Cybersecurity isn’t something traditionally associated with the construction industry. But, as the industry moves forward, it’s no longer just a case of making sure offices and building sites are secure from thieves.
Construction software specialist Viewpoint takes a look at everything you need to know about information security in the construction industry.
Whether you are in the construction industry or not, you are likely to be aware that cybersecurity threats are on the increase, with the worst cases featuring in the media with alarming regularity.
Lower-profile issues impacting smaller companies rarely make headlines, which could lure you into the misconception that data breaches only affect the big corporations. However, the Verizon Data Breach Investigations Report (DBIR) noted that 43% of cyber-attacks in 2019 were targeted at small businesses.
As the construction industry moves forward, rapidly embracing new technology almost every day, the risks are becoming more pervasive. It’s no longer just a case of making sure offices and building sites are secure from thieves.
The digitisation of the construction industry now means vast amounts of highly sensitive data, including building models, documents, drawings and personal data, are being processed, stored and shared. Industry processes are increasingly built on software systems and rely on the availability of those systems to ensure swift communication and auditable records. Outages and data breaches can have severe consequences, among them business interruptions and the loss of revenue, time and productivity, operational stability, and brand equity.
The increase in highly sensitive data has required more attention and action. The construction industry, after lagging behind for many years, saw an increase in spending on cybersecurity of 188% in 2018-19, according to government data analysed by Specops Software. Increased spending is positive news, but ultimately a well-thought-out risk mitigation strategy is key to minimising exposure.
Cybersecurity is no different from any other approach in business; there isn’t a gold-standard way of doing things that will work across all companies and industries. Your strategy needs to be appropriate to the size of your business and the potential risks you may encounter. That said, we will look at the actions you should consider taking as a starting point.
Certification by independent authorities is a good way to increase your own confidence and minimise risks. For example, the UK government’s National Cyber Security Centre (NCSC) offers the Cyber Essentials scheme, which provides a solid framework to assess your cybersecurity defences and gain a certification that will help protect your business against threats. Importantly, it will also give you, your staff, suppliers and customers a level of confidence in your commitment to cybersecurity. The basic certification can be achieved with as little as £300 investment (at the time of writing).
A more comprehensive certification, called ‘Cyber Essentials Plus’, is also available. This is a more in-depth assessment that involves auditors visiting your site and testing your internal assets. Initial attempts to meet the standard should not be seen as failures but rather as a way to uncover weaknesses and improve. Knowing where your weak points are is part of the path to improvement. It’s important to keep going.
Certifications under Cyber Essentials last a year, and you will need to be re-certified to help ensure your cyber defences are kept up to date, further demonstrating your ongoing commitment. The five technical controls within the basic scheme, when implemented, help protect your organisation from a majority of common cyber-attacks and tighten security. These five basic controls are firewalls, secure configurations, user access control, anti-malware and phishing.
If you already have these certifications, it may also make sense to attain internationally recognised certifications, but note that these require significant investment and ongoing commitment. Two examples are:
- ISO 27001 – ISO/IEC 27001 is widely known, providing requirements for an information security management system. Using this enables organisations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
- SOC 2 – SOC 2 defines criteria for managing customer data based on five “trust service principles” — security, availability, processing integrity, confidentiality and privacy.
Another important aspect to consider is your supply chain. The old adage about a chain only being as strong as the weakest link holds true. Importantly, when choosing a partner or supplier — especially those that will be entrusted with key processes or data — it’s vital to make sure they take information security seriously. In one example from several years ago, retailer Target was the subject of a breach where hackers compromised network login credentials from a third-party vendor — an HVAC subcontractor that had done work on a number of Target stores.
Often the simplest way to verify a supplier is to ask for proof of their certifications to the key cybersecurity and information security standards. Furthermore, ask if THEIR suppliers or subcontractors are certified because you will want to be able to ensure security across the length of the supply chain.
Selecting a technology vendor you can trust
As highlighted in this blog, cybersecurity matters for businesses of any size and is becoming vital in the construction industry as companies need to protect their highly sensitive data. The number of attacks also continues to rise, with insurer Hiscox noting that more than 60% of companies reported one or more cyber-attacks in 2019 compared with 45% in 2018. In line with that, average losses resulting from cyber breaches shot up by 61% from £176,000 to £283,722.
It is vital you select a vendor that is trusted to deliver products that are certified when it comes to security. Viewpoint UK has recently been awarded the Cyber Essentials Plus certification, further adding to its existing security certification portfolio. Viewpoint For Projects (VFP) is Viewpoint’s cloud-based document and information management solution that enables you to share, control and collaborate on project documents with dispersed project teams. One thing that gives Viewpoint a competitive advantage in the software market is its certifications, together with the security and certifications of its supply chain. The below highlights our commitment to delivering secure products across our entire supply chain.