Cyber risk for construction

Cyber security, cyber threats, cyber attacks, ransomware, phising and hacking – lions and tigers and bears, oh my! These are phrases we hear repeatedly in the news today.

The high profile worldwide ‘wannacry’ attack of 2017, opened a lot of eyes to the potential of cyber crime and left a lot of businesses reeling from how exposed they could be to cyber criminals.

Construction businesses are targets for cyber attackers due to the sensitive data they hold and high-value payments they handle.

While data and digital technology is helping to make the construction industry more productive, competitive and sustainable, alongside this new technology comes threats that businesses must be wary of and take action to defend themselves from.

The consequences of poor cyber security should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people’s health and wellbeing. As such, managing data and digital communications channels is more important than ever.

Last year, a survey by the Department for Digital, Culture, Media and Sport of all types of businesses found more than a third of micro (37%) and small businesses (39%) reported falling victim to a cyber security breach or cyber attack in the previous year, with this increasing to 65% for medium-sized businesses.

With the majority of businesses in the construction industry falling under the small and medium-sized categories, it’s time that the construction sector took full stock of cyber threats.

In this article, we talk with Peter Erceg, Senior Vice President for Global Cyber and Technology at Lockton about the key risks and considerations.

Why do construction firms so often fall victim to cyber attacks?

There is a false perception that cyber criminals only focus on industries that hold and process a huge volumes of consumer data, or are perceived to be more technologically advanced – such as financial services companies or software firms. This is no longer the case. The construction industry has become far more digitised in recent years, with far more sophisticated operating systems. But firms in the sector don’t see themselves as such, and under estimate the threat of cyber crime. This is particularly true when it comes to small-to-medium firms.

Where is the industry vulnerable?

As an industry, construction relies heavily on third parties and contractors, who are necessary to carry out even some of the smallest projects. Each contractor or external provider carries with them their own operational risks and set of data that could be of interest to cyber criminals. This makes the supply chain particularly vulnerable.

What do you consider to be the biggest threats to businesses in the construction sector?

Ransomware is without doubt the biggest cyber threat – not just in construction, but in a whole range of sectors. This is when an attacker – or attackers – threaten to remove, block access to or publish important or personal data, unless a ransom is paid. We’ve seen ransoms hit six to seven figures and happen multiple times in quick succession. Ransomware attacks such as these are becoming more commonplace, causing business interruptions for unprepared firms, often during processes such as tendering for business, which can result in large payoffs.

Other examples include spear phishing – the practice of sending seemingly specific and targeted phishing emails to individuals – and data hacks. With data hacks, we often see cyber criminals go after the national insurance and banking data of employees, as well as information regarding a company’s upcoming projects and contracts.

What are the impacts of a cyberattack or cyber threat? How seriously should construction businesses be taking it?

The consequences of weak cyber security should not be underestimated. Cyber threats, hacks and attacks can all have a truly devastating impact on:

• The construction programme – disruption to existing systems can lead to delays, which have knock-on impacts for future projects.
• Business reputation – if a business is known to have suffered a cyberattack, it may weaken their commercial reputation and ability to secure contracts.
• Third party relationships – dealing with third party provider information is not uncommon in the sector, and if this data isn’t handled with care and falls into the wrong hands, relationships with other contractors might be at stake.
• The built asset itself – hackers can disrupt the information needed to carry out a project to the highest standard, which might result in a building or structure that is substandard and, at worst, unsafe to people’s health and wellbeing.
• Revenues – all of the above, on top of the fact that banking data is a prime target, means that a business’s revenues will be significantly impacted by a cyberattack or threat.

Why do you think the partnership between the National Cyber Security Centre (NCSC) and the Charter Institute of Builders (CIOB) has happened now? What will it achieve?

It’s fair to say that, historically speaking, the construction industry has lagged quite far behind the curve when it comes to cybercrime. Cyber considerations should have been far further front of mind for the last 15 years at the very least.

The NCSC and CIOB partnership is a good (albeit long overdue) starting point, but it will need to continue to be nimble to adapt to a quickly changing cyber landscape. We welcome the collaboration and recognition, as it will drive awareness of the many cyber risks facing the sector. At its best, it will give the sector a platform to help navigate these threats, which we know to be seriously disruptive.

What are the insurance implications?

The fact that cyberattacks are rising is making it much more difficult for firms to secure full insurance cover in an already hard market. The knock-on impact is that premiums are spiking to levels we haven’t seen for many years.

Given the scale of the issue, and the increasing incidences of attacks we are seeing, insurers will be laser focussed on cyber for the next few years and beyond. In order to receive full insurance cover, construction businesses will need to show that they are making considerations and taking steps to protect themselves from cyberattacks.

Any final remarks?

Understanding the role of cyber security is a minimal survival requirement for all professionals and organisations of all sizes within the construction sector. Over time, we are likely to see the market soften slightly, as capacity will come back to more normal levels. Insurance premiums should come down as a result, but we believe the controls needed to obtain insurance and minimise the risk of a cyber incident are here to stay.

If you would like to read more stories like this, then please click here