The National Cyber Security Centre (NCSC) has recently partnered with the Chartered Institute of Building (CIOB) to produce expert guidance, aimed at helping small to medium-sized construction businesses protect themselves against cyber threats.
The NCSC is part of the Government Communications Headquarters (GCHQ), providing expert guidance and consultancy to a variety of government and industry sectors, including construction. Their aim is to make the UK world-class when it comes to working safely and securely online.
Like most other industries, construction has experienced a digital transformation in recent years, embracing new technologies that have revolutionised how construction firms operate. With this has come an increase in cyber crime committed against construction businesses, prompting the NCSC and CIOB to partner up to offer guidance to reduce the risk of construction firms becoming the victim of cyber attacks.
NCSC & CIOB Cyber Security Guidance for the Construction Industry
The NCSC and CIOB’s guidance for construction companies wanting to protect themselves against cyber threats falls into seven categories:
- Backup and recovery of data.
- Protecting office equipment from malware.
- Keeping portable devices safe and secure.
- Utilising password protection to protect your data.
- Effectively dealing with phishing and other email threats.
- Collaborating with suppliers and partners.
- Preparing and responding to incidents.
Below, we’ll take a brief look at the seven areas covered within the guidance, with the full guidance available to download at the end of this article.
Backup & Recovery
Data is the lifeblood of any business, and it’s imperative that it’s protected, not only from cyber attacks such as ransomware or other malware, but also from things like theft of equipment or even flooding or fire.
Construction businesses should identify the data most crucial to their business and start there. It’s important that data is backed up away from the network where the original data exists. This could be as simple as a memory stick or external hard drive, or potentially backing data up in the cloud.
It’s also important to make backup part of your daily processes, and ensure that only the appropriate people have access to the backup, and know how to recover data should something happen.
Protecting Office Equipment from Malware
Malware is malicious software which, once in your system, can cause serious issues including stealing, deleting or encrypting your data, locking devices and making them unusable, obtaining passwords to access your software and services, and even using your software to attack other businesses.
To protect against malware, it’s important you use antivirus software, only download approved apps to your devices from trusted sources, and maintain IT hardware and software. For example, ensuring your operating system is always the latest version with the latest security features. New cyber threats emerge all the time, so it’s important that your software is up to date.
It’s also important to restrict the use of portable media such as USB sticks and external hard drives, which could be infected and subsequently infect your business devices when plugged in. Finally, it’s important to collaborate with any third parties who access your systems and software, to ensure that access is granted securely and is monitored, to prevent it becoming an easy route for cyber attacks.
Keeping Portable Devices Safe & Secure
Businesses increasingly use portable devices to run their operations and access their data. It’s extremely important to ensure devices aren’t left unattended when unlocked, are password or PIN protected, and can be located or wiped remotely if lost or stolen.
It’s also essential to keep software on portable devices up to date. It’s all too easy to delay a suggested software update, in the knowledge that the device will likely require a restart and become unusable for a short period of time. These updates however often provide the latest security features, and should always be actioned immediately.
Finally, it’s important when connecting to public Wi-Fi that you are fully confident that you are connecting to the service that you think you are. This could be as easy as simply asking a member of staff in the coffee shop you are working in.
Utilising Passwords to Protect Your Data
This seems like a no-brainer, but password protection and password storage are commonly overlooked within businesses. All devices should be password or PIN protected, and devices should log users out after a period of inactivity. It’s also important not to use predictable passwords. Sounds obvious, but you’d be surprised how many people’s passwords are “password”.
Passwords should also never be written down or exchanged in email or messaging apps. They should be stored in secure password vault software, with many free versions available (the most commonly known being LastPass). These types of software allow passwords to be securely stored and shared between users.
Finally, for more advanced protection, two-factor authentication (2FA) can be used. 2FA adds an additional layer of security by requiring the user to complete a second step in order to gain access to their software. This could involve the user receiving a text message with a code required to access the software, or an app on their device that shows a unique code that changes regularly.
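To show what is happening inside the second kind of 2FA described above (an app showing a code that changes regularly), here is an added example of a time-based one-time password generator and server-side verifier. It is example code written for this article, not code from the NCSC, the CIOB or Eventura; it implements the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) using only Python’s standard library, and the shared secret is the RFC’s published test value, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (NOT a real credential).
# Authenticator apps receive the same secret as Base32 text, usually via a QR code.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_BASE32 = base64.b32encode(DEMO_SECRET).decode()  # "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(text):
    """Decode a Base32 secret as shown during enrolment (spaces and lower case tolerated)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any padding the app stripped
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """Time-based variant (RFC 6238): the counter is the number of 30-second steps since the Unix epoch."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, submitted, for_time=None, step=30, window=1):
    """Server-side check. Accepts the current step plus `window` steps either side to
    tolerate clock drift, and compares in constant time so timing does not leak the code."""
    t = int(time.time() if for_time is None else for_time)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, t + drift * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    secret = secret_from_base32(DEMO_SECRET_BASE32)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
    # A code from 90 seconds ago is already rejected: a code captured by a phisher is only useful briefly.
    print("stale code accepted:", verify_totp(secret, totp(secret, now - 90), now))
```

The point for a business is visible in `verify_totp`: the app and the service share one secret, the code proves possession of that secret at a particular 30-second window, and a code that has leaked is worthless once that window has passed. Hardware keys and push-based approvals go further still, but the same idea of a second, short-lived proof applies.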
Effectively Dealing with Phishing and Other Email Threats
Phishing is when criminals use email, SMS, phone calls or social media to trick their victims. Most commonly, this involves scam emails containing a link. The email might look and feel like it has come from a legitimate source, for example the recipient’s bank.
Once clicked, the link in the email might trigger malware to be downloaded to the recipient’s device, or navigate to a website that also looks legitimate but isn’t, where the recipient is asked for personal details like passwords, bank account or card details.
The best way to protect you and your business from phishing is education. It’s important that everyone within the business understands what to look out for. Phishing emails often look like they’re from legitimate sources, but closer inspection of the sender’s email address can quickly identify them as fraudulent.
These types of emails often contain requests with a sense of urgency attached, fooling the recipient into thinking they need to carry out the required action quickly. They might even evoke emotions with employees, for example, fooling someone into thinking they will get into trouble at work if they don’t carry out the request.
As well as educating employees, it’s important that attempts at phishing (successful or not), are reported to the NCSC. It’s also possible to make yourself a harder target by tightening up privacy settings across publicly accessible platforms like social media so that criminals don’t have access to information about you or your business they could use to make their contact appear genuine.
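To make the “closer inspection of the sender’s email address” mentioned above concrete, here is a small triage routine added for this article; it is not part of the NCSC/CIOB guidance and not Eventura’s tooling. It assumes a constructed allow-list of domains the business knows it receives mail from, and runs over constructed sample `From:` headers, flagging three common tricks: a trusted domain embedded inside a longer attacker-controlled one, a near-miss spelling, and a display name claiming a brand that the actual address does not belong to.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list: domains this business knows it legitimately receives mail from.
TRUSTED_DOMAINS = {"examplebank.co.uk", "supplier-example.com"}

# Constructed sample From: headers, as they would appear in a message's headers.
SAMPLE_FROM_HEADERS = [
    '"Example Bank" <alerts@examplebank.co.uk>',                   # genuine
    '"Example Bank Security" <alerts@examp1ebank.co.uk>',          # near-miss spelling (digit 1 for l)
    '"Example Bank" <support@examplebank.co.uk.login-check.net>',  # trusted name embedded in another domain
    '"Example Bank" <no-reply@mail-service-1234.com>',             # display name claims a brand, address does not
    'Bob <bob@personal.example>',                                  # not trusted, not impersonating anyone
]


def _brand(domain):
    """Crude brand token: the first label of a domain, letters and digits only (examplebank.co.uk -> examplebank)."""
    return "".join(ch for ch in domain.split(".")[0] if ch.isalnum())


def inspect_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return a verdict ('trusted', 'suspicious' or 'unknown') and the reasons for one From: header."""
    display_name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    result = {"address": addr, "display_name": display_name, "reasons": []}

    if not domain:
        result["reasons"].append("no usable sender address")
        result["verdict"] = "suspicious"
        return result
    if domain in trusted:
        result["verdict"] = "trusted"
        return result

    # Compare the display name with the brand names of trusted domains, ignoring spaces and case.
    compact_name = "".join(ch for ch in display_name.lower() if ch.isalnum())
    for good in sorted(trusted):
        if good in domain:
            result["reasons"].append(f"trusted domain '{good}' embedded in longer domain '{domain}'")
        else:
            ratio = SequenceMatcher(None, good, domain).ratio()
            if ratio >= 0.8:
                result["reasons"].append(f"'{domain}' is a near miss for '{good}' (similarity {ratio:.2f})")
        if _brand(good) and _brand(good) in compact_name:
            result["reasons"].append(f"display name '{display_name}' claims '{_brand(good)}' but address is '{addr}'")

    result["verdict"] = "suspicious" if result["reasons"] else "unknown"
    return result


def triage(headers=SAMPLE_FROM_HEADERS):
    """Inspect each sample header and return the list of results in the same order."""
    return [inspect_sender(h) for h in headers]


if __name__ == "__main__":
    for r in triage():
        print(f"{r['verdict']:10} {r['address']}")
        for reason in r["reasons"]:
            print("           -", reason)
```

The checks are deliberately simple and are the same ones a person is being asked to do by eye: read the whole domain after the `@`, not just the familiar part at the start, and notice when the name shown does not match the address behind it. A mail gateway would do this at scale, but the same logic is what staff training should leave in people’s heads.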
Collaborating with Suppliers and Partners
Construction businesses often have a large number of suppliers and partners, and it’s important to point out that an attack on them can be as serious as an attack on your own business. An attack on your business could also directly affect them, meaning it’s in everybody’s best interests to ensure cyber security is a must, and not just a consideration.
With a large supply chain, construction businesses should start with their highest priorities (generally suppliers and partners who they share the most sensitive data with). Ensure they have the necessary procedures and systems in place to limit the potential for cyber attacks.
Many construction businesses do this by encouraging their suppliers to get Cyber Essentials certified, a government backed industry scheme designed to support organisations to protect themselves from cyber threats.
It’s essential that you and your suppliers have agreements in place as to who is responsible for what, and what to do in the event that either party falls victim to a cyber attack.
Preparing and Responding to Incidents
Malware (and ransomware) attacks are becoming increasingly common in the construction industry, so it’s important to prepare your business and respond to any attacks quickly and efficiently.
By implementing all the steps we’ve already spoken about, you can provide some protection to your business, but inevitably, cyber attacks can still happen. Although it is impractical to prepare a response for every one of the multitude of cyber attacks out there, there are ways you can prepare yourself.
One of these is to utilise the NCSC’s Exercise in a Box product. The NCSC’s Exercise in a Box is a toolset enabling organisations to run tabletop and micro-exercises on cyber incidents or attacks.
It offers an organisation the ability to find out, in a safe environment, how prepared and resilient they are against cyber threats—allowing them to practice responses to critical events.
The reporting it produces helps an organisation understand where it is most at risk, where it needs to improve, and how it can better manage these situations.
Here at Eventura, we’re extremely proud that we took part in the testing and feedback stage of the NCSC’s Exercise in a Box, and even received a mention in the NCSC – Annual Review 2020.
One of the most important aspects of preparing for cyber attacks is spotting the signs that you’re actually under attack. The following are some of the common signs that a cyber attack has happened or is happening:
- Your computers are running slowly.
- Your employees are locked out of their accounts.
- You can’t access your files and data.
- You have received messages asking for a ransom to restore access.
- People have received emails from you that you didn’t send.
- Redirected internet searches.
- Payment requests you don’t recognise.
- Any other unusual account activity.
If you do fall victim to a cyber attack, it’s important that you resolve the issue as quickly as possible. This could be internal IT responding, or it could mean third-party managed IT partners being contacted immediately. Your aim is to get things back to normal as quickly as possible to avoid further problems. This might include:
- Restoring services and data from backups.
- Patching software.
- Replacing compromised hard drives.
- Changing passwords and access rights.
- Cleaning infected machines.
Finally, it’s important to learn from the incident, assess how it happened and how you responded, and put further measures in place to prevent a repeat incident.
To read the full NCSC guidance on cybersecurity for construction please click here.
Eventura – Construction & Cyber Security Experts
Here at Eventura, we have a long standing relationship with a number of construction clients. From implementing robust ERP systems such as Sage 200, with industry specific modules for construction, to providing best-in-class managed IT, cyber security, hosting and backup, we understand construction.
We know all of the challenges construction firms face (including cyber security), and provide game-changing solutions that can revolutionise how a construction business operates.
If you would like to speak to one of our Sage 200 Construction or cyber security experts, you can request a free call back here.