Cybersecurity in Construction
Cybersecurity is an important aspect of any business, but particular features of the construction industry mean that those in the sector need to make cybersecurity central to their business plans.
All too often, of course, this isn’t the case, and cybersecurity falls by the wayside, pushed away as more immediately-pressing needs take precedence. Doing so can lead to huge issues later on, as those who have suffered significant cyberattacks can attest.
Like most things, it pays to be prepared and have your cybersecurity policies and protection in place long before it becomes a problem.
What is cybersecurity?
The core of cybersecurity is keeping unauthorised people from accessing your IT systems. In construction, this is particularly important, and the industry is also particularly vulnerable.
Construction is an industry where the sharing of files and data is layered throughout a project’s life. From initial tenders and reports, through BIM data, collaborative project management and more, the level of software infrastructure that makes larger construction projects possible is considerable. At each of these moments of data transfer, the system is somewhat vulnerable to attack.
Not only that, but the on-site nature of contractor work means that often laptops, tablets and phones are connected to unsecured wireless networks, or even left physically unattended. These are then later brought back to main offices where they are reconnected to the main system and potentially bring damaging malware with them.
For these reasons, it is especially important that solutions are put into place to mitigate any disasters. Firewalls, security software, and dedicated training on the risks are all important steps to ensuring a safe system.
What damage is done due to weak cybersecurity?
The variety of cyber attacks, and the ways that we rely on IT infrastructure, mean that there are many areas which cybersecurity can help protect.
Perhaps one of the most frightening and headline-making attacks on your computer systems is ransomware. This malicious software encrypts your data and locks you out of your own software, then demands a payment to the culprits in return for restoring access, as happened to Canadian firm Bird Construction and French firm Bouygues in 2020.
Ransomware is particularly effective because it seems to come with a ‘fix’ – that of paying the ransom. Psychologically, this has a strong impact, putting business owners in a quandary. After all, if you are being coerced into paying £10,000, yet the alternative is to lose ten times as much in valuable data and time, doesn’t paying the ransom seem sensible? This can lead you into a desperate situation, feeling that you must accede to the demands.
What is important to remember in these situations is that the criminal demanding the ransom is nothing more than a bully looking for victims. Pay once, and you become a more lucrative target for future attacks. Not only that, but other factors (such as trusting that once paid, the data will be released, or wondering what other activities the money will go on to fund) make paying that ransom a particularly bad idea.
Thankfully, restoring your data from a backup can mitigate much of the damage from a ransomware attack. It may put you back as much as a day or two, depending on when the last backup was completed, but that’s substantially better than the alternative.
You have an obligation to protect sensitive data that is held on your system. The GDPR (General Data Protection Regulation) was brought into force in May 2018 and regulates what data you may hold on individuals and companies, and the security that you should have in place to protect it.
Any sort of hacking or systems breach that violates the regulation could be more than inconvenient and see the company liable for potentially devastating lawsuits.
Further to that, the files that you hold are likely to contain sensitive information that can damage not only your business, but those of your collaborators and clients, were it to no longer remain confidential.
There is a safety net possible through insurance. Business liability insurance will limit the damage such that your business may financially survive, but the reputational damage could stretch beyond that and cause problems for years to come.
Damage to your systems and data will have a heavy effect on your current ability to work. Projects may have to be held or postponed, and the knock-on effect of delays is significant in the construction industry, where timelines are often tight.
Again, this can damage your reputation and put your company in a position where future bids are harder to secure.
While most of cybersecurity is focussed on data and office-centric software, there are aspects of cyber attacks in the construction industry that can have a very real physical impact.
With greater use and reliance on autonomous equipment and smart systems, the construction industry is now in the position where a systems attack can lead to tangible consequences, from property damage to the very real threat of human injury.
Companies with an investment in automated systems need to pay particular attention to firewalls and other system security components to ensure the integrity of their equipment and systems.
What can construction companies do to improve their cybersecurity?
An emphasis on, and understanding of, dedicated IT personnel
Many smaller companies consider a dedicated IT team unnecessary, and see it as involved in less system-critical things, such as desk-level problem solving or website development. The truth is that professional IT personnel are an important part of any expanding construction company, and should be considered an integral part of growth.
Not all general IT specialists are well-versed in cybersecurity, of course. It may be necessary to expand the team, or to provide training resources for current employees in order to keep up-to-date with cybersecurity risks and procedures.
Many third-party consultant companies exist, meaning you do not have to bring your IT and cybersecurity in-house if it doesn’t make sense to do so.
At the very least, an IT team will set up firewalls, develop a sensible back-up solution and provide training for non-IT staff.
Training for all staff
Alerting all employees to the threats presented by cyber attacks, and teaching them the basic principles behind cybersecurity, is essential.
A lot can be done to limit weaknesses in the system through training. Educating your team about phishing, for example (where emails, text messages, or websites entice you to click on links or open attachments that can do damage), can close the door to many would-be hackers.
Developing a comprehensive strategy for security
Rather than relying on fixes after the event, a detailed strategy for cybersecurity should be in place. This would include such things as:
- Ensuring off-site backup systems are in place;
- Installing dedicated firewall systems for all networks;
- Using trusted cloud data storage where appropriate;
- Regularly changing passwords for all staff;
- Revising security access when employees leave the company;
- Applying multi-factor authentication to mitigate exposure should a mistake be made;
- Vetting third-party companies and contractors to ensure they have adequate security;
- Securing website applications and ensuring all software is up-to-date.
By being prepared, the vast majority of cyber risks are quickly reduced. As with all crime, the criminals will seek to target easy victims, and are unlikely to put in considerable amounts of effort to infiltrate and damage a company that takes its security seriously.
Ensign and cybersecurity
Ensign systems are all developed with security in mind. Our data is rarely mission-critical, but nonetheless we understand the need to keep quotes and other quantity surveying data under careful lock and key, encrypting it as appropriate.
Our development team work constantly to improve the software, including its security, with our cloud-based solutions offering an extra layer of encryption and backup to keep you safe.
To see how our software can work as part of your secure infrastructure, order a demo today.