Construction Firms Grapple with Escalating Cybersecurity Risks
- All Things Being ISOs
- Dec 5, 2023
- 3 min read
- Updated: Feb 20

Increasingly Frequent and Sophisticated Attacks Raise Urgency for the Construction Industry to Shore Up Cyber Defences.

As cyber threats continue to surge in both frequency and sophistication, construction firms find themselves at the forefront of a growing menace. Despite escalating warnings from global leaders, a considerable number of construction companies are lagging in adopting cybersecurity measures, raising concerns about the industry's overall vulnerability.
Presidential Warning Amplifies Concerns
Following Russia's invasion of Ukraine, President Joe Biden issued a stark caution to business leaders about the imminent risk of cyber attacks. This advisory resonated across the Atlantic, with the UK's National Cyber Security Centre (NCSC) reinforcing the message. The heightened alert comes in the wake of a cyber readiness report by insurer Hiscox, placing construction among the top five industries facing increased threats.
Government Mandates and Cybersecurity Tools
While Cyber Essentials is a government requirement for key public contracts, its application to subcontractors remains limited. Cyber Essentials, alongside ISO 27001, the international standard for information security management systems, provides a robust cybersecurity framework. ISO 27001 not only complements Cyber Essentials but also grants exemptions from certain auditing requirements of the new building information modelling (BIM) standard, ISO 19650, emphasising security-minded information management.
James Carter, Global Cybersecurity Risk Manager at consultant Arcadis, highlights the evolving nature of cyber threats, with both frequency and sophistication on the rise. Targeted attacks that treat construction companies as lucrative victims are becoming more prevalent. These attacks may be aimed at a construction firm directly or form part of a broader supply chain assault on one of its clients.
Challenges Unique to Construction Sites
Construction sites, by their very nature, pose unique challenges for implementing robust cybersecurity measures. With a diverse array of players, from tier one contractors to one-person SMEs, each with its own policies and IT standards, creating a unified security framework can seem daunting. Ian Davis, Head of Information Security at management consultant Gemserv, emphasises the vulnerability of construction sites, calling for cybersecurity to receive the same focus as physical security.
Addressing the Human Element and Supply Chain Risks
A significant challenge lies in balancing cybersecurity measures with business productivity, as limiting staff access can be perceived as restrictive. Davis underscores the importance of recognising the site as a primary and vulnerable source of threats, urging businesses to grasp the potential risks posed by contractors and suppliers to a project.
Government Initiatives and Industry Collaboration
The UK government is actively promoting best practices by requiring site cybersecurity and information security plans for many public contracts. Assessments of contractors and suppliers become crucial in understanding potential risks and establishing a common cyber governance framework. Collaboration and information sharing within the industry can bolster collective cybersecurity resilience.
Industry Insights from Willmott Dixon
Willmott Dixon, a major construction company, identifies phishing emails as a significant cybersecurity threat. Steve Witty, the firm's Head of Security and Compliance, names data protection and combating phishing attacks as its top priorities. The company aligns its cybersecurity strategy with the NCSC's "10 Steps to Cyber Security" guidance and holds certifications to the government-backed Cyber Essentials Plus scheme and ISO 27001.
Human Firewall and Industry-wide Responsibility
Witty stresses the need for a collective effort in cybersecurity, viewing it as everyone's responsibility within the organisation. He likens cybersecurity to routine safety practices, highlighting the role of individuals as the "human firewall." Extending this responsibility to the supply chain, Witty emphasises the importance of awareness and guidance; the company recently highlighted the NCSC's guidance for construction SMEs on its blog.
Cost Barrier and Urgency for Cyber Protection
Recognising the operational challenges faced by construction businesses, the NCSC acknowledges the perceived cost barrier to cybersecurity investments. However, an NCSC spokesperson emphasises the vital importance of implementing the right protections to mitigate the risk of cyber attacks. The potential consequences of falling victim to an attack, including operational halts and increased costs, underscore the urgency for businesses, regardless of size, to fortify their cybersecurity defences.
A message from our sponsors, The Ideas Distillery:
If you would like to look at how to implement an ISO 27001 information security management system, then simply contact us.
Or, if you want to see what's involved in more detail, then get a completely free, no obligation, totally tailored ISO Gap Analysis for your business (only available to UK businesses).