Construction firms are being offered tailored advice on how to protect themselves from cyber attacks and other online threats in new guidance from the National Cyber Security Centre (NCSC), the cybersecurity arm of intelligence agency GCHQ.
The new ‘cyber security for construction businesses’ guide is designed to provide practical advice to organisations in the construction industry on how to protect businesses and building projects from cyber threats.
The report warns that the construction industry faces threats from cyber criminals, ransomware gangs, malicious insiders and nation-state hacking operations.
“Recent high profile cyber attacks against the construction industry illustrate how businesses of all sizes are being targeted by criminals,” NCSC said. Construction businesses are seen by cyber criminals as an “easy target”, the guide said, as many have high cash-flows, while the extensive use of sub-contractors and suppliers involving large numbers of high value payments makes construction businesses an attractive target for spear phishing.
“As construction firms adopt more digital ways of working, it’s vital they put protective measures in place to stay safe online – in the same way you’d wear a hard hat on site,” said Sarah Lyons, NCSC director for economy and society resilience.
“By following the recommended steps, businesses can significantly reduce their chances of falling victim to a cyber attack and build strong foundations for their overall resilience,” she added.
SEE: Cybersecurity: Let’s get tactical (ZDNet special report)
Guidance offered includes advice on securing office equipment from malware and other cyber attacks, including that IT equipment is kept up to date with the latest security patches, ensuring that only approved apps are downloaded and that there are controls around how USB sticks and other removable media are used, as well as controls around how IT equipment can be accessed by third parties and suppliers.
Other guidance includes avoiding the use of predictable passwords, changing default passwords, using multi-factor authentication across all important accounts and other techniques which can help businesses avoid falling victim to phishing emails and other cyber attacks.
Organisations should also make plans around incident response, including regularly updating offline backups and to establish plans on how they would deal with different cyber attacks, should they face them.
The NCSC suggests that construction firms can do this using their free ‘Exercise in a Box’ product, which provides businesses with a means of testing their resilience and preparedness based on real cyber threat scenarios.
The guidance is designed to be easy-to-understand in order to provide the construction, building suppliers and related industries with information that can protect them from the most common cyber attacks. Senior members of the industry, as well as IT departments are urged to take the opportunity to examine now they can improve their cybersecurity defences to help avoid becoming a victim.
“The consequences of poor cyber security should not be underestimated. They can have a devastating impact on financial margins, the construction programme, business reputation, supply chain relationships, the built asset itself and, worst of all, people’s health and well-being. As such, managing data and digital communications channels is more important than ever,” said Caroline Gumble, Chief Executive of the Chartered Institute of Building (CIOB),
“This guide provides a timely opportunity to focus on the risks presented by cyber crime,” she added.
MORE ON CYBERSECURITY