sharing examples of sophisticated spear-phishing. You can also convey the urgency for new tools to protect your business by highlighting the impact of data leaks on revenue generation. For example, 20%*** of organisations lose customers during cyberattacks, and 30% lose revenue during an attack. The impact on long-term revenue and brand reputation is clear.
By onboarding your employees to the new security plan, you can establish sustainable security governance standards across your entire organisation. Moreover, identity management and access-based tools can help streamline security protocols, so security does not cost productivity.
Cybersecurity is a dynamic environment, not a static achievement. Firms cannot rely on one-time IT security audits or updates, no matter how comprehensive, to establish the level of protection needed. A security strategy should be intrinsic to your IT strategy so that it can deliver on the business’s strategic objectives. Ultimately, improved security can be key to powering your growth.
References:
https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021
** https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
*** Risk Based Security Report, 2017; Cisco 2017 Annual Cybersecurity Report; Juniper Research Cybercrime & The Internet of Threats, 2017; Verizon Data Breach Investigations Report 2018
https://www.ncsc.gov.uk/blog-post/construction-businesses-understanding-the-cyber-threat
https://www.yorkshirepost.co.uk/business/why-construction-firms-are-being-targeted-by-online-criminals-3543238
*