Clients want construction firms to do business electronically, but also securely. For some of the biggest, such as the Ministry of Defence, it is a non-negotiable requirement. So, what defences should you erect?

Two weeks ago, a hacker somewhere in Greece tried to gatecrash CADWEB’s system. Fortunately, CADWEB, a major provider of document management services for large contractors and developers, had a robust enough security system to prevent the intruder gaining entry to the firm’s data centre. “It could have been a disaster,” says CADWEB sales director Francis Newman. “If they had got into the system, they could have changed the administrative password and crashed the whole thing.”

It is a testament to Newman’s confidence in the security of the system that he will admit to an attack. He says the hacker was thwarted because the system has very strong firewalls – hardware devices that protect it from illegal entry.

“They only got to the edge of the moat and fired a few arrows at the drawbridge as it was going up,” he says.

But information security breaches are fast becoming a major concern for firms using the Internet and e-mail. Even mighty Microsoft is not immune. A month ago, its free e-mail provider, Hotmail, was exposed as unsafe when hackers found a back door into the system.

So, with the government pushing e-commerce as the greatest industrial innovation since the railway, and more and more construction projects using extranets and the Internet to exchange documents, perhaps the industry should take a few security precautions.

Raising awareness, but not panic

The Construction Industry Computing Association fears that the industry is not concerned enough. It is about to carry out its own research among major construction firms to find out what they are doing about security.

The CICA plans to publish an outline of the issues that emerge from the study early next year. Managing director Ian Hamilton says: “Part of the problem is making senior people in an organisation aware that it is a problem, but at the same time we have to put it in a neutral tone so it does not become a year 2000 thing and the world will destruct.”

The most pressing concern is securing information held on the Internet. Several document-handling systems – Bovis’ Hummingbird is one – evade the issue by using private networks. These have a high level of security, but are expensive to hire and maintain. CADWEB allows firms to access its project data on the web, but protects it with what is known as tunnelling software. This scrambles data to prevent third parties from eavesdropping.

These measures may not be enough for construction firms with clients that demand very tight security, such as the Ministry of Defence or the police. For example, Laing, whose clients include the MOD and several UK police forces, keeps all project information inside firewalls. But Mervyn Richards, senior CAD and drawing consultant at Laing, admits that he still has “niggling worries”. The biggest of these is a teenager with time on his hands attempting to break into a system just for the fun of it.

The imminent explosion of e-commerce is also prompting concerns: a key one being the safety of users’ accounts when they post their credit card numbers on-line. The government’s e-commerce bill, which has just completed its consultation process, focuses chiefly on how to make credit card payments secure over the web.

Securing proof

But these advanced proposals for protecting information mean nothing if construction firms do not adopt basic security measures. Hamilton is still concerned at the number of firms that do not store backed-up documents off site, in case of fire. “If you have a big business that is totally electronic, it could be a serious problem.”

The CICA recommends appointing a security manager; not necessarily an IT expert, but someone to oversee all aspects of security.

Ove Arup & Partners is one company that has just such an individual, responsible for all aspects of the firm’s security.

There is also a British Standard for IT information security. BS 7799 was updated in May to take on board the increasingly widespread use of the Internet and subsequent problems with hackers and viruses. CADWEB has already gained BS 7799. Firms can also apply for the “c:cure” (secure, get it?) certificate. Firms that can demonstrate that they have implemented procedures to fend off hackers and nip viruses in the bud are presented with a recognised certificate.

The security issue will continue to dominate CICA members’ meetings, as business becomes more and more dependent on electronic data control. Firms such as CADWEB will also continue to find the odd bored teenager attempting to break into their system. But CADWEB will get some form of revenge on the unknown Greek. The hacker left a trail in the form of a traceable e-mail address, which Newman is now tracking down through the e-mail provider, with the promise of getting his or her e-mail connection pulled. But hackers have the advantage in this cat-and-mouse game; there is nothing to stop them setting up a new e-mail address whenever they want.

Security managers certainly have their work cut out.

Top tips for data security

  • Appoint a security manager
  • Establish a security strategy
  • Ensure that there is visible support from senior management
  • Communicate the importance of security management to all employees
  • Keep a manual on data protection handy for employees
  • Hold training sessions for all levels of computer users