How switched on is the UK construction industry to its role in the fight against cyber-attacks? Emma Roe, Partner and Head of Commercial at law firm Shulmans, takes a look
With the prevalence of ransomware attacks regularly dominating the headlines, what does the UK construction industry need to learn from the experiences of other sectors and how exposed is it in the world of cyber security?
Security breaches that expose critical data or cause catastrophic system failures can affect any business, but the proximity of construction businesses to critical and sensitive infrastructure projects makes this sector an obvious target for such crimes.
Businesses are understandably becoming increasingly interested in finding out how they can protect themselves from the risk of external cyber-attacks, but the security threat posed by internal breaches is potentially just as damaging and possibly harder to detect. It might come down to simple human error, weak password management or a disgruntled ex-employee having retained unauthorised access to sites and systems when they should not have done, and there is probably more scope for businesses to mitigate these areas of internal risk than those of the external variety.
With the imminent arrival of the General Data Protection Regulation (GDPR), and the implementation of the Security of Network & Information Systems Directive (NIS Directive), there is a step-change in legislation aimed at combatting businesses’ technological exposure, both external and internal. These new laws have clear expectations around compliance and confirm that protecting a business against the risks of cyber-attack does not just start and finish at an individual’s IT device – they also focus on protecting the physical buildings and infrastructure as a key component of technological risk mitigation.
Like many other sectors, the construction industry may feel a bit removed from the more consumer-facing worlds of data-heavy businesses. However, the risk posed by cyber-attack is just as real when you consider the value of security information associated with a building, and how vital that integrity is for buildings that function as key infrastructure locations – housing business-critical data, storage servers and the people who operate and maintain them. The NIS Directive, which was subject to a public consultation by the government that ended on 30 September, is designed to ensure that operators of key infrastructure, such as providers of electricity, transport, water, energy, health and digital infrastructure, have adequately protected their business and service provision against cyber-attack, as well as other risks.
The digital and culture minister, Matt Hancock, has commented that: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards.”
Increasingly, therefore, this type of site integrity and the solutions designed to protect such buildings from threats that include environmental hazards, IT and power failures, must be a key part of any construction project. In the same way that a business is required by the GDPR to be able to demonstrate how it protects itself against threats of unauthorised data access, the NIS Directive will require a physical level of protection.
Like businesses in other industries, those in the construction sector must be alive to the fact that they could play an unwitting role in providing a potentially easier route for cyber hackers into many different businesses. With access to its clients’ key sites and security information, construction businesses and those in property and facilities management who fail to protect against unauthorised access could find themselves the target of cyber-attack, not for their own data, but as a means of obtaining access into the businesses for which they work. Increasingly, clients will be asking what processes and checks are in place to ensure the contractor isn’t unintentionally providing an open back door to its key infrastructure data.
As so many recent cyber security breaches demonstrate, there is both a technological solution to this area of risk and a personnel solution. Clearly, ensuring firewall protection and software patches are kept up to date and actively maintained must be the groundwork of any effective cyber security strategy.
However, it is also worth thinking about internal training and talking regularly with staff about vigilance, not just on basic site security, but also about what to spot in the online and email side of their client interactions. Many of the risks in this space can be mitigated with improved staff awareness and training on how security breaches happen, what to look out for and how to act when faced with an authorised request for access or information transfers. As with so many compliance areas in the online world, technology alone cannot provide the solution to the cyber risk posed.
Emma Roe
Partner and Head of Commercial
Shulmans LLP
Tel: +44 (0)113 288 2817
Twitter: @ShulmansLLP