Charles Maurice is a partner at law firm Stevens & Bolton
Businesses and individuals across all sectors are increasingly falling prey to cyber attacks. Strategies to combat these risks are of course freely available, as are various commercial products and services. But a working understanding of the risks and vulnerabilities in a particular sector or type of business can go a long way to mitigating commercial risk.
“Larger volumes of traffic may place a greater requirement on ensuring that systems are set up in a manner to handle it”
The construction industry is no different, and like many other sectors there are specific features of the sector that are worth considering for businesses looking to shore up their approach to cybersecurity.
One of the more obvious features is the way the construction industry has evolved to embrace the digital economy. That evolution is evident in the systems and procedures used in various design and build phases, and the processes deployed by construction companies in the way they operate. While this creates a range of opportunities, it can also create vulnerabilities, including for businesses and their operations as well as the works on which they are engaged.
This topic has been given increased prominence in the sector over the past few years, with the National Cyber Security Centre’s guidance on cyber security for construction businesses -published in partnership with the Chartered Institute of Building – being particularly valuable reading.
But the risks inherent in the sector are not uniform for all businesses and can differ quite considerably depending on the role a business takes. It is tempting to consider that a larger organisation may automatically assume greater risk from an information security perspective, but this is not always the case. It is possible for smaller, more specialised organisations to attract disproportionate risk from a cybersecurity standpoint, so understanding some indicative factors can be really helpful. Some or all of the following may be worth considering, particularly in terms of the contrast between larger and smaller organisations.
Interacting with customers, contractors and other suppliers
The volume of different counterparties with whom construction companies interact can vary quite considerably. Contrast the role here of the tier one general contractor with a smaller specialist. Larger volumes of traffic may place a greater requirement on ensuring that systems are set up in a manner to handle it and in a way that preserves security measures. This may also go hand in hand with understanding and tracking supply chains, which may inherently be harder for larger or more diverse businesses.
The same goes for operational data, and aspects such as the payment process deployed can also generate significant attention. High cashflow businesses receiving and making multiple payment requests over time can represent an attractive target for phishing and fraudulent payment scams.
Sophistication of systems
The systems that a construction business might have access to will differ across the sector, but general contractors may have access to more than just the systems they themselves have supplied or implemented. Regulating access may therefore be important depending on the nature of the systems involved and the relative impact of unauthorised access.
Data protection
Like any business, construction companies are likely to need to consider the types of data they collect and process. Where this data includes personal data (i.e. data from which living individuals can be identified), thought should be given to the role the business takes in processing it. This might include ensuring that processes and procedures are in place for these activities and that relationships with any subcontractors that process personal data are appropriately documented.
A tier one business might be a controller of certain data in its own right, or it might be a processor acting on behalf of the end client. Smaller entities acting in a subcontracting role might in turn be sub-processors of the relevant data and therefore assume a different risk profile, particularly when it comes to contractual liability to the end client.
Resource, culture, and training
Organisations may wish to consider what good practice looks like from an information security perspective and the resources in place to drive that. Getting all internal stakeholders on the same page can be challenging, particularly if personnel are not used to working within an information security framework. Larger businesses often have something of a cultural advantage here, especially where corporate policies are in place governing how personnel should operate.
Understanding cyber risk can be a real challenge. The differences between larger and smaller organisations are interesting to compare, though the message to both is similar. Actively mapping, mitigating and testing risk factors may be some of the most important investments a business can make.
