Line of Sight: information security

Put information security at the heart of your business, says Aconex

In the wake of last year’s WannaCry ransomware attack, the fallibility of our systems has been exposed. In total, 37 NHS Trusts were among the many organisations affected, leading the wider world to wonder, ‘Who’s next?’

Steve Cooper is the General Manager of Aconex in the UK and Ireland – now the world’s most widely used online collaboration platform for construction and infrastructure. Here, Steve speaks exclusively to UK Construction Online about attitudes to information security post-WannaCry and the construction SMEs in danger of being left behind.

The UK is experiencing a noteworthy rise in the number of cyber attacks. What makes construction more susceptible than other sectors?

I wouldn’t say construction is any more or less susceptible than any other sector. It‘s an industry that is maturing. The rate of technology adoption in construction has historically been very low, but as this increases and more information makes its way onto the cloud, it becomes a very valuable asset indeed.

As for the individuals and organisations that create viruses, I don’t think they’re targeting a particular industry. They are after whoever they can get hold of.

In light of the recent WannaCry ransomware attack, do you feel there is still a lack of awareness around cyber security?

Absolutely. If you think about the construction industry, we have some very large clients who are mature and sophisticated, and you would expect those companies to be very conscious of the risks around cyber security.

But we also have tens of thousands of smaller organisations whose sole focus is securing jobs and they might not be as aware. What version of a browser are they using, for example, and why should they upgrade to the newest version of that browser? They may not have the governance in place to keep their software up to date. Perhaps they’re unable to afford IT personnel, or they have someone doing it part-time.

Ultimately, there is a lot of naivety around information security across all levels of the supply chain. We at Aconex may deal with a project team comprising individuals from a fairly large organisation, and yet – to a certain degree – information security might not come up. Their primary focus is what kind of functionality they can get.

In your experience, is the construction industry receptive to cyber security?

It depends who you talk to. Obviously, there has been a lot of work by the UK government to educate the industry and we are definitely seeing a higher level of demand around information security.

Some businesses are large enough to have their own people in place, while others employ third-party organisations. In fact, one of the big challenges for the marketplace is that these consultants often have very different interpretations of the standards, meaning we’re faced with a very different set of questions depending on the consultants used. But that’s okay, because the core requirements are pretty consistent.

In other cases, we aren’t asked a single question about information security, and so we play educator to those organisations, helping them understand what they need and what they should expect from their systems. We make sure that they have their own information security policies in place.

Central to the success of WannaCry was the amount of outdated software still in use. Windows XP was the operating system of choice for several NHS Trusts despite repeated warnings over security. Do you think the same is true of the construction sector? Are we relying too much on redundant software, and what alternatives are there for companies struggling to cover the cost of an expensive new suite of packages?

The industry as a whole has a lot of internally developed platforms that do niche jobs or use niche applications from small vendors. Those applications may well be sitting on an operating system that doesn’t have the correct patch on it, whether Windows XP or something else. The use of out of date software is probably quite prevalent in our industry, though that’s just my personal opinion. It’s the nature of the industry that we live and work in.

In terms of cost, there are various funds and grants available in the marketplace. Sometimes you don’t need to spend tens of thousands of pounds – £500 to £2,000 might do the trick for a lot of small businesses. But while the UK government can help bridge those gaps, you must have the awareness first before you can solve the problem.

It all comes back to education. If people aren’t aware that there is a severe risk to their data, then they are not necessarily going to do anything about it. If you’re an owner of a small business, for example, you will have a hundred things on your to-do list. But information security only becomes a priority once you actually suffer from a cyber crime – that’s the problem.

What advice would you have for construction firms looking to shore up their online defences? What practical steps can business owners take in the immediate future?

They have got to place information security at a high level within their organisational governance. That’s really quite an obvious thing to say but it also has its challenges. A lot of organisations – even those considered successful, with hundreds of employees – are run by engineers, not technologists. Somehow you’ve got to get that skillset into your business and it’s not always appropriate to bring consultants in, because people with that skillset tend to be quite expensive. They know what value they deliver and charge appropriately.

Perhaps this is an opportunity for an apprenticeship. Young people coming out of schools are technology-aware as far as usability is concerned. They’re probably not very conscious of the technology and information security layer, but they could learn very rapidly.

Ultimately, what would you like the construction sector to take away from the WannaCry ransomware attack? Can this be a catalyst for meaningful change?

The big takeaway is that we are all in the line of sight. You could look at organisations like the NHS and think “that won’t happen to me”, but this could happen to any business, whether large or small.

But how do you get information security onto the agenda, because, to a certain degree, it’s a bit like taking an insurance policy out, isn’t it? There’s no legal mandate; instead, it’s something that you are being advised to do to look after yourself for your business. It’s a choice – but it can be hard to choose information security as a higher priority over something else.

It’s difficult, and it comes back to education and understanding the risks. I’ve said it before, but you tend to find that an organisation that has just suffered from a cyber security breach will put it on the agenda, belt and braces. These organisations don’t risk remaining in the line of sight.

If you would like to read more articles like this then please click here.