As the use of technology in construction grows rapidly, there is a very real danger that a lack of investment in protection is leaving projects and companies exposed – and cyber criminals are taking note.
A recent Government survey identified that over a third of business in the UK had experienced a cyber breach in the last year but only 33% have cyber security policies in place.
A report from the Department of Health noted that the WannaCry cyber attack on the NHS cost the organisation £92 million and was largely blamed on the use of old software systems that had simply not been updated.
The growth of BIM has had a dramatic effect on modern construction and is expected to have been adopted by 90% of the companies in the next three to five years. As a computer based control system, it allows shared access for contractors and creates a central repository for huge amounts of data.
It doesn’t take an expert to understand the effect of an attack on a large construction project if information and control systems are closed down for days or weeks or designs amended without signoff from the design team. That’s why it is surprising that two thirds of companies have no cyber security policy in place to mitigate the risk, leaving themselves incredibly vulnerable.
In an industry where risk is carefully managed it would be interesting to know how often cyber security is identified and reviewed on project risk registers.
Cyber criminals see the potential for success in targeting construction because the combination of extensive document sharing using cloud services and a supply chain of many third parties makes it attractive.
While most businesses now have at least basic firewall and network security, the majority of attacks are phishing or social engineering based, or simply employee negligence.
Although most now have technical IT measures in place to secure networks, they need to recognise that humans are always the weakest link. A human has to make the decision to invest (or not) in solutions that mitigate risk and commit the business to maintaining a secure environment. You can have as many steps in a technical authentication process as you like, but how can you legislate for the staff member who clicks a link in a sophisticated phishing email or plugs an infected USB stick into a network device.
Every project needs to have a minimum IT standard for all of the supply chain, along with a digital risk assessment that is reviewed on an ongoing basis. That will take care of the technical aspect, but it should also be supported by a clear staff policy promoted to everyone involved in the project with continuous education and awareness programmes.
Hopefully it won’t take a successful cyber attack on a high profile construction project for the sector to recognise that a robust cyber risk management programme should be at the top of the agenda on every project.