This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our PRIVACY POLICY for more information on the cookies we use and how to delete or block them.
Article:

Assessing cyber risk in construction

27 April 2020

Leon Fouche , National Leader, Cyber Security |

Cyber security remains a key concern across industries and to insulate themselves from increased threat, construction companies should be looking at building a cyber resilience strategy. While it’s getting harder to maintain total control over the likelihood of a cyber event due to the changing technology landscape, a cyber resilience strategy will help manage the impact of an incident. This is becoming increasingly apparent as the construction industry are moving to a more remote workforce due to the impacts of COVID-19.

By implementing the right controls and testing them thoroughly to ensure they are sufficient, organisations have a better chance of recovering from an incident and ensuring business continuity – decreasing the overall impact on their finances and reputation. Construction companies should be assessing the potential cost of a cyber incident and the most effective ways to avoid it. 

Based on the results of the Construction Survey 2020  and aligning these with the recently released BDO and AusCERT 2019 Cyber Security Survey Report, there are two areas where key decision-makers can be taking a proactive approach to threat-based cyber security in their mission to establish resilience – this involves implementing cyber insurance and taking an inward-looking approach to training staff at all levels.

Cyber insurance

The BDO Construction Survey results show that of those surveyed, 63% of respondents do not have a cyber insurance policy in place.

In our experience, not adopting a cyber insurance policy is a strong indicator that those businesses have not qualitatively assessed the potential cost of a cyber incident and the most effective ways to avoid one. This often occurs due to a lack of awareness that this type of insurance exists, or there is a belief that it is not needed with other policies such as self-insuring or being covered under another policy will suffice.

These findings closely correlate with the number of cyber incidents experienced, suggesting there may be uncertainty if respondents had or had not suffered a cyber-attack.

Staff training

The willingness and capability for organisations to recognise and adjust to the modern way of operating will be critical to the future of construction. This acceptance is evident in the number of participants who expressed an increase in the uptake of technology moving forward. Cyber security education, training, and awareness among employees should go hand-in-hand with the implementation of technologies and be consistently reviewed.

In recent years, organisations have been highly concerned about the risk of third-party data breaches, often prioritising it as cyber risk. In response, many organisations are ensuring they are assessing the risks of their third-party security through audits. This is reflected in the findings of this report with several participants undertaking a third-party audit at least annually; and in the BDO and AusCERT 2019 Cyber Security Survey, which showed approximately 60% of respondent organisations across all industries were actively auditing, risk assessing, and setting baselines for their supply chain’s cyber security. Given the complex nature of the construction industries' supply chains, this is a positive finding. However, while supply chain risk is important, our Cyber Security Survey’s found that data breaches were more likely to be caused by trusted insiders – such as a contractor working in the office, or a supplier with internal access to the network, as opposed to an intrusion of a vendor’s networks alone. In particular, the prevalence of Business Email Compromise and Payment Redirection Fraud are areas where businesses should be investing time, resources and funds to manage risks.

With this in mind, construction companies must look internally to address issues where their infrastructure may be compromised. Given that many companies lack a resilience strategy, there is an identifiable gap in staff training and education about the safe use of technology.

Access the BDO Construction Survey 2020

If you would like further information on how creating a cyber-resilient strategy, contact our team.