After all, the industry's focus is on physical work with bricks and mortar. Surely digital activity is fairly minimal and unlikely to attract cyber criminals - isn't it?
Here at the Eastern Cyber Resilience Centre, we have seen that the construction industry has shown a significant reliance on technology over the last decade. There have also been seismic shifts in relation to project delivery and how organizations operate. From office operations to activities on-site, technologies such as cloud storage, email and smartphones are commonplace.
Digital tools, such as Building Information Modelling (BIM), are becoming increasingly commonplace at the design stage, along with technology such as 3D-printing, remote building monitoring systems, brick-laying robots, and other automated techniques. It is clear that the sector is operating in a modern, digitized and connected way.
But as the industry progressively embraces modern technologies it cannot afford to ignore the corresponding risks.
If unmanaged, cyber risk ultimately threatens to outweigh the benefits gained from continued technological advances. It is a common misconception that because the industry doesn't regularly deal with personal data, it is not a target for cyber criminals. Unfortunately, this is not the case. The industry presents a wide range of attractive opportunities for cyber criminals.
From controlling critical services, to the theft of trade secrets, there are many reasons that a construction sector organization could fall victim to cyber-crime. Tracking cyber incidents can be tricky, especially as a lot of incidents still go unreported. And while the construction sector may experience cyber-crime, unless a breach conforms to strict reporting requirements, the majority will not be publicised. This lack of knowledge-sharing can lead to underestimates of the true nature and scale of cyber exposures. If the industry is unaware of common vulnerabilities, it presents low-hanging fruit for cyber criminals.
The average cost of a data breach currently sits at nearly four million US dollars.
Imagine, for example, that your entire library of CAD drawings was encrypted and ransomed, or simply deleted.
What would it cost to recommission and replace them all?
Then, add the wide range of associated business interruption costs, such as delays to on-going projects and employee overtime.
You then begin to see the true impact of a potential cyber incident.
How are the Government helping?
The government and the Eastern Cyber Resilience Centre fully understand the critical place that construction fills within the UK and regional economy, and the vulnerabilities that the sector now faces. To meet these challenges, they have created a new sector-specific guidance package which can be accessed here: Cyber security for construction businesses - NCSC.GOV.UK
This simple guidance package is the first-ever cyber security guidance aimed at the UK construction industry, issued by GCHQ’s National Cyber Security Centre.
Due to online threats facing the sector, the NCSC advises firms that cyber security measures are as vital as wearing a hard hat on site.
The guidance has been launched in association with the Chartered Institute of Building and is aimed at small and medium-sized construction businesses.
We fully support the guidance package and would recommend that all construction businesses take the time to read it and carry out the activities recommended within.
But this is just the start of your cyber journey, and we would also recommend that you look to adopt the Cyber Essentials accreditation.
So, what is Cyber Essentials?
Cyber Essentials is a simple and effective Government-backed scheme, supported by industry experts and the Cyber Resilience Centre Network, which will help you put measures in place to protect your organisation against a range of the most common cyber-attacks. This includes protecting against threats such as malware, ransomware, and phishing. Read more here: Cyber Essentials & Plus Training & Certification | ECRC (ecrcentre.co.uk)
A company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks.
The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. But all is not lost.
So, what can I do?
Here at the centre, we would advise you to do three things now:
Join our free core membership by clicking through to https://www.ecrcentre.co.uk/core-membership-sign-up. You will be supported through implementing the changes you need to make to protect your business and your customers through the free Little Steps pathway.
Read the Cyber security for construction businesses guidance - Cyber security for construction businesses - NCSC.GOV.UK
We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf.
Further guidance & support
The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.
Policing led – business focussed.