UK construction should continue to set the bar for BIM practices, but the industry must ensure customers’ information is in safe hands

Steve Cooper

The WannaCry cyber attack put cyber security on the front pages and the top of news bulletins in the UK and beyond. The outages mass ransomware attack was a serious wake-up call for all business leaders, whether in the largest or smallest organisations.

The construction industry, in particular, needs to view the WannaCry moment as a catalyst for some much-needed change.

Cyber threats should matter to the sector because of the rise in digitisation, and the significant increase in sensitive asset data as a consequence of the increased adoption of building information modelling (BIM) strategies. A common data environment (CDE) unlocks the full potential of BIM. It can help to handle all information processes concerning the plan-build-operate lifecycle, and it’s all about capturing, structuring and sharing data.

However, a trend towards digitisation isn’t necessarily keeping pace with the need for stronger data security to prevent or mitigate the effects of an attack. In fact, the sector is lagging behind other parts of the economy in cyber security. The UK government’s Cyber security breaches survey 2017 by the Department for Culture, Media and Sport (DCMS) reveals senior manager involvement in cyber security issues is particularly lacking among construction firms. While 67% of senior managers in construction view cyber security as a high priority, this compares badly to senior managers in finance or insurance (90%) and professional, scientific or technical firms (86%). What’s more, 41% of senior managers in construction never update management on potential concerns.

Of course, the fact that a bank looks after its data better than a construction company is perhaps not surprising. However, the changing nature of cyber crime does threaten construction firms and consultants more directly. For example, a ransomware attack that prevents access to critical data or applications could be seriously disruptive to a construction team.

Construction firms and consultants can take steps to tighten up information security. ISO27001 certification is the highest international standard for information security management. It helps to distinguish how information is handled and protected, including processing, storage, transfer, and archiving.

While this standard is important, the digitisation trend in construction requires much more from a construction firm or consultant. And the pressure to improve cyber security is coming from government and public policy internationally.

On one hand this is about how governments are requiring suppliers of construction and building services to meet much more stringent cyber security standards. The best known examples are the Federal Risk and Authorization Management Program (FedRAMP) in the US, the UK’s 14 Cloud Security Principles and the Information Security Registered Assessors Program (IRAP) in Australia. These standards apply to asset owners, general contractors, engineering, procurement and construction (EPC) firms, and project managers involved in the design and construction of government infrastructure projects.

However, the greater pressure on the sector to take cyber security more seriously is the new Data Protection Bill, which will transfer the European Union’s General Data Protection Regulation (GDPR) into UK law. When GDPR comes into effect in May 2018, this legislation will require all organisations operating within Europe to amend their existing privacy notices and terms. Further to this, data breaches must be reported to regulators within 72 hours, or businesses could be subject to fines of up to £17m or 4% of global annual turnover. As the construction industry becomes more digitised, GDPR highlights the growing risk and potential impact surrounding the data that companies hold.

At a time when cyber security is such a sensitive subject, cloud technology can offer a salve. Some cloud-based platforms and providers facilitate compliance with higher cyber security standards and enable collaboration; they manage access to the sensitive data shared between owners, contractors, design teams and subcontractors. With constantly evolving challenges within cyber security, asset owners and their project teams also benefit from cloud vendors’ continuous review of best practices and investment. Cloud-based solutions are in a position to implement change in compliance, governance and data protection, and to maintain the confidence of authorities and customers alike.

The DCMS report very publicly reveals UK construction’s shortcomings: construction firms must play a more active role in ensuring their own data is secure, along with that of their customers and extended supply chains. Compliance standards are both a challenge and an opportunity to modernise and update an organisation. The UK construction industry should continue to set the bar for successful BIM practices, but it must also better reassure customers that their information is in safe hands. After all, the data-driven nature of our industry is here to stay.

Steve Cooper is general manager, UK & Ireland, at Aconex