It’s every construction firm’s biggest nightmare: criminals taking control of their data and holding them to ransom. Ben Wallbank, Trimble, shares some best practices to mitigate cyberattacks
Cybersecurity and cybercrime often conjure up images of hackers in dark hoodies, sneaking in the digital back door. In reality, nearly 90% of corporate cybercrime, such as phishing or ransomware attacks, is a result of employee error.
The UK construction industry is no exception and could be an even greater target than other industries. Protecting massive amounts of data, including warranty and latent defect remediation periods, makes contractors attractive to cyber criminals. Cybersecurity is so crucial to construction that the National Cyber Security Centre produced a construction industry-specific guide, along with the Chartered Institute of Building (CIOB).
Cybercriminals who target the construction industry usually do so by accessing, copying and sharing data illegally or by installing malware on a company’s computers and network, taking control of files and holding them for ransom. It’s called ransomware, and it’s probably the most common and one of the most debilitating types of cybersecurity breaches in the construction world.
Each year, we hear of new cyberattacks, taking critical infrastructure offline and crippling construction businesses worldwide, including many here in Europe. These attacks cost billions of pounds a year and can cause whole cities, businesses and services to grind to a halt.
UK contractors should follow these best practices to safeguard against cyberattacks and improve outcomes in case of an attack.
Create a business continuity plan
Preparing for the worst puts your business in the best position moving forward because you can act quickly and have more control of the outcome. A solid cyber security disaster plan can get quite detailed. It should be consistently reviewed, practised and updated to net the best results in case of an incident. At a minimum, a business continuity plan should include the following:
- Name of a leader to act as a central resource to manage disaster recovery across multiple departments.
- A communication plan for sharing key messages and managing crises with employees, clients and additional project stakeholders.
- A maintenance plan for a continually updated (and backed up) list of employee contact information and asset inventory.
Backup all data
A crucial aspect of any good cyber security plan is to make sure that everything is backed up, preferably on the cloud or physically on an offsite server that’s not on your network. Backups should be frequent and automated, so ask your IT provider to set them up so that they either happen in real time (if you’re backing up to the cloud) or that they run daily after everyone has left the office.
Secure mobile devices
Mobile devices are more challenging to secure than other data systems, but just as critical. Utilising an enterprise management platform, such as Cisco Meraki, allows you to maintain enterprise-level control over all of your devices. These kinds of platforms ensure that individual devices are still managed centrally, and contractors can limit software installation, track devices using GPS, disable devices and more.
Find many more articles like this in AEC Magazine
👉 Subscribe FREE here 👈
Protect software and servers
When it comes to software and security risks in construction, contractors should choose platforms and software providers that take security seriously. Granular permissions, user-friendly management systems and multi-factor authentication, for instance, are all must-haves in any construction software.
By using cloud-based, connected construction software, contractors shift the responsibility of maintaining servers, ensuring SOC 2 Type II compliance, and data backup and storage. Project and business data backups happen automatically, providing daily protection, with costs often included or rolled into users’ subscription costs. New software features and security functionality are also rolled out automatically.
By coupling the backups with cybersecurity protections, cloud vendors use the latest technologies to thwart cybercriminals and provide an extra level of protection not otherwise achieved through in-house backups. When shopping for business software, make security one of your first discussion points.
Additionally, your web and email servers need to be properly protected to avoid online attacks. Physical network servers need to be secured, and you need to ensure that any cloud-based solutions you’re using also implement rigorous security protocols.
Assure employee buy-in
Cybersecurity protection in construction requires every employee at every level to be fully engaged and actively vigilant. There are several steps to take to make that happen:
- Ensure all employees receive regular cybersecurity training, especially if online workflows or procedures change.
- Welcome feedback from team members and update cybersecurity policies and processes as needed.
- Counsel employees on everyday things to look for before opening email, like spelling and grammar errors, verifying sender’s email address, and never opening unexpected attachments.
Take the first step: get started
The most important step is the first one. The UK government offers two certifications – Cyber Essentials and Cyber Essentials Plus – that are crash courses in the basics to keep businesses safer from cybercrime. While they don’t replace a cybersecurity risk assessment, they will show you how to do one and how to select the security measures your business needs.
Anywhere your data is stored or used is a potential entry point into your company’s digital existence. It only takes one slip to allow malicious code or ransomware in, and once it’s there, it can cause millions of pounds worth of damage.
About the author
Ben Wallbank is a BIM strategy and partnerships manager for Trimble.
