In recent years, several high-profile cyber-attacks and data breaches have hit UK- based construction companies, proving cyber incidents to be an increasing threat to the industry. Bam Construct, Interserve and Safestyle UK were just some of the victims that made the news, after facing losses that reached millions of pounds. Cyber-attacks in any form present major operational, financial, legal, and reputational problems, making cyber resilience an essential consideration for every business.
The UK government’s Cyber Security Breaches Survey for 2023 found that whilst construction companies are one of the most likely sectors to fall victim to Cyber-facilitated fraud, they are also one of the least likely to have suitable cybersecurity controls in place. This is particularly relevant for SMEs, who may have never considered themselves a target for this sort of crime. However, with adequate prevention, protection and preparation, construction companies can consider their vulnerabilities and take several steps to mitigate the potential damage caused by a future cyber-attack.
What does good cyber security look like in the construction sector?
For SMEs in particular, cyber security can seem like a daunting issue. Smaller companies may not have the assets or need to outsource their cybersecurity; however, statistics show that small does not equal safe when it comes to cybercrime. The National Cyber Security Centre has partnered with the Chartered Institute of Building to create guidance titled ‘Cyber Security for Construction Businesses.’ This details some of the simple steps that will protect SMEs from the most common cyber-attacks and limit any potential damage. The topics covered in the guidance include backing up data, protecting equipment from malware, keeping phones and tablets secure, using strong passwords, navigating phishing, collaborating with suppliers, and being prepared for the possibility of an attack.
How would an FSWA fit into this?
In addition to the simple steps laid out in the NCSCs guide for construction companies, it is important to make sure your online assets, such as websites, are also secure and not causing any vulnerabilities.
For a smaller organisation, one good option is a First Step Web Assessment (FSWA), one of the affordable services offered by the ECRC. It is a fixed cost service, and a £30 discount is available to charities and micro-organisations. Compared to other forms of vulnerability assessment, it is a light-touch option, making it ideal for companies who would like a general overview of their website security.
The first action a threat attacker would take before targeting a business is reconnaissance, looking for any markers of vulnerabilities they could exploit. The FSWA uses passive and active techniques to examine your website as a criminal would to search for these vulnerabilities. The passive techniques are those which gain information about the website without actively engaging with it, whereas the active techniques include using automated scans to identify vulnerabilities at a high overview level.
The elements assessed by the FSWA include:
• Domain and DNS records
• SSL Certificates
• Email protections
• Security Headers
• Outdated components
• Directory discovery
• Sensitive data exposure
• Vulnerabilities shown through automated scan
At the end of the assessment, you receive a short, non-technical report explaining any risks to the site, as well as mitigation measures you can take to reduce these. This allows you to improve your security and encourages further discussion on additional steps you can take to keep your business secure.
For SMEs, the FSWA is a good option because it keeps the cost to a minimum and is the perfect starting point for those who have not considered their cyber security in detail. It is one of several affordable services provided by the ECRC, the others including Security Awareness Training, Internal Vulnerability Assessments, Corporate Internet Investigations and Security Policy Reviews.
The cost of these services is kept to a minimum to be accessible for SMEs, which is made possible by the fact that they are delivered by students employed by Cyber Path. Through Cyber Path, university students are trained and mentored by senior ethical hackers, to deliver a selection of services and work with staff to build their cyber awareness. This not only benefits the organisations they are helping, but also supports the cyber talent pipeline, giving future industry leaders invaluable hands-on experience.
What should I do now?
Joining the Eastern Cyber Resilience Centre for free is a great first step for those wishing to improve their cyber resilience and bolster their knowledge. As part of your free membership, you become enrolled onto our ‘Little Steps’ programme; a weekly email series giving you steps to improve your cyber resilience, delivered in a way that is digestible and accessible to a non-technical audience. This will help you to implement some of the guidance from the NCSC’s ‘Cyber Security for Construction Businesses’ in increments, allowing you to grow your cyber resilience over time.
Additionally, there are many free resources available that can be accessed here on our website. For example, ‘Exercise in a Box’ was created by the NCSC as a preparation tool for businesses, enabling organisations to find out how resilient they currently are to attacks, and piloting their response to various threat scenarios in a safe environment. The NCSC also have other free resources and frameworks such as their ‘Cyber Action Plan’ and ‘Small Business Guide,’ all of which deliver up-to-date, accessible guidance on staying safe and informed against cyber-crime.
If you are interested in finding out more about how an FSWA could help you, or simply want to know more about cyber resilience and what we do at the ECRC, why don’t you book a chat with us today?
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which is not ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050)