Industry Insight No. 19: Cybersecurity and the construction industry
This article was first published on Lexis®PSL Construction on 11 August 2017.
Construction analysis: Sarah Schütte of Schutte Consulting Limited looks at the relevance of cybercrime to the construction industry, why the industry is particularly vulnerable and the steps organisations can take to avoid attacks.
What is cybercrime and what is its relevance to the construction industry?
Cybercrime comprises the illegal activity carried out by hackers for financial gain. It is a major area of concern in the UK construction industry—an economic workhorse worth £110bn per annum and contributing 7% of GDP. Some sobering statistics:
• In its National Security Strategy 2010, the UK government recognised cybercrime as a ‘tier one security risk’;
• The construction industry is the second hardest hit industry for cyberattacks in the UK, after the pharmaceutical and biotech industry, according to designingbuildings.co.uk, which tracks industry trends;
• A Home Office study, Crime against businesses: findings from the 2015 Commercial Victimisation Survey, found that in 2015 15% of construction businesses reported 77,000 incidents of online crime (71% were computer viruses and 10% hackers);
• The economic impact of cyberattacks on the construction industry is c. £1.7bn (compare with industrial espionage, which accounts for £20m), according to Net Losses: Estimating the Global Cost of Cybercrime, a report by anti-virus software developer McAfee.
Putting these statistics into context, the cost of cybercrime in the UK in 2016 was c. £29bn, according to business internet service provider Beaming. Globally, the cost of cybercrime is currently estimated at £400bn.
What are the common types of cyberattack?
Spear phishing remains the most frequently occurring type of cyberattack. It is a scam email that appears to come from one of your contacts, only it does not: the sender address is a clone of one of your contacts' addresses. Spear phishers use it as a means of extracting private data and information from the individuals they target.
Recent examples of spear phishing in the construction industry include:
• Finnish crane maker Konecranes lost £19.2m when a hacker used identity theft to coerce a foreign subsidiary into making unwarranted payments;
• Japanese equipment manufacturer Komatsu was attacked when a cybercriminal created a clone of the company’s website, asked people for private information (ie personal data) and used it to apply for false employment opportunities;
• US-based giant contractor Turner Construction was a prime target of a spear phishing scam that affected all employees in 2015. An employee submitted individual tax information to an account which was a fraudulent clone of a real account.
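The common thread in the cases above is a sender address that imitates a genuine contact. One defensive check a mail gateway or mailbox rule can make is to compare each inbound sender against the organisation's address book and flag two patterns: a known contact's display name attached to a different address, and a domain that differs from a trusted domain only by lookalike characters or a couple of edits. The Python below is an added example written for this article, not code from the article or from any of the companies named; the contact list, lookalike table, thresholds and sample headers are all constructed for illustration.

```python
"""Flag inbound From headers that imitate a known contact (constructed example)."""
from email.utils import parseaddr

# Constructed address book: display name -> genuine address.
KNOWN_CONTACTS = {
    "Jane Smith": "jane.smith@example-builders.co.uk",
    "Accounts Payable": "accounts@example-builders.co.uk",
}

# Character sequences that look alike in common fonts. Assumption: this short
# table is enough for the demonstration; a real deployment would use a fuller list.
LOOKALIKES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise(domain: str) -> str:
    """Lower-case a domain and fold lookalike sequences to their plain form."""
    d = domain.lower()
    for fake, real in LOOKALIKES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'display-name-spoof', 'lookalike-domain' or 'unknown'."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    name = name.strip().lower()
    known_addrs = {a.lower() for a in KNOWN_CONTACTS.values()}
    if addr in known_addrs:
        return "trusted"

    # Pattern 1: the display name of a known contact, but a different address.
    for contact_name in KNOWN_CONTACTS:
        if name == contact_name.lower():
            return "display-name-spoof"

    # Pattern 2: a domain that is a near-copy of a trusted domain.
    domain = addr.rpartition("@")[2]
    known_domains = {a.rpartition("@")[2] for a in known_addrs}
    for kd in known_domains:
        if domain and domain != kd:
            if normalise(domain) == normalise(kd) or edit_distance(domain, kd) <= 2:
                return "lookalike-domain"
    return "unknown"


# Constructed sample headers, as a gateway might see them.
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@example-builders.co.uk>",
    "Jane Smith <j.smith@webmail.example>",
    "Accounts <accounts@exarnple-builders.co.uk>",
    "Accounts <accounts@example-bui1ders.co.uk>",
    "Bob Jones <bob@unrelated.example>",
]


def scan(headers=SAMPLE_HEADERS):
    """Classify each header; returns a list of (header, verdict) pairs."""
    return [(h, classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in scan():
        print(f"{verdict:20} {header}")
```

The distance threshold of 2 is deliberately loose and will over-flag very short domains, so in practice the verdict should feed a quarantine or warning banner for human review rather than an automatic block, and it should sit alongside, not replace, SPF, DKIM and DMARC checks on the same message.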
Why is the construction industry in particular vulnerable to attacks?
In my opinion and experience, there are five main reasons:
• The increased use of cloud-based services, including shared project information hubs and planning software (such as project portfolio management (PPM) and building information modelling (BIM) software), is driving huge new efficiencies. However, research shows these services are vulnerable to attack by hackers because they are accessible over the internet;
• The construction industry uses, develops and relies upon intellectual property and proprietary information such as drawings, plans, schematics and methodologies for delivering projects;
• Post-handover, the user operates the facility with reference to operation and maintenance (O&M) manuals, which are often stored online;
• Modern buildings contain security systems or building management systems (BMS) which, if compromised, could require the user to shut down operations to preserve health, safety or security;
• As in all businesses, wider corporate information, such as employee, corporate, banking and financial data, is also vulnerable to attack.
What steps can organisations take to prevent cyberattacks?
Here are some easy and practical tips to keep you and your clients safe:
• Keep systems up-to-date;
• Secure your WiFi;
• Educate staff and have an internal policy;
• Implement ISO 27001 (discussed below) to ensure you are following the necessary policy and procedures to safeguard against security breaches;
• Educate your finance team on spear phishing and other online threats;
• Make sure you have account security solutions in place on each device;
• Install real-time protection software, such as an anti-virus, with up-to-date malware definitions;
• Implement incident response plans and proper procedures in the event of a cyberattack.
What is ISO 27001?
ISO 27001 is the international best practice standard for information security. It covers people, processes and technology. Certification to ISO 27001 demonstrates that an organisation has deployed a top-tier, certifiable information security management system which provides 24/7 risk monitoring and identification. It includes the following benchmarked criteria:
• Encryption of personal data;
• The ability to restore personal data swiftly and efficiently in the event of a physical or technical incident;
• Assurance as to the confidentiality, availability and integrity of processing systems and services;
• Periodic assessment and testing of the effectiveness of security processing measures and protocols;
• Independent audit of the organisation's information security management system (ISMS), through which the security of data is managed;
• Preparation for the forthcoming General Data Protection Regulation, Regulation (EU) 2016/679 (article coming soon!).
ISO 27001 is integral to ensuring businesses are prepared for a cyberattack, which is a ‘when’ not an ‘if’. Construction sector organisations of all shapes and sizes should seriously critique their systems (perhaps with independent, expert help) and consider implementing it. The benefits include:
• Help in preventing cybercrime;
• Protection of a valuable asset (ie data);
• Giving users of your services confidence in your use of their data;
• Reduction of corporate risk;
• Financial savings in dealing with a security breach;
• Preparation for the GDPR;
• Integration into all areas of business operations, as everyone can be affected by cybercrime.