James Griffiths is co-founder and technical director at Cyber Security Associates
As the construction sector embraces advances in technology to help manage their supply chain more efficiently, it is easy to overlook the risks that can come with digital transformation. Enabling ‘just in time’ practices and streamlining processes can have a significant impact on the bottom line.
The cost savings can be hugely welcome, especially post-pandemic, as materials, shipping, and increased energy and fuel costs have all had a dramatic effect on margins. These savings can be passed on to customers and make a business more price-competitive.
All of these benefits seem highly attractive. However, we’ve seen a string of tier one contractors – including Interserve, Bouygues UK, Bam and, most recently, Amey – hit by cyber-attacks in the last three years.
Dangers in the supply chain
This increase in attacks, amid the overall global sphere of rising cyber-security threats and the rush to digitalise, means companies are having to pay greater attention to the potential dangers lurking in their supply chain. Contractors need to carry out due diligence and risk analysis on their digital supply chain as stringently as they conduct regular health and safety risk assessments.
The Cyber Security Breaches Survey 2022 paper found that, over the last 12 months, construction firms were among the least likely to have carried out activities to identify cyber-security risks. With complex supply chains and traditionally less mature cyber defences, it’s easy to see why the sector has been highlighted as a potential gold mine by those operating illegitimately in the dark web.
It has been reported that the individual cost of successful cyber-security breaches to medium and large companies is estimated to be £19,400. On top of the financial cost are the impact of delays, business disruption and reputational damage. Taking all of this into account, cyber-security policy and governance can no longer be neglected.
What can you do?
So how can construction bolster its cyber-security posture? When looking at your digital supply chain, consider anything and anyone in it with an online presence. If they are connected to a network or use the internet then there is a potential risk.
For example, as the industry looks to move away from outdated and costly paper-based processes, one of the biggest advancements in this sector is the vast array of digital task management, supply management, and invoicing and data-management tools that have become available. While the benefits of these tools are obvious, their digital footprint opens doors to cyber-criminals.
“Protecting against these risks means building a robust in-house cyber-security policy and governance strategy”
What’s more, supply chains are now global. While it is reported that only 20 per cent of the materials used by contractors are imported from the EU and internationally, this percentage is far higher than it was decades ago. Unfortunately, legislation around cyber-security practices varies from country to country and so geographic location needs to be a consideration when sourcing third-party partners.
It is important to highlight each step and every person in your supply chain – whether they are suppling goods and materials or offering a third-party service – and the way they are delivering those services to you when assessing your cyber-security defences.
Protecting against these risks means building a robust in-house cyber-security policy and governance strategy, which can be led by your in-house chief technology officer or in consultation with an experienced agency. As part of this strategy, first highlight the areas of your business that are potentially at risk. Create a Risk Register, which is updated and maintained to show what the risks are, and how they are being accepted, treated or mitigated.
Take it seriously
Included in this cyber-security policy and governance, ensure the third parties you are working with take cyber-security as seriously as you do. There is no point locking all the doors and leaving a window open. Carry out due diligence on your suppliers at the point of contracting. And understand your suppliers’ level of information security before accepting their services.
What’s more, you need to ensure you are using the services of a cyber-security agency with experience in your sector. Having specialist cyber-security knowledge internally is hard to achieve, so having relevant advisers who understand and can advise on the ever-changing threats is key. While a lot of experts may claim to have the correct software and policies in place, every industry is different and has its own pitfalls.
Lastly, as part of your governance, have a clear ‘reaction and response’ procedure, which includes staff training. The need has never been greater to equip your staff with the skills to recognise potential threats in the supply chain, and to have a robust response policy in place that is tried and tested. Business continuity and disaster recovery plans should include cyber-security, and specifically scenarios that include a third-party compromise. This will also drive business impact assessments.
With threats becoming far more intelligent and potentially damaging, contractors need to carry out their own supply-chain threat analysis, just as they would any other risk assessment and – importantly for securing new business – be seen to be doing more to sure up their cyber-security posture.
Read more about Cyber Security Associates.