The impacts of a successful cyber-attack can be wide-reaching and long-lasting, wreaking havoc on emails, systems and accounts. For a smaller business, particularly one with no resilience in place to respond and recover, these attacks can be crippling. In recent years, construction companies have been some of the most targeted by cyber criminals, and unfortunately the nature of construction as a practical business means they are also some of the least prepared.
Why are construction firms a target?
As is the case with almost all businesses these days, technology is integral to construction. Not only is there an increasing convergence between operational technology (OT) and information technology (IT), but construction firms work between various mobile spaces, moving information across offices and jobsites. The collaboration between builders, engineers, surveyors, architects and various others as they work towards a finished project means there exists an intermeshed web of potential doorways for criminals to exploit if proper cybersecurity practices are not enforced.
Whilst construction companies do not store vast amounts of financial information like a bank would, they still hold and process data that is considered valuable to criminals. Further to this, the reliance of these firms on their relationships with suppliers and sub-contractors means that making high-value payments and transfers is a regular work practice. This can be exploited to the advantage of criminals, who use clever social engineering methods to trick employees into making fraudulent payments or providing them with administrative access to systems.
Despite these firms being a target, cybersecurity is often a neglected consideration, particularly within smaller companies. Whereas other sectors such as banking and healthcare have had cyber regulations and recommendations imposed on them, construction companies have not. This means that good standards of practice are not being enforced across the industry and many firms are unaware of what they should be doing to protect themselves and prepare for an attack.
Further to this, without a clear understanding of the threat landscape, there is no clear motive for business owners to invest in improving their cyber hygiene. After all, why would you choose to spend money replacing your computers that are ‘obsolete’ in terms of their security, when they still fulfil their day-to-day purpose fine? If you’re running a one-man company, or employing a small number of people, why would cyber security even cross your mind? Unfortunately, being relaxed about cyber security or, as is the case for many, being unaware of the risks and realities of today’s cyber-crime landscape, is leaving many construction firms as easy targets for criminals.
What can a cyber attack look like for a construction company?
The biggest cyber threats towards construction firms come from phishing, ransomware, and data theft.
Ransomware is a form of malware that wreaks absolute havoc on a company. Commonly, attackers will encrypt vital devices and files, holding them hostage for a sum of money. Once paid, they may release whatever is held, although there is no guarantee of this. Additionally, once your data and devices are released, there is still nothing to stop whatever was accessed being stolen and published onto the dark web. Ransomware is often delivered via phishing, where malicious links and attachments are embedded in emails that are disguised as legitimate requests from familiar organisations.
What is Cyber Essentials and what does it do?
Cyber Essentials is a government-backed scheme that assists businesses with putting technical controls in place that protect their organisation from cybercrime. At its most basic level, it is a checklist to follow that helps you defend against common cyber threats such as malware, ransomware and phishing. The end result is a certification that leaves your partners, customers, and client base assured in the knowledge that you have considered the cyber security of your company, identified any existing vulnerabilities, and worked proactively to address them. Most cyber-attacks target those businesses that do not have basic technical controls in place. These technical controls are the ones that you must have to be Cyber Essentials certified. Whilst this does come at a small cost to your business, it is very affordable, and a fractional investment in comparison with the potential costs of a cyber-attack.
How can the ECRC help?
Becoming a free member of the Eastern Cyber Resilience Centre ensures that you are supported in making the small changes that make the biggest difference.
As part of your membership, you become enrolled onto our ‘Little Steps’ programme: a weekly email series giving you steps to improve your cyber resilience, delivered in a way that is digestible and accessible to a non-technical audience. For those looking to become Cyber Essentials certified in the future, following this series will leave you compliant with many of the criteria. This allows you to improve your cyber security in increments, which is ideal for businesses working on busy schedules and juggling various priorities.
If you decide to go through with becoming Cyber Essentials certified, the ECRC have several Cyber Essentials Partners who are able to facilitate the accreditation process. However, there are companies all over the UK that can do this for you and there is no requirement to use one of our partners.
Additionally, the ECRC also offers various affordable student services, designed to help you assess, build and manage your online networks. Delivered through Cyber PATH, these services can help those who feel unaware of their potential vulnerabilities online and assist with developing the right strategies to respond to potential incidents in the future.
If you are unsure or simply want to know more about cyber resilience and what we do at the ECRC, why don’t you book a chat with us today?
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.
Reporting a cyber-attack which isn’t ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).