James Griffiths is co-founder and chief technical officer at Cyber Security Associates
As the construction industry embraces technological advancements to more effectively manage its supply chain, it’s easy to overlook the risks that can come with digital transformation. Enabling just-in-time practices and streamlining processes can have a significant impact on results.
Cost savings can be extremely welcome, especially post-pandemic, as materials, shipping, and rising energy and fuel costs have all had a dramatic effect on margins. These savings can be passed on to customers and make a business more price competitive.
All of these benefits sound very attractive. However, we have seen a series of Tier 1 contractors – including Interserve, Bouygues UK, Bam and, more recently, Amey – hit by cyberattacks over the past three years.
Supply Chain Hazards
This increase in attacks, amid the global sphere of rising cybersecurity threats and the rush to digitalization, means companies need to pay greater attention to potential dangers lurking in their supply chain. Contractors should perform due diligence and risk analysis on their digital supply chain as rigorously as they perform regular health and safety risk assessments.
The 2022 Cybersecurity Breach Survey report found that over the past 12 months, construction companies were among the least likely to have conducted activities to identify cybersecurity risks. With complex supply chains and traditionally less mature cyber defenses, it’s easy to see why the sector has been touted as a potential gold mine by those operating illegitimately on the dark web.
It has been reported that the individual cost of successful cybersecurity breaches for medium and large businesses is estimated at £19,400. Added to the financial cost are delays, business interruptions and reputational damage. Given all of this, cybersecurity policy and governance can no longer be overlooked.
What can you do?
So how can construction strengthen its cybersecurity posture? When looking at your digital supply chain, consider anything and anyone with an online presence. If they are connected to a network or using the Internet, there is a potential risk.
For example, as the industry seeks to move away from outdated and costly paper-based processes, one of the biggest advancements in this sector is the wide range of digital tools for task management, supply management, invoicing and data management that have become available. While the benefits of these tools are obvious, their digital footprint opens doors for cybercriminals.
“Protecting yourself against these risks requires building a solid internal cybersecurity policy and a governance strategy”
In addition, supply chains are now global. While it is reported that only 20% of the materials used by contractors are imported from the EU and the world, this percentage is much higher than decades ago. Unfortunately, legislation around cybersecurity practices varies from country to country, so geographic location should be considered when looking for third-party partners.
It’s important to highlight every step and every person in your supply chain – whether they provide goods and materials or offer a third-party service – and how they provide those services to you when outsourcing, as part of the assessment of your cybersecurity defenses.
Protecting against these risks means having a strong internal cybersecurity policy and governance strategy in place, which can be led by your in-house CTO or in consultation with an experienced agency. As part of this strategy, first highlight areas of your business that are potentially at risk. Create a risk register, which is updated and maintained to show what the risks are and how they are accepted, addressed or mitigated.
Take it seriously
As part of this cybersecurity policy and governance, ensure that the third parties you work with take cybersecurity as seriously as you do. There is no point locking all the doors and leaving a window open. Perform due diligence on your suppliers when contracting, and understand your vendors’ level of information security before accepting their services.
Additionally, you should ensure that you use the services of a cybersecurity agency experienced in your industry. Specialist cybersecurity knowledge is hard to come by in-house, so having skilled advisors who understand and can advise on ever-changing threats is essential. While many experts can claim to have the right software and policies in place, every industry is different and has its own pitfalls.
Finally, as part of your governance, have a clear “reaction and response” procedure, which includes staff training. The need has never been greater to equip your staff with the skills to recognize potential threats in the supply chain and put in place a robust, proven response policy. Business continuity and disaster recovery plans should include cybersecurity, and specifically scenarios that include a third-party compromise. This will also lead to business impact assessments.
With threats becoming more intelligent and potentially damaging, contractors should perform their own supply chain threat analysis, as they would any other risk assessment and, importantly for securing new business, be perceived as doing more to secure their cybersecurity posture.