From illegal access of personal information to ransomware attacks that can take out an entire supply chain, the construction industry is extremely vulnerable to the threats of cyber security. In this article, Quentyn Taylor explains why companies must start thinking about not if, but when it will happen to them and how they can protect against threats.
A lot has changed when it comes to data security in the last ten years and the industry has made good strides to ensure all data is held to the correct standards. However, with the General Data Protection Regulation coming into effect on the 25th May 2018, considerably tougher penalties will be put in place compared to existing rules. If breached, organisations can expect fines of up to four per cent of annual global turnover or €20M – whichever is greater.
It is not just personal data that is important to keep safe, but data held across the industry is extremely valuable, from blueprints to intellectual property and client databases, the leaking of any of this information could be detrimental when trying to remain competitive, not to mention financially secure.
It was only recently that the ‘Petya’ ransomware attack hit companies across Europe and the US. With huge disruption to organisations, the cyber-attack showed the scale of damage that can be unleashed if the right security protocols are not put into place.
The construction industry encompasses a wide range of companies, from one-man bands to multi-national enterprises, and if the right security isn’t in place, the smaller companies can have significant effects on the larger ones.
According to a report by Osterman Research, 22% of businesses with less than 1,000 employees that experienced a ransomware attack in the last year had to stop business operations immediately, with 15% losing revenue.
The construction industry is at the mercy of its supply chain when it comes to data security. With many large construction companies relying on subcontractors to make up the bulk of contracts, their priorities are unlikely to be checking what security infrastructure these businesses have in place. It only takes one ransomware attack on a subcontractor to have a detrimental effect on a whole project including loss of delivery times and building plans, leading to the primary contractor facing serious financial consequences.
Once internal processes have been put in place, the next step is to ensure all employees are educated on these as well as the IT they are using. Investment in training can be beneficial, as well as applying strict processes that standardise employees’ behaviours – from how to share information with colleagues to not saving documents on individual devices.
Ensuring that employees feel confident when using business technology means CIOs and their companies can make huge efficiency gains as well as building awareness of the importance of data protection and IT security.
Compared to other industries, construction could be seen to have a higher risk as it perceives itself as not having IT dependencies but in fact it heavily relies on technology. Many day to day activities revolve around technology, from receiving and responding to bids and tenders, to being able to print building plans and email suppliers for crucial equipment.
Companies need to start thinking about security in the same way they think about other important aspects of their businesses and start to scenario plan. For example, if all capabilities were lost tomorrow, how would resource planning be carried out or staff and suppliers be paid. Thinking in this way will help build resilience into everyday practices.
It’s often said that when it comes to process, culture and technology that technology is generally last in the line of priorities. Construction companies cannot afford to think like this as technology holds the data, managing its processing and its movements.
Can you afford to work even a few days without access to your IT systems? Attacks are taking place daily and if you’re not prepared, it will only be a matter of time until your business is hit.