Cyber-attacks: Limiting the exposure of the UK construction industry

With the prevalence of ransomware attacks regularly dominating the headlines, what does the UK construction industry need to learn from the experiences of other sectors and how exposed is it in the world of cyber security?

Security breaches that expose critical data or cause catastrophic system failures can affect any business, but the proximity of construction businesses to critical and sensitive infrastructure projects make this sector an obvious target for such crimes.

Businesses are understandably becoming increasingly interested in finding out how they can protect themselves from the risk of external cyber-attacks, but the security threat posed by internal breaches is potentially just as damaging and possibly harder to detect. It might come down to simple human error, weak password management or a disgruntled ex-employee having retained unauthorised access to sites and systems when they should not have done, and there is probably more scope for businesses to mitigate these areas of internal risk than those of the external variety.

With the imminent arrival of the General Data Protection Regulation (GDPR), and the implementation of the Security of Network & Information Systems Directive (NIS Directive), there is a step-change in legislation aimed at combatting businesses’ technological exposure, both external and internal. These new laws have clear expectations around compliance and confirm that protecting a business against the risks of cyber-attack does not just start and finish at an individual’s IT device – they also focus on protecting the physical buildings and infrastructure as a key component of technological risk mitigation.

Like many other sectors, the construction industry may feel a bit removed from the more consumer-facing worlds of data-heavy businesses. However, the risk posed by cyber-attack is just as real when you consider the value of security information associated with a building, and how vital that integrity is for buildings that function as key infrastructure locations – housing business-critical data, storage servers and the people who operate and maintain them. The NIS Directive, which was subject to a public consultation by the government that ended on 30 September, is designed to ensure that operators of key infrastructure, such as providers of electricity, transport, water, energy, health and digital infrastructure, have adequately protected their business and service provision against cyber-attack, as well as other risks.

The digital and culture minister, Matt Hancock, has commented that: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards.”

Increasingly, therefore, this type of site integrity and the solutions designed to protect such buildings from threats that include environmental hazards, IT and power failures, must be a key part of any construction project. In the same way that a business is required by the GDPR to be able to demonstrate how it protects itself against threats of unauthorised data access, the NIS Directive will require a physical level of protection.

Read more…

Source: PBC Today