James Griffiths, co-founder and technical director at Cyber Security Associates warns that with the construction sector increasingly becoming a target of cybercriminals, firms need to be watchful of their supply chain security
Construction is big business, despite the looming recession. And it’s big business for cybercriminals too. High cash flows and complex supply chains of sub-contractors and suppliers all hold valuable customer data and are the equivalent of cyber gold.
In the last two years, construction firms, including Bouygues UK, Bam Construct and Interserve, have all been victims of a cyber-attack. At the end of 2021, infrastructure management firm Amey was hit after hackers used ransomware to access documents, including Government department correspondence. In October, Interserve was fined £4.4m by the ICO for its breach, caused by a phishing attack, which enabled hackers to steal the personal information of 113,000 employees. It’s a costly mistake if not adequately protected.
These figures demonstrate that no construction firm is immune to the kind of attacks we are seeing by cyber hacker groups, many of which expose weaknesses in the supply chain, one of the biggest risks to businesses overall. The latest Government annual Cyber Security Breaches Survey 2022 reported that only 13% of businesses had assessed their supplier cyber risks.
Further research has identified that construction has been named the fifth most at-risk industry for a cyber attack and is still not doing enough to prevent being hit in the future.
It’s easy to see why construction is a target. Firms often have complex supply chains, and many outsource key functions such as HR and finance to other 3rd party suppliers – all of which pose a huge risk.
Historically, contractors have focused on health and safety as a priority over cyber defences. But they must carry out due diligence and risk analyses on their supply chain the same way they stringently conduct regular health and safety risk assessments.
The acceleration of digital transformation across the industry has reshaped working practices and enabled teams to work more productively, collaboratively, and cost-efficiently. Yet it requires skills, practices and processes to manage securely.
Steps to take to protect your supply chain security
From a technology perspective, ensure that all systems have up-to-date malware protection, a policy ensuring strong passwords or backing up data via a cloud service. Set up multifactor authentication, and ensure that it’s turned on and enforced by all third parties and applications used.
Undertake a penetration test of the network at least every month, and, for those organisations with foreign links especially, they need to check that they’re patched and multi-authentication enabled. Staff are always aware of what is happening on the network and company devices. It’s no use having all these things in place if the activity isn’t monitored properly.
From a supply chain security perspective, construction firms need to start identifying and reviewing their supply chain, which is often much larger and more complex than most organisations realise. In the first instance, firms should review and ensure that all departments share who their supply chain suppliers are to have a clear view.
Next, undertake a business impact assessment which is important to highlight what the organisation has in its supply chain. Find out what is perceived to be your supply chain and what it is. Often, every team has its own perspective on this, and it’s important to check what is written into contracts. Map out what the business has in the chain, who the vendors are, who provided it and who has access. And not just the technology but the people and the processes within an organisation. Build out the supply chain information and map this to your critical applications.
Once this has been identified, ask what are the possible risk scenarios. What would happen if your 3rd party supply chain was compromised? What level of access could the intruders have? Also, think about the bigger chain – are there suppliers above your organisation in the chain? Most likely. Your organisation may not be the real target but a conduit to get to a bigger target. This is something that a lot of organisations fail to consider.
The digital supply chain
When looking at your digital supply chain, consider anything and anyone in it that has an online presence. Technologies such as GPS tracking, task management systems such as invoice and data management tools, barcodes, smart labels, location-based data and wireless sensor networks all play a part in a digital supply chain. While these technologies offer many benefits, if they are connected to a network or use the internet, there is a potential risk of opening the door to cyber criminals.
Many supply chains operate globally, which should be considered when sourcing third-party partners from other territories. Legislation around cyber security practices differs from country to country, so geographic location needs to be considered.
The NCSC has recently published guidance to help organisations assess their suppliers’ cyber security following the recent rise in supply chain cyber-attacks, which offers some helpful advice.
Are you cyber-insured?
According to the latest research from Aviva, more than one in three (34%) SMEs said they have no cyber insurance coverage, despite more than one in five (21%) having suffered a cyber incident or attack in the past 12 months.
Having cyber insurance is the best way for organisations to transfer the cost of an attack to an insurance company, but it has to be correctly in place. Due to the increasing regularity of cyber attacks, recent times have seen many insurance companies seeking guidance from cyber security professionals to update policy questionnaires and requirements and rejecting companies – some who have been customers for many years – unless they put more robust cyber defences in place. The risk is just too great.
And for those firms that are starting with a new policy, insurers are being very choosy when handing out cyber insurance to contractors – often refusing those with poor online protection and failing to meet the insurance underwriter’s minimum requirements.
Holding a Cyber Essentials certification is the best way to demonstrate compliance. This, in particular, applies to construction firms bidding for public sector contracts as a key requirement. At the same time, increasingly, organisations in the supply chain will require it to win commercial contracts.
The NCSC also publishes other useful guidance to help the construction industry improve the security and resilience of their business against cyber threats.
To protect against risk, a good governance strategy must be in place at the board level
A Risk Register, one that is regularly updated, will highlight the areas of the business that are potentially at risk, show what the risks are and how they are being accepted, treated or mitigated.
A clear Reaction and Response procedure is essential, and this includes staff training. Never has there been a greater need for employees to be equipped with the skills and knowledge to spot potential threats and be able to act rapidly with a robust policy that has been tried and tested. All Business Continuity and Disaster Recovery plans (BCP & DR) should include cyber security and specific scenarios that include a third-party attack.
Due Diligence on suppliers is a must at the point of contracting. It’s critical for firms to ensure that any third parties they are working with take cyber security as seriously as they are. Otherwise, all the hard work will be undone. Understand the suppliers’ level of Information Security before accepting their services.
Lastly, it is highly recommended to have trusted advisors with specialist cyber security knowledge on hand to offer counsel when needed. This is generally hard to achieve internally, and having the right experts with deep sector knowledge will pay off and help to keep firms secure in the ongoing fight against cybercrime.
