Whitepaper: Cyber crime and the construction industry
Cyber security presents one of the biggest challenges for businesses across all sectors, including construction. In 2016, 2.9 million UK businesses were affected by cyber crime, and the numbers are only increasing as criminals find more ingenious and effective ways to bypass security controls and exploit vulnerabilities. Cyber crime is not a victimless crime, and certainly not one without tangible impact: the cost of cyber crime to British companies last year was £29.1 billion. That is why it has become crucial for every business, no matter how small, to have measures in place to protect against it.
In this white paper we will examine the potential impact of cyber crime, the most potent threats and the importance of protecting data. We will also look specifically at the context of cyber security in the construction industry, the duties construction businesses have to ensure they are adequately protected and the steps that can be taken to make this happen.
The global impact of cyber crime
No business is immune to the efforts of cyber criminals. The last couple of years have shown that even the biggest and highest-profile organisations can be breached, from LinkedIn and Tumblr to the US Department of Justice. The battle against cyber criminals is constant: as soon as security is upgraded, a new wave of attackers begins looking for its weaknesses and loopholes. Cyber criminals are often focused and highly skilled, with a wide range of resources and the time and motivation to succeed. They are agile and difficult to keep up with, especially for victim businesses that don't specialise in technology.
Perhaps one of the most troubling aspects of the growth of cyber crime is the targeting of smaller businesses. The motivation is data, something every business holds, whatever its size. Personal and sensitive data is confidential, and therefore valuable to scammers and hackers, so businesses need to protect data such as customer details and confidential project information to avoid potentially serious consequences.
The key threats
Phishing, computer viruses, hacking and ransomware are the top four threats to cyber security for businesses in the UK.
Phishing – emails designed to look as if they come from a reputable company or a known contact but which have been created by a cyber criminal. The email may direct the recipient to a fake website that asks for login or personal details, or to a malicious website; or the link or attachment itself may be designed to install a program that gives an attacker access to files, or encrypts them, as soon as it is opened.
Computer viruses – pieces of code that can copy themselves and which cyber criminals use to infect an entire system. Once inside, they can perform a number of malicious functions, including corrupting and destroying data.
Hacking – the work of groups or individuals who gain unauthorised access to systems, networks or computers. Once inside, they may steal data, lock out the owner or users of a system, or start leaking or destroying data.
Ransomware – malicious software that locks a person or business out of a system, or encrypts their data, until a ‘ransom’ has been paid to restore access.
Ransomware – the most pressing threat?
While ransomware ranks lowest of the four in terms of the number of organisations affected, it comes top with respect to the financial losses it causes. It is the most pressing cyber threat because it is so profitable for attackers: ransomware such as WannaCry and Goldeneye has shown how software weaknesses can be exploited by cyber criminals for enormous profit. Perhaps the most unnerving element of ransomware is that it offers no guarantees. Even if the ransom is paid in full, affected businesses have no control over whether their systems and data are actually restored, and no right of complaint if they are not. The only reliable way back is a backup that the attacker could not reach.
Phishing – the broadest risk?
Phishing affected 1,299,178 businesses in 2016, making it the most common type of cyber attack in the UK. It is perhaps the easiest type of attack to succeed with because, although less sophisticated than other methods of stealing data, it only needs one person to fall for the fake link. For a business with networked computers and multiple staff the risk is large: if one person hasn’t had their coffee yet and is momentarily fooled by the link, that is all it takes to open the door. That is why it is crucial that everyone in the business is aware of this risk, from the most junior staff to top-level management.
We live in an age of big data, which is fast becoming as valuable as oil. In the construction sector, even though much of the work is done offline, there is still a sizeable volume of data that appeals to cyber criminals. Personal customer data, including addresses and payment details, as well as sensitive project files, make the construction industry an obvious target. Compromising this data, even temporarily, or losing it altogether, can have a number of severe consequences, including:
- Loss or compromise of data such as initial designs, safety procedures, financial documentation, plan changes and project risk analyses can delay a project or stop it altogether
- Confidential information and ideas can be exposed
- Reputational risk is high – customers don’t want to work with businesses that can’t protect their data
- There may be legal implications: data that has not been properly protected can leave a business open to regulatory action and legal claims
- Costs can be high, whether that’s paying a ransom, cleaning up after an attack or being forced to take emergency steps to get help
Customer expectations have changed
The threat of cyber attack is no longer something consumers see as happening only to faceless businesses or to people they don’t know. Media coverage of attacks on a national and international scale has put fears about cyber crime firmly at the front of consumers’ minds. As people have realised that it is not just their own actions that can put their data at risk, but also those of the businesses that hold it, they are becoming increasingly cautious about who they pass their data to. In the construction industry this affects how customers choose who to work with. There is now an expectation that businesses know how to manage and protect data, and some customers may ask for evidence of this before signing on the dotted line.
Security is an important factor in brand appeal
Security concerns now play a much bigger role in construction partner selection than they used to. The process of assessing project design and completing and managing the build process requires customers to provide access to ideas, internal data and sensitive project-related information. Few customers will do this lightly with a business they don’t perceive to be on top of data security. Questions about how data is protected and managed are now top of the list at initial meetings and it may be necessary to be able to provide proof of how a business manages the data that it holds in order to win business and keep clients.
Construction businesses can’t afford not to protect data
The loss or compromise of data during the process of construction can bring everything to a grinding halt. Delays can be incredibly costly and if the business is at fault in terms of the loss of the data it may be difficult to justify passing any consequent costs on to the customer. Problems with data security also break down relationships and destroy trust, which can make working conditions difficult and shatter the possibility of potential future projects. Work or data that has been lost or compromised may need to be done again – this not only wastes time and money but could produce a slightly different result second time around that could send the entire project off balance.
The legal implications of poor data security
The GDPR (General Data Protection Regulation) is a very hot topic right now. This European regulation applies from 25 May 2018 and significantly increases the responsibilities for data protection, the accountability for a lack of data security and the penalties that apply where data has not been properly looked after. There have long been good reasons why the law protects data and penalises businesses that do not properly protect the data in their care. However, the GDPR takes this to a whole new level, which is why construction businesses, like every other type of business, must be ready when the regulation comes into force in the UK.
Protecting a construction business against cyber crime
In 2015, 1 in 6 construction firms were affected by a cyber attack. Across the UK as a whole, according to figures from the Department for Culture, Media and Sport, almost half of UK businesses identified a cyber attack in 2016: roughly a 1 in 2 chance that your business will detect an attack in a given year, and that only counts the attacks that were noticed. Cyber criminals have significantly changed their focus in recent years, moving from large, valuable brands that have the resources to spend on security, to small and medium-sized businesses that are much more vulnerable. Many SMEs have no data protection measures in place at all, which makes them an easy target for hackers and scammers.
Why are smaller businesses now so at risk?
The lack of security compared with larger firms is a big factor. Cyber criminals may be able to make more money by targeting many smaller businesses than a single large organisation. Just like big businesses, small enterprises hold a lot of data, and it is that data which makes them both valuable and vulnerable. The data itself is rarely worth much to an outsider. However, the business cannot operate without access to it, and the need to regain that access is what makes smaller businesses vulnerable, and valuable as targets, to cyber criminals.
The biggest threat is human error
Phishing is the most common type of cyber crime against businesses for a reason: it bypasses technical security controls and relies on human error. One tired staff member, or someone who has not been trained to spot a phishing email, can click on a malicious link and infect an entire system. Networks can be paralysed and a ransom demanded because of a single mistake. It is crucial for businesses to consider the issues that can arise from human error, to take steps to ensure staff understand the threat, and to have controls such as limited access, patched software and tested backups in place so that the damage is contained when someone does click.
How to protect a business against cyber crime
- Educate and train staff – ensure that they know how to identify phishing emails, avoid anything that looks suspicious and ask for help at the right time, and that reporting a mistake is encouraged rather than punished
- Limit access – give staff access only to the data they need for their role, so that one compromised account exposes as little as possible
- Set strong, unique passwords – at least 16 characters, different for every person and application, and kept in a password manager rather than reused; current UK National Cyber Security Centre guidance is to change a password when a compromise is suspected rather than on a fixed schedule, and to add two-factor authentication wherever it is available
- Back up data – this is one of the simplest ways to avoid being trapped by cyber crimes such as ransomware. If your data is backed up you can retrieve it yourself once the breach has been dealt with, without having to pay a ransom, provided the backup is kept where ransomware on the network cannot reach it and you have tested that it actually restores. At RG Group, for example, we back up all our data on a regular basis so that personal correspondence and project information are always secure and accessible.
- Stay on top of the latest threats – sign up for updates or newsletters, or just keep up with the news, so that you know what the latest scam is and how to spot it.
What does the future hold?
The threat from cyber crime and cyber attacks is unlikely to diminish in the near future. Even in an industry like construction, where only parts of the sector are online and digitally exposed, it is important that steps are taken to protect a business. It doesn’t take much for a small amount of compromised data to bring entire operations to a grinding halt, online and off. So, what are the key areas construction companies should focus on now, and in the near future?
The very specific threat to the construction industry
Government departments, banks and technology firms might seem like the more natural targets for cyber criminals. That is no longer the case, and construction firms must recognise it. Construction contributes around 7% of the UK’s GDP, which makes the industry a high-value target.
Construction projects can be very attractive targets for hackers and criminals, either for the data they provide access to or for the buildings, people and companies associated with the projects. For example, in 2013 it was reported that blueprints for the new Australian Security Intelligence Organisation (ASIO) headquarters had been stolen by hackers from a contractor involved in the build. The breach caused enormous embarrassment but also created a very real security risk: anyone looking to attack or damage the building now had a map that showed them where to do it. The construction company involved faced serious questions about the security it had in place and no doubt suffered reputationally. Why would other high-profile clients looking for careful handling of sensitive projects want to work with a business that had made such a big mistake?
The necessity of data compliance and protection
When the GDPR comes into force in May 2018 there will be far less room for error when it comes to data protection. The consequences of failing will be put into monetary terms: fines can be as high as €20 million (around £17 million) or 4% of the business’s total worldwide annual turnover for the preceding year, whichever is higher. The GDPR is designed to get businesses to think about the evolution of data security and the challenges presented by new systems and integration. Its ultimate aim is to motivate every business to take its own steps to protect data to the best of its ability. The GDPR raises the financial consequences of poor data security far beyond anything in previous law, for businesses of every size, so preparation for it must feature in the future plans of construction businesses.
Preparation and awareness of vulnerabilities
The best approach for most businesses when it comes to cyber crime is to hope for the best but prepare for the worst. Attacks are highly likely as cyber criminals increasingly look for ways in which data could be used to extort cash from companies. Being one step ahead, identifying those potential vulnerabilities and preparing for them in advance creates a big advantage.
- Have a clear data protection policy in place
- Ensure that everyone with any access to data is aware of their responsibilities and the consequences of not adhering to them
- Introduce a reliable, tested and easy-to-access way to recover data, kept separate from the live network, to avoid the full impact of ransomware
- Upgrade security measures – much cyber crime is already automated, with attackers scanning for unpatched systems and sending phishing at scale, so the frequency of attacks will only increase and there is no room for unpatched vulnerabilities or basic errors for businesses that want to avoid the worst
- Get certified to ISO 27001 standards, both to ensure high standards and to reassure customers
- Implement regular training to help staff identify and act on potential attacks
- Install anti-virus software and malware detection and monitoring systems, and make sure that someone in the business actually knows how to use them and acts on what they report
- Get the basics right – restricting access, using a password manager and complex passwords, and keeping all software up to date are three of the most basic ways to protect against the threat of cyber attack
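Two of the steps above, backing up data (under "How to protect a business against cyber crime") and introducing a reliable way to recover it, are only worth anything if the backup can be shown to be intact and actually restores. The following Python script is an added illustration of that check; it is not RG Group's code or process. It backs up a constructed sample project folder into an archive that carries a SHA-256 manifest of every file, overwrites the live copy the way an encrypting ransomware would, detects that every live file now differs from the manifest, and then restores from the archive and re-verifies each file. The extraction step refuses any archive member whose path would land outside the restore directory, because a crafted backup is itself a way into a system. File names and contents are made up for the demonstration.

```python
"""Backup with an integrity manifest, plus a restore drill.

Added example for this page, not RG Group's own code or process. The
project folder, file names and the "ransomware" simulation are all
constructed here so the script runs offline. Standard library only.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write src into a tar.gz that also carries its own manifest."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def mismatches(root: Path, manifest: dict) -> list:
    """Files that are missing or whose hash no longer matches the manifest."""
    return [rel for rel, digest in manifest.items()
            if not (root / rel).is_file() or sha256_of(root / rel) != digest]


def restore(archive: Path, dest: Path) -> dict:
    """Extract archive into dest, refusing members that would escape dest
    (path traversal), then re-check every restored file against the
    manifest stored inside the archive."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            target = (dest / m.name).resolve()
            if not m.isfile() or dest not in target.parents:
                raise ValueError(f"refusing unsafe archive member {m.name!r}")
        tar.extractall(dest)
    manifest = json.loads((dest / MANIFEST).read_text())
    bad = mismatches(dest, manifest)
    return {"files": len(manifest), "failed": bad, "ok": not bad}


def simulate_ransomware(root: Path) -> int:
    """Overwrite every file with random bytes, as an encryptor would."""
    n = 0
    for p in root.rglob("*"):
        if p.is_file():
            p.write_bytes(os.urandom(64))
            n += 1
    return n


def run_drill() -> dict:
    """Back up a constructed project folder, 'encrypt' the live copy,
    then prove the backup restores cleanly."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "project"
        (live / "drawings").mkdir(parents=True)
        # constructed sample files standing in for real project data
        (live / "drawings" / "ground-floor.dxf").write_bytes(b"DXF sample")
        (live / "risk-register.csv").write_text("id,risk\n1,late steel delivery\n")
        (live / "client-contacts.csv").write_text("name,email\nA. Client,a@example.com\n")

        archive = tmp / "project-backup.tar.gz"
        manifest = create_backup(live, archive)
        before = mismatches(live, manifest)      # clean tree: nothing differs
        hit = simulate_ransomware(live)
        after = mismatches(live, manifest)       # every live file now differs
        result = restore(archive, tmp / "restored")
        return {"files_hit": hit, "drift_before": before,
                "drift_after": sorted(after), "restore": result}


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=1))
```

Run it with python3 and it prints the drill result as JSON. In practice the archive goes to storage the workstation cannot write to (offline media, or a cloud bucket with versioning and separate credentials), and the restore drill is scheduled rather than run once: a backup that has never been restored is an assumption, not a control.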
RG Group takes the security of our own data and our customers’ confidential information seriously, and is constantly looking at how we can improve our security to protect against cyber threats. You can give us a call on 01732 526 850 to discuss your upcoming project today.