黑洞社区, with software specialist Egnyte, convened an online roundtable to explore the issues around data-sharing and the mitigation of digital security risk throughout the supply chain

Digital security risk has not traditionally been associated with the construction industry. But with information technology becoming commonplace across the sector, the importance of acknowledging such risk – how it might affect the industry's work, and how to protect against it – cannot be overstated.

According to recent research, breaches at small organisations total fewer than half of those at large ones, but this is changing; incursions by hackers increasingly affect smaller firms. This makes the issue particularly pertinent for construction, with its extended supply chain and large number of SMEs.

With this in mind, 黑洞社区 together with software specialist Egnyte convened an online roundtable of experts to explore key trends in and approaches to digital security risk, the rise of data-sharing management, and the importance of ensuring data security is maintained throughout the supply chain.

A silver lining or just the cloud?

Meeting chair and 黑洞社区's special projects editor Jordan Marshall kicked off proceedings by asking the group to spell out their main concerns around digital security.

Clockwise from top left: Tom Willcock of Hollis Real Estate Consultants, Egnyte's Steve Yates, Craig Charlesworth of HLM Architects, Alinea's Cameron Baylis, Indi Singh Sall of NG Bailey IT Services

The recent advent of cloud technology has changed how most of us store everything from complex documents to basic images, and has similarly revolutionised how companies view data security, said HLM Architects' associate and IT manager Craig Charlesworth.

"I've spent my entire career focusing on the endpoint, the internal network, segmentation, creating safe places for data. And then the cloud comes along – and all the great practices we've got, it's out in the wild now.

"Making that boundary leap from 'this is ours, we're controlling it' to putting it out into someone else's domain is quite something. Essentially we're making the vendor of these applications responsible for our data, and it's been a hard thing to evolve into," Charlesworth added.

There had also been a significant shift in how firms procure software, inevitably affecting how firms control data, according to Indi Singh Sall, technical operations director at NG Bailey IT Services. "Historically a business unit would go to its IT department and request something like an essential application, and the controls for those systems would be managed by the ICT [information, communications and technology] guys."

The advent of cloud technology meant ICT was becoming more of a procurement operation, said Sall, yet vigilance was still required. "You need to understand the governance process, ensuring that contractually you can use these new cloud applications properly. You have to make sure that the applications and systems being used are compliant with your policies. At NG Bailey we've created governance teams within our business units to ensure the data is being managed appropriately."

Creating a system of controls was crucial, said Tom Willcock, director in charge of surveying innovation at Hollis Real Estate Consultants – as was ensuring a business had robust back-up strategies in place. "We're not just talking about sharing data. There's also possible manipulation of data and the threat of contamination getting into your core networks. You need to avoid this, and understand how it could be compromised. What is your data classification? How is your data stored? Is it segregated? It's a multifaceted area."


One factor that can never be ruled out in the digital risk arena is human error. Alinea partner Cameron Baylis said: "You can train people, you can advise people, but if someone clicks on a [virus] link there's not much you can do about that. We put a lot of effort into trying to prevent as much of this as we can, educating as much as we can. And then it's a case of keeping on top of the people, regularly advising them not to do things like clicking on these links."

Data flow pitfalls

Businesses experience internal tensions around the need for security and the desire to collaborate. Steve Yates, Egnyte head of marketing, defined the problem as "having the right amount of security to allow people to collaborate – because you want people to have access to anything from anywhere, on any device – but also to consider the difficulty of managing that from a security perspective".

He also questioned the implications of sharing data. "At some point sharing isn't really sharing, in the world of data. Very often, sharing just means 'I make a copy and I give it to you'. This creates inherent problems in that when I give you a copy I no longer maintain ownership of that data. I can't manage it, I can't control it any more, and I've no visibility of it. So we often talk about sharing, but it's not really sharing. It's not always a case of 'we give something to somebody, then they do something with it and then we take it back'."

How data is used in buildings, particularly for sensors and to assess the use of space, was another issue raised. Willcock highlighted how data flows and the use of a building could affect the valuation of the building. "But what if that can be manipulated? What if you have spoof devices that can affect that?"

HLM's Charlesworth added: "This is a potential problem being stored up for the future. You've got all these sensors around the building to make it smart, but what's the lifetime on them? What's the projected upgrade schedule on these devices? Are companies locked in for five years, 10 years, 50 years, to keep these things up to date and patched and make sure they're not vulnerable? Or is there a responsibility to continually change these devices? And does the owner of the building understand this aspect when they take ownership of it at the end of the project?"

This raised another potential tension, said NG Bailey's Sall. "You've got an IT department which understands technology, and a facilities department which understands how to operate a building. In many cases there are demarcations, when really they need to be brought together. Operators need to understand the actual building is sitting on a network and that the facilities and the IT departments need to come together and recognise that there is a problem to fix."

Accreditation – all it's cracked up to be?

The panel acknowledged that many firms were going down the ISO route, particularly ISO 27001, a specification for an information security management system (ISMS) which was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving that ISMS.

But Hollis's Willcock said such accreditations were only any good if they were carried out in practice. "It's vital you have those control frameworks in place and follow them properly. I've come across ISO 27001-accredited companies that had standard admin passwords on servers. A directive control framework is just a bit of paper. You really need to have all the proper elements actually in place if you want to cover yourself effectively."

Many firms also obtain Cyber Essentials accreditation, the government-backed scheme developed and operated by the National Cyber Security Centre (NCSC). But accreditation schemes cannot solve some of the challenges that firms face, according to Charlesworth.

Source: shutterstock.com

BIM in particular brings some interesting challenges as new rules around the golden thread of data are implemented

For all the effort that he and his IT colleagues at HLM put into educating staff about the need for security, at the end of the day "they just want to build buildings. They're not that bothered if we get hacked, or how. But it's important to get them to understand that they should be bothered," he said.

The end user was probably HLM's biggest risk, said Charlesworth. "They can get to one part of the network and another that we've allowed them to, and they can cross that bridge and transfer data to somewhere it shouldn't be, because they needed to get the work done."

Support – for whom and from where?

黑洞社区's Marshall wondered where firms were getting the most up-to-date security information and guidelines for their operations to be as secure as possible. Alinea's Baylis said a third party looked after all his firm's IT systems. "They make sure that we are up to date, that our servers are all running perfectly. We meet up with them every week, just to make sure that we are all aligned and that our equipment, all laptops and so on, are fully up to date."

NG Bailey's Sall said his firm also had third parties for support "in terms of keeping us up to date on the latest threats. We also have a lot of technical engineers, and pre-sales teams, and they are tuned into the security threats, especially on systems.

"We manage a lot of systems for our customers, so our operational teams are tuned in with the latest threats to ensure that we're updating the software. And we work very closely with vendors to get updates as well."

HLM's Charlesworth raised the issue of responsibility: "If it's your organisation setting up a common data environment, and you're giving a third party access to that data, are you then responsible for that third party's training and constant monitoring of their account?


"Does their organisation need an effective policy in place to ascertain whether a particular member of staff is adhering to what has been agreed? We find that we're an IT team which seems to be helping other companies access certain data which is not necessarily within our network anymore. So where do those boundaries lie in terms of help and support?"

Sprawling data

And as "data sprawl" – where data spreads out across networks and to different users – increases, firms must be vigilant. How do staff mitigate the risks of sending out data – such as documents – while doing their day job to the best of their abilities?

It depended on the risk involved and what was being potentially compromised, said Hollis's Willcock. "BIM's got some really interesting challenges ahead, particularly as it moves forward into the golden set of data. That is going to form the whole thread moving forwards, and it needs to get sent to the regulator. But what happens if that data got compromised?"

Willcock said that while BIM was all about collaboration, he wondered about the controls in place to make sure no one was going in and changing things. "What would happen if a hacker got in and made all the steel girders 30cm shorter before they were fabricated, just because they could? Somebody has then spent millions of pounds on stuff that can't be used on site. It's a fascinating set of risks."

Source: shutterstock.com

Where do the data boundaries lie in terms of third-party suppliers or IT support? Firms must think this through

Egnyte's Yates said data sprawl reflected storage being cheaper than ever. "We can get access to terabytes and terabytes of storage in many places for very little. That's a concern, because then I think, 'Where is the latest version? Are we all working to the latest versions of the documents?' This is intellectual property; is it in the wrong hands? The thought of important data being on someone's phone on a WhatsApp session is frightening.

"Sprawl is made easy by the fact that storage is cheap, so we don't tend to care. But ultimately, it creates a security risk. Are people being asked for more in terms of security? Are people being required to adhere to new regulations? Are there changes being asked for to keep [risk] insurance premiums the same, or have they gone up?"


Said NG Bailey's Sall: "We're on a number of frameworks and recently we've been sent a whole load of terms and conditions to sign regarding cybersecurity, because the premiums for cybersecurity are going through the roof." As a result, NG Bailey sits down with insurers, Sall said, "and we do a deep dive into our business with them, so they can understand the risk, and what mitigations we're putting in place. It's about building a really good relationship with them."

Insurers would normally be very interested in understanding a firm's risk and control framework and talking through what is done in practice about these things, said Willcock.

Speed of change

Meanwhile the global pandemic has accelerated change across the construction industry, and Marshall wondered how that had changed the risk profile and the kinds of threats that firms were concerned about. Had they adapted relatively quickly?

"We basically said if we offer our people a form of 'smart blend working' where they can work wherever they want, we will be responsible for the technology they use," said HLM's Charlesworth. "So we've essentially given everybody a laptop that is still under our control, which has mitigated quite a lot of the risk and worry for home kit being VPN-ed into the networks and all of the chaos that that potentially brings."

Alinea's Baylis agreed. "We pretty much did the same; everyone has a work laptop, run by the IT departments, and accessing it outside the office is all via VPN with appropriate authentication. Otherwise it's about limiting people's access, making sure they only have access to folders they need."

Willcock agreed, adding that security had been tightened at his firm. "That's happened across the board, from access to systems and IP tracking, monitoring, data loss prevention tools, network benchmarking, all of these things have really come to the fore, because before it was everyone sitting in an office. Now suddenly, everyone's working from home so there is a substantial change in terms of risk profiles."

Supply chain challenges

As with any other type of risk in construction, guarding against data risk is best achieved when relationships between supplier and customer are at an optimum. NG Bailey conducts quarterly reviews with suppliers, assessing their data security policies, said Sall. "We work with them, instead of beating them up. We're trying to help them as a business, but also understand some of the risks and can they manage that risk from a data perspective. If they can, great; if they can't then we don't work with them."


The consulting side of the industry has to take a different approach to data security. Said Alinea's Baylis: "Given how we work, our supply chain is very different to Indi [Sall]'s, where our supply chain is more consultants who will be working with us. They'll get a company laptop and will need to adhere to all our policies. They don't become staff, but they get treated as if they were a member of staff. They have to adhere to all our policies, and if they don't then we call them up on it."

HLM also takes the approach of effectively regarding suppliers as members of staff, said Charlesworth. "We have an approved supplier route, and they have to be vetted. First they get added to an internal list that we can use and don't deviate from. If we were to use people who aren't on that list, they won't get paid."

At any point anyone could create a problem, said Egnyte's Yates. "You can't just say on day one: you're secure, therefore you're secure forever. You have to continually assess. For me security is so much more than 'it's just an external network problem'. A lot of people think cybersecurity is just 'How do we secure our network? How do we stop people from getting in? How do we stop bad actors from accessing the data?'

"But what I see more often than not is an insider threat. People maliciously compromising data or through neglect or a lack of training. Are they clicking on what they should? Did they share the wrong file with the wrong people?"

The future?

So what of the future, 黑洞社区's Marshall asked. How can risks to data security best be tackled? There appeared to be a consensus around one starting point: the attitudes of staff.

Hollis's Willcock said people were the most important and potentially influential factor. "People think data risk belongs to the IT department. But it is everyone's problem. Your most likely point of compromise is going to be the people within your organisation. So ensuring that people remain vigilant, and are adequately trained, is crucial."

NG Bailey's Sall agreed. "Teach your people, continuously remind them of their responsibilities for the data they're managing, make sure they understand the risks and remind them through regular evaluation, not just a one-off 'Oh, yes, we've done the assessment'. It is a continuous process of improvement.

"And that includes the supply chain. It's got to involve everybody who touches our data set; it's vital they understand that."

And while Alinea's Baylis agreed that education and training were vital, he pointed out that sometimes it wasn't enough: "The biggest factor is going to be human error. As I mentioned earlier, you can train people as much as you want, but if someone decides to click on that link, there's not much you can do about it."

Round the table

  • Chair: Jordan Marshall, special projects editor, 黑洞社区 magazine
  • Cameron Baylis, partner, Alinea Consulting
  • Craig Charlesworth, associate and IT manager, HLM Architects
  • Indi Singh Sall, technical operations director, NG Bailey IT Services
  • Tom Willcock, director in charge of surveying innovation, Hollis Real Estate Consultants
  • Steve Yates, head of marketing, Egnyte