Neil Hare-Brown, director of computer security consultant QCC, is familiar with the pattern. "When you walk into most companies' offices you see well-arranged filing cabinets. Then you look at their network …"
The fundamental issue is that many construction businesses do not realise that their main product is information – and if they do, they underestimate its value. As Hare-Brown says, the significance of project management to the sector means that a company's biggest asset is often its intellectual property. "Would you really want a competitor to know how your company ensures its projects are delivered on time and on budget?"
Hare-Brown knows his stuff. He spent five years in the security systems branch of the metropolitan police, was technical consultant to Scotland Yard's computer crime unit – the first such outfit in the world – and did a three-year stint as data security manager for Charterhouse Bank.
He compares the current state of computer security in the construction industry with that of the banking sector 10 years ago. In the early 1990s, banks were heavily reliant on proprietary systems and computing was handled at the departmental level. "As far as security goes, that's a nightmare," he says.
And it is not just companies' main networks that need attention. They also have hundreds of small, portable nightmares in the form of their laptop computers. Hare-Brown cautions against the attitude of one construction firm he could mention, which expressed the opinion that there was "nothing important on them apart from our presentations". So how much would you like to see a competitor's presentation? And what if someone has also downloaded the project appraisal programme that took 10 man years to develop? And in an industry in frantic competition with itself for a host of government contracts, a reputation for security would surely be a strong selling point.
Limiting computer access
Computer security is more than protecting your data from external sources. It can be just as important to regulate how your own staff use their computers. "Companies must have a policy that states what is allowed and informs staff that any conduct which falls outside this framework is disciplinary," says Hare-Brown.
When you walk into most companies’ offices you see well-arranged filing cabinets. Then you look at their network …
Neil Hare-Brown, director of computer security consultant QCC
There are strong legal reasons for this. Consider the question of staff access to the internet. If a member of staff downloads defamatory or obscene material, it will almost certainly remain on the system for a long time, exposing the company or individuals to civil or criminal liability.
There are three fundamental principles to include in a computer security policy, says Hare-Brown: confidentiality, integrity and accessibility. The first concerns access: is it limited to the right people? He refuses to name names, but one London branch of an overseas bank had (until he pointed out the error) given the computer privileges of a security officer to all of its 400 staff. Any member of staff could roam the computer system at will, with the potential to cause both intentional and accidental chaos.
Integrity covers everything from programs for updating software to preventing pornography. Are there proper procedures in place?
Hare-Brown tells a cautionary tale about one construction firm where senior management were concerned that their IT staff could be poached. In an attempt to prevent that happening, they awarded significant pay rises to eight of them. One, the telecommunications manager, having been told that the pay review was confidential, was surprised the next day when faced with a delegation of colleagues who had not been given rises.
It was revealed that a member of staff in human resources had let slip news of the review. And once someone started to search for details, it didn't take long to find them stored on an Excel spreadsheet called "payrise.xls". Furthermore, this spreadsheet was in several places on the system, having been emailed around the company. The real sting in the tail for the company was that the culprit could not be disciplined because it did not have a computer security policy.
Last in Hare-Brown's list of fundamental principles comes accessibility – can information be recovered if there is a problem? In the context of a proper policy, these three elements provide an audit trail that creates accountability.
Even if these policies are in place, however, companies still need to ensure that IT literacy runs all the way through it. Too often, Hare-Brown, notes there is a great deal of technological ignorance at the highest levels within companies. A North Sea oil company found that some of its control systems were failing and the in-house IT team was brought in to investigate. It was reported that the failures were the work of a hacker. Hare-Brown's team was called in and discovered what had really happened.
It transpired that one of the same IT team had made a change to the system without following proper procedure, then made up the hacking story in an attempt to deflect blame. Lack of board-level expertise meant they nearly got away with it.