Cyber risks and GDPR: How does it affect the construction industry?

Construction is a hands on industry; building infrastructures, mining, quarrying, forestry, supply of products, as well as maintenance and disposal, for both B2B and B2C clients. It’s also big business; construction output in the UK is more than £110 billion per annum and contributes 7% of GDP[1]. So it might be surprising to hear that an industry that constructs so much offline, is in fact one of the highest at risk online.

According to UK government statistics, in 2015, 15% of construction business premises were affected by online crime. That means 1 in 6 constructions firms.[2] A study from The Home Office from that same year shows there were 77,000 incidents of online crime against construction companies, in which 71% were computer viruses and 10% to hackers.[3]

Construction industry data is more valuable than you think

Think about a construction company client base, the current, past and future projects and all the information they hold. ‘The leaking of market-sensitive information, intellectual property or other confidential information could have serious financial consequences.’[4]

One of the most publicised and embarrassing security breaches came back in 2013, when hackers believed to be working from China stole a construction company’s blueprints for the building of the new Australian Security Intelligence Headquarters.[5]

It isn’t just hackers you need to be protecting yourself against either, multiple sets of employees, consultants and contractors, could all provide an element of risk when it comes to a data breach. Don’t forget, it is a legal requirement for construction companies to ensure that all data is held securely and is used in the correct way.

GDPR and Construction

Be aware of GDPR (General Data Protection Regulation) and what it means to you. As the construction industry faces a migration towards more digitalised, integrated and complex systems such as BIM and Procore, the potential impact and risk to the data being held by companies is increasing.

GDPR is coming. In an effort to make sure companies are doing everything they can to protect their data – this EU legislation is coming in to force from May 2018 and companies need to be ready. Bringing penalties of up to €20 million, or, if higher 4% of total revenues for those who don’t comply.

Building a safer cyber environment

Keeping systems up-to-date, having back-ups, secure Wi-Fi, installing anti-virus and building an internal policy to educate staff all helps to reduce risk. Perhaps start by having a frank discussion with your IT support provider to ensure you are doing everything you can.

Here are a few more tips to help protect your business:

  • Consider getting the ISO 27001 certification, which proves you are following the necessary security policies and procedures.[6]
  • Make sure your finance team are well trained and kept on high alert for phishing scams.
  • If you have multiple connected users, make sure you install a privileged account security solution on each device. It will help to reduce your chances of sensitive data being accessed. It also makes it easier to control should a device be mislaid or stolen. Installation of software that provides real-time protection and automatically receives the most up-to-date malware definitions.[7]
  • ‘Establish Incident Response Plans. Prepare a plan for responding to an incident.’[8]
  • ‘Establish Lines of Communication. In responding to a cyber-attack and its aftermath, communication is key.’[9]

If the worst happens, ensure that lessons are learnt to help protect you from attacks in the future.

[1] https://www.designingbuildings.co.uk/wiki/UK_construction_industry
[2] http://www.infrastructure-intelligence.com/article/may-2016/one-six-construction-firms-affected-cyber-crime
[3] http://www.theconstructionindex.co.uk/news/view/cyber-criminals-target-construction
[4] http://constructionblog.practicallaw.com/it-is-not-a-matter-of-if-but-when-cyber-security-in-the-construction-industry/
[5] http://www.independent.co.uk/news/world/australasia/chinese-hackers-steal-blueprints-for-australian-spy-hq-8633757.html
[6] https://www.itgovernance.co.uk/blog/how-iso-27001-can-help-to-achieve-gdpr-compliance/
[7] http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/
[8][9] https://www.bradley.com/insights/publications/2016/03/cybersecurity-for-the-construction-industry