Industry experts gathered to discuss the importance of data security in construction and how best to achieve it, at a recent roundtable hosted by 黑洞社区 and software company Bluebeam.

With the world ever more digital, cybersecurity has emerged as one of the most critical elements in every company’s business strategy. For the construction industry, such growth in digital technologies – and, by extension, digital data – comes with significant security risks.

黑洞社区 magazine, in collaboration with software company Bluebeam, gathered a panel of experts from across the industry to explore data security in construction as part of a roundtable discussion.

The panellists, chaired by 黑洞社区’s head of content Carl Brown, discussed why our industry has become a top target for cybercriminals all over the world, what construction companies need to do to bolster their defences, and how they can get started.

Brown kicked off the session by asking the experts to explain why construction was such a target and what kinds of attack firms within the sector were particularly vulnerable to.

Clockwise from top left: Bluebeam’s Charlie Miller, Danielle Hamilton of Wates, Sir Robert McAlpine’s Andy Black, Neil Lovett of Ridge, Atkins’s John Connolly, James Carter of Arcadis, the RICS’s Andrew Knight, and Jussi Valkiainen of Kone; and in the centre James Chambers of Nemetschek

Why construction?

“One reason the industry is vulnerable is that there has been a little bit of a lag there in technology historically, and that has proliferated its way through to everything,” said James Chambers, global industry development director of the build and construct division at Nemetschek Group. “But the pandemic globally accelerated the use of technology and the industry itself has adopted data and digital practices in a huge capacity over the last two to five years, probably more than it’s ever done in the 30 years before that.”

Chambers said this had created inherent vulnerabilities as it was often being done on a platform or within a corporate culture which might not have taken into consideration the full security ramifications of such a digital expansion. “If you look outside of the construction industry, look into the financial or automotive sectors, and they already had those platforms in place.”

The industry has adopted data and digital practices in a huge capacity over the last two to five years

James Chambers, Nemetschek Group

Andy Black, chief information security officer at Sir Robert McAlpine, said the digitalisation of the end products the industry is now producing has also increased its vulnerability. “When you consider the internet of things (IoT), all the smart tech that we’re all adopting, on smart buildings, on smart motorways – in all of these additional ways – that’s potential risk that we’re introducing into our organisations.”

James Carter, global cybersecurity risk manager at Arcadis, added that the UK construction sector is particularly vulnerable because, while it is behind other industries, it is ahead within its own sector globally. “Britain is a net exporter of standards, and so I think we are also feeling the pain of being a little bit ahead of the curve in terms of the rest of the world in construction. So we’re getting hit with the teething problems of cybersecurity first.”

What are the big threats?

Charlie Miller, director of information security at Bluebeam, said ransomware attacks are a particular area of concern for the construction sector. “The opportunity value of the construction industry in both the public and private sector is huge. There’s a lot of impact to disruption,” he said.

“There’s a lot of motivation for the victim of a ransomware attack to pay out the ransom and get it resolved quickly, and I think that has led to a lot of attention from threat actors to the construction industry.”

Danielle Hamilton, IT security manager at Wates Group, said the greatest threat is presented by the workforce itself. “Getting people to be emotive about changing behaviour and what’s important to them is fundamentally critical,” she said. “Human error is still the largest – and in my view will always be the biggest – risk to security. No matter what industry you’re in, we’re all people; we’re all fallible.”

There are so many payments flowing in various directions around the tiers. That’s obviously a very attractive proposition for [threat actors] to look at payment diversions

Andrew Knight, RICS

A number of those on the panel also raised the point that the historical fragmentation of the sector has contributed to weak points across the supply chain as firms are often not communicating with each other about their security approaches.

Andrew Knight, global lead for data and tech at the RICS, added that, on top of the fragmentation caused by construction’s long supply chains, the sheer volume of cash moving around in construction makes it a target. “There are so many payments flowing in various directions around the tiers. That’s obviously a very attractive proposition for [threat actors] to look at payment diversion,” he said. “The IP threat that industrial espionage poses is also significant, as well as the fact that many assets being worked on are quite sensitive – and simply just access to floorplans can make construction a target.”

What does best practice look like?

Jussi Valkiainen, head of product and application security at Kone, said it is important for there to be standard approaches across industry. “I’m a big believer in best practice and common frameworks and, most importantly, actually adhering to the same kind of common frameworks, such as ISO 27001,” he said. “It really helps if we are all speaking the same language. But, of course, that only works if people practise what they preach and they are taken seriously.”

Wates’s Hamilton added that improving security is not as simple as having a plan in place or one team concerning itself with data protection. She said it is imperative for firms to embed best practice across the business and for leadership, crisis management and procurement teams to be aware of the requirements on them to protect data and what would be required in the event of a breach.

Clear visibility of who we’re working with and what the risks actually are is imperative

Danielle Hamilton, Wates

Like Hamilton, Neil Lovett, technology director at Ridge, said he sees user education as central – but he emphasised the need for it to extend beyond the traditional construction project team. “The education of the end user has got to be key, and it’s got to be the first line of defence. It doesn’t matter what systems you put in; there’s always going to be something that gets through.”

He added: “The phishing and spear phishing – the amount that comes in on a daily basis – is insane, and it only takes one for a breach to occur. This is what I keep trying to get across to people. It only takes one person to do it and then you end up in a difficult situation.”

Sir Robert McAlpine’s Black agreed that best practice requires buy-in from across the business and also the supply chain as it is procured. “People are coming to me now where they didn’t before to say, ‘We were about to go and buy this thing or service and somebody has mentioned I ought to speak to you first to do an assessment before we make that commitment.’ To me that’s progress.”

Security solutions

“So often we talk about shared responsibility [for security], but the only way you get to a shared responsibility is if you’ve got the ability to collaborate and act together,” said John Connolly, professional head of cyber resilience for Atkins of the SNC Lavalin Group. “We’ve got to share information, examples and stories. And sometimes we are going to have to collaborate in a way that says, while we are competing on the same thing here, we’ve got to talk about security stuff, and we’ve got to do something together to make it right for us all. And that’s hard.”

On the collaboration point, Wates’s Hamilton said validating security plans is particularly important right across the supply chain if firms are serious about wanting to manage their data. “Clear visibility of who we’re working with and what the risks actually are is imperative.

It really helps if we are all speaking the same language. But, of course, that only works if people practise what they preach and they are taken seriously

Jussi Valkiainen, Kone

“It’s great to say: ‘Do you have a plan?’ But just because somebody says yes, do we really understand what that looks like? We can all say we’ve got a fantastic ISO 27001-based plan, but it might not actually have been tested.”

She said one of the recent breaches at a UK-based firm was an example of this. “When you get into the nuts and bolts of what happened with them, they fell over on an awful lot of the basics. They were in breach of several policies that they said they had in place from a vulnerability management and access control perspective.”

External resources

In terms of helpful resources, Arcadis’s Carter cited the National Centre for Cyber Security’s (NCCS) Cyber Security Information Sharing Partnership as an invaluable tool. “The access it gives to more privileged information and the amazing amounts of support it provides are fantastic,” he said. “When you’ve got problems or are wondering how to do this or that, you can ask. So that’s a really, really useful tool.”

Sir Robert McAlpine’s Black added that the industry partnership with NCSC, CPNI & BEIS had created guidance for construction firms on topics such as cybersecurity in joint ventures that firms can access for support.

But Bluebeam’s Miller added that it is imperative for solutions not to impinge upon people’s ability to do their job: “If we have guardrails in place that stop people from doing what they want to do, they won’t see a path to success and they will find a way around that.” He said this is where shadow IT comes to the fore, and that it is integral that there is the ability to track at the back end – so if someone has been behaving in an unsafe way, they can be spoken to and educated about safe data practices.

As the session drew to a close, 黑洞社区’s Brown highlighted the prevailing themes of the day as visibility, education and collaboration, saying: “What is really positive is that, while it is clear there is still work to do, this conversation shows we are moving in the right direction.”

Round the table

Chair: Carl Brown, head of content, 黑洞社区

Andy Black, chief information security officer, Sir Robert McAlpine

James Carter, global cybersecurity risk manager, Arcadis

James Chambers, global industry development director for the build and construct division, Nemetschek Group

John Connolly, professional head of cyber resilience, Atkins (part of the SNC Lavalin Group)

Danielle Hamilton, IT security manager, Wates Group

Andrew Knight, global lead for data and tech, RICS

Neil Lovett, technology director, Ridge and Partners

Charlie Miller, director for information security, Bluebeam

Jussi Valkiainen, head of product and application security, Kone Corporation