Peter Hodgson, UK engineering director at Viewpoint, takes a look at how the right mindset and strategic approach can make all of the difference in protecting your contracting organisation
We often hear about super-sophisticated cyber attacks on corporations originating from criminal masterminds or teams of hackers operating on the dark web, but these really are the tip of an iceberg. Most cyber attacks are very basic in nature and are carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your car door to see if it’s unlocked.
What most astute companies soon realise is that they need a way of reassuring themselves (and their customers) that they have locked the car door and have fitted a car alarm and maybe a GPS tracker. An independent certification is a great way of doing this. It not only provides some confidence, but also can act as a deterrent. Simply seeing that “this car is fitted with an alarm and GPS tracker” sticker will put most casual criminals off and they will go and try someone else’s car door.
To get the best value from these certifications, three things are vital:
- First, you must start with the attitude that you want to improve and verify your cybersecurity defences and not just to get a certificate to pin on your wall (or website).
- Second, you need to choose the right certification for your business and where you are on your construction cybersecurity journey.
- Third, you need to choose a reputable, helpful certification body and get the right advice
The right attitude
There are absolutely no shortcuts here. Having the right approach to construction cybersecurity is so important. It’s a journey that never ends and you need to set out knowing that it will be a long term commitment. The first steps are important, and the sooner you take them the better.
A certification body can only check that you are meeting a certain standard and doing all the right things when they evaluate your organisation, so it’s up to you and your company to keep doing all the right things, every day.
The right certification
Cyber Essentials is generally where UK businesses start in terms of demonstrating their cybersecurity commitment to themselves and their customers. It’s a simple but effective cybersecurity scheme for construction backed by the UK Government. It aims to help companies of all sizes protect their organisations against a whole range of the most common cyber attacks.
It’s recommended you renew these certifications annually. Things move on rapidly when it comes to cybersecurity and you need to be assured that your defences are keeping pace. Regularly renewing certifications again demonstrates your commitment.
There are two levels of certification, as outlined by the National Cyber Security Centre:
- Cyber essentials — This is the basic level of certification and requires you to answer a detailed security questionnaire that is then cross-checked by an authorized certification body to ensure you meet the minimum requirements. Costs vary according to the certifier and some offer pricing based on your company size.
- Cyber essentials PLUS — This is the advanced level of certification and requires you to answer the detailed security questionnaire (the same as Cyber Essentials) but also involves a hands-on audit of your IT devices by an auditor and an external penetration test of your public-facing website(s).
Once you have these under your belt, subsequent annual renewals should become a little more familiar and straightforward. You might then want to think about wider international certifications like ISO 27001.
The right advice
Don’t be afraid to seek advice and ask for help. Use the free Cyber Essentials Readiness Toolkit. It will start you thinking about the right areas for your business and will help you with some good initial actions.
I’d also recommend, if possible, talking to someone who has already been through the process of certification. Find out about the certification body they used and ask how it went. Ask about what was difficult and any tips they might have.
Viewpoint UK recently renewed its own Cyber Essentials PLUS certification using IT Governance as our certification body. We’ve used IT Governance before. It was a different experience to our previous years’ certification when the auditor came to our site to undertake the testing of our IT equipment.
This year, due to Covid-19 restrictions, the audit and device testing was done remotely. However, IT Governance was extremely helpful in guiding us through how that would be done and what we needed to prepare in advance so that when the audit day arrived things went smoothly.
Some cybersecurity evaluation points to consider
When you talk to a certification body, ask about how they can tailor their services to your company. Most good certification bodies can offer different levels of assistance depending on how much cybersecurity experience you have in your construction company.
If you have experienced IT staff and some good cybersecurity practices already in place, you may feel quite comfortable doing the majority of the work yourselves. If you don’t have this luxury, you may feel more confident getting the certification body to provide more assistance and guidance, and perhaps a day or so of consultancy to ensure you are on the right track.
If you are going for Cyber Essentials PLUS the certification body needs to test a number of your devices — laptops, desktops, phones etc. — that have access to your network. The sample size that they will test depends on the variety of operating systems these devices are running. So if you have a lot of different versions of operating systems more samples will be needed and this can push up the costs. It’s generally a good idea to standardize the operating systems your devices are running anyway. Less variety means less work maintaining these because dealing with one or two operating systems is far easier than dealing with dozens.
You also don’t want to be running any operating systems that are no longer supported by the manufacturer. So old versions of Windows or old versions of iOS or Android on mobiles phones should be upgraded to avoid a failed test. Encourage or require anyone using a mobile device that can access your network to keep the version current and turn on auto-updates. Do a few spot checks (get a screenshot of the software version the user is running).
Finally, think about your suppliers too. Who does your company rely on for business-critical products and services? What cybersecurity certifications do they have? This is especially important if you are entrusting your data to them. It’s easy to check — simply go to https://www.ncsc.gov.uk/cyberessentials/search and enter the supplier name.
How to get started
Whatever the size of your organization or the level of experience you have with cybersecurity it’s vital that you take that first step. The National Cyber Security Centre we noted above is a great place to start. It has a comprehensive overview of Cyber Essentials, where to get started and FAQs.