Recent high-profile cases show corporate hacking is on the increase and holding business to ransom. In August last year, two hackers were arrested for penetrating the financial news and information company of American billionaire Michael Bloomberg and threatening to cause chaos in world financial markets if he refused to pay $200,000 (£140,000). In June 2000, 19-year-old Raphael Gray from Clynderwen, West Wales, was arrested for hacking into hundreds of internet sites and obtaining access to 23,000 credit card details. All this from an £800 PC set up in his bedroom.
And in case you think cyber crime is victimless, a PricewaterhouseCoopers survey recently estimated that hacking and computer viruses such as the Love Bug and Melissa cost business approximately £1.1 trillion worldwide last year.
Testing vulnerability
For contractors, hacker activity means sensitive project information stored electronically is at risk from rival companies or from someone who bears a grudge. Construct IT, the industry-owned IT research organisation, has found its members are so worried about hacking that it is drafting a guide for senior managers on IT and internet security.
If you have some cash to spare, you can have a penetration test performed on your IT systems. This involves paying a company to try to access your systems, not just through technical means such as computer hacking, but also by, for example, calling your office and requesting your password by pretending to be a relative. The National Computing Centre in Manchester charges about £2000 for a basic scan. But a full-scale intensive report of a large company costs tens of thousands. One large contractor is currently undergoing this test, but is reluctant to talk about it for obvious reasons.
The government is taking the problem of e-crime seriously. In April, Home Secretary Jack Straw launched the National High-Tech crime unit, the first law-enforcement agency devoted to tackling cyber crime. And the Terrorism Act 2000, which came into force this February, classifies hacking as terrorism.
A survey by the Communications Management Association in April showed that its members – information and communications professionals – believed their own companies to be vulnerable to attack from cyber crime. The Express on Sunday reported in April that British firms were so worried by news of their insecure systems getting out that they are failing to report incidences of hacking and giving in to extortion from gangs (see factfile).
With project information being shifted to the internet and the increasing use of electronic tendering, the risk of hackers obtaining sensitive information has grown. Alternatively, someone with a grudge could paralyse or deface company websites, as happened with a Swedish government site where a disgruntled voter replaced official information with pornographic images.
Paul Vlissidis, head of risk services at the National Computing Centre, says any company with a public profile is at risk. "Any brand name is at risk from hacking; particularly those involved in politically sensitive areas. Any company, for example, building on the green belt may find themselves at risk from the type of hacker called a 'hacktivist', who uses the internet to make a point. Animal rights activists, for example, are using this technique against Huntingdon Life Sciences, who test on animals. It is perceived as a victimless crime because nobody gets physically hurt, and is increasingly the way this kind of direct action is being carried out."
But it's not just large national firms that have to be on their guard, says Vlissidis. "Smaller companies in a larger company's supply chain could also find themselves being hacked. We had a case of a company's system being hacked into and used as a platform to disrupt the systems of a larger company they worked for."
Human element
The mobile technology used by construction companies can also jeopardise security. "Using mobile devices and remote computers can be very risky if they are used to exchange data over the internet without a secure connection," says Vlissidis.
He advises that it's not necessary, or desirable, to turn your systems into Fort Knox, but warns against complacency. "I wouldn't advise doing only the legal minimum to protect your information, but it's up to individual companies to decide. How important is the information that is at risk? It's just like protecting any asset; give it as much protection as it would cost you to replace and have back-up systems in place."
The human element should also be considered, Vlissidis says. "People give out their passwords, can be bribed to disclose information or inadvertently put confidential information on the internet. All these things have happened to companies that we deal with. Staff need to be made aware of the risks involved, particularly with email. It is a legally binding form of communication, which most people don't realise. They treat it as they would a phone conversation. But Norwich Union was sued because of what was written on an email about a competitor."
Ian Hamilton, managing director of the Construction Industry Computing Association, says most construction companies should be more worried about email than hackers. "Most sizeable firms have thought about IT security and formed a policy, whether that is to put very stringent measures in place or just try and be careful. The big danger for the smaller firms, whose systems are less likely to be hacked into, is downloading viruses from email."
While hacking is high profile and may grab the headlines, record falsification is an equally important area of consideration. With more and more construction projects being run electronically, knowing your documents can be moved without fear of tampering is paramount to the success of your project. And if construction is fully to realise the efficiencies in electronic project management, and eliminate paper-based projects altogether, the electronic version has to be secure.
Construction Industry Trading Electronically, the industry-owned e-business organisation, has formed a legal issues and security group to deal with these issues. It is running trials for software called Signit, which digitally encrypts signatures.
"People need to have the confidence to work collaboratively on the internet without having to keep a paper copy," says Tim Cole, community manager at CITE. "And if the records are needed in court, you need to know they haven't been tampered with."
A contractor’s view of IT security: Ken France, Group IT director with Laing
“IT security is becoming the most important issue for us. We rely heavily on IT and the growth in electronic collaboration makes IT security critical.
“It’s not just an IT issue, of course, but a business one too, and a debate needs to be started in all organisations so policies can be formed. We control access through passwords and application-level security, so everyone only gets access to the parts of the network and the applications they have a business need to see. Our firewalls also provide us with the facility to see if anyone has made an attempt to hack into the system, but we’ve not had a problem so far.
“We did a lot of research into what people’s priorities for electronic project management were last year as part of Arrideo, and IT security was often top of the list. For example, if a system offers electronic tendering, it is possible that a rival company could hack into another’s bid and steal crucial information.
“Email is often overlooked. People think nothing of exchanging sensitive information without encryption. There is technology available to exchange email securely, but the industry doesn’t really use it.
“I am concerned about someone hacking into our system. The internet is a messy and hostile environment. But IT security will never be a problem until there is a high-profile case of hacking. Someone will have to suffer before clients demand better IT security.”
The price of hacking: what computer crime has cost business so far
April 2001: A gang attempts to blackmail Visa for £10m after hacking into its system and threatening to crash it.
August 2000: Hackers are arrested for attempting to extort $200,000 from American billionaire Michael Bloomberg after obtaining passwords to his financial information company.
June 2000: 19-year-old Raphael Gray from Wales is arrested for stealing the details of 23,000 credit cards from the internet. Correcting the damage costs Visa £250,000.
May 2000: Leading fraud expert Steven Philippsohn reports a number of successful blackmail attempts by hackers in his paper on cyber crime. A British bank paid a £12.5m ransom, a broker and a defence firm £10m each.
Source
Construction Manager