Data security in construction

With the world ever more digital, cybersecurity has emerged as one of the most critical elements in every company’s business strategy. For the construction industry, such growth in digital technologies – and, by extension, digital data – comes with significant security risks.

Building magazine, in collaboration with software company Bluebeam, gathered a panel of experts from across the industry to explore data security in construction as part of a roundtable discussion.

The panellists, chaired by Building’s head of content Carl Brown, discussed why our industry has become a top target for cybercriminals all over the world, what construction companies need to do to bolster their defences, and how they can get started.

Brown kicked off the session by asking the experts to explain why construction was such a target and what kinds of attack firms within the sector were particularly vulnerable to.

Why construction?

“One reason the industry is vulnerable is that there has been a little bit of a lag there in technology historically, and that has proliferated its way through to everything,” said James Chambers, global industry development director of the build and construct division at Nemetschek Group. “But the pandemic globally accelerated the use of technology and the industry itself has adopted data and digital practices in a huge capacity over the last two to five years, probably more than it’s ever done in the 30 years before that.”

Chambers said this had created inherent vulnerabilities as it was often being done on a platform or within a corporate culture which might not have taken into consideration the full security ramifications of such a digital expansion. “If you look outside of the construction industry, look into the financial or automotive sectors, and they already had those platforms in place.”

The industry has adopted data and digital practices in a huge capacity over the last two to five years

James Chambers, Nemetschek Group

Andy Black, chief information security officer at Sir Robert McAlpine, said the digitalisation of the end products the industry is now producing has also increased its vulnerability. “When you consider the internet of things (IoT), all the smart tech that we’re all adopting, on smart buildings, on smart motorways – in all of these additional ways – that’s potential risk that we’re introducing into our organisations.”

James Carter, global cybersecurity risk manager at Arcadis, added that the UK construction sector is particularly vulnerable because, while it is behind other industries, it is ahead within its own sector globally. “Britain is a net exporter of standards, and so I think we are also feeling the pain of being a little bit of ahead of the curve in terms of the rest of the world in construction. So we’re getting hit with the teething problems of cybersecurity first.”

What are the big threats?

Charlie Miller, director of information security at Bluebeam, said ransomware attacks are a particular area of concern for the construction sector. “The opportunity value of the construction industry in both the public and private sector is huge. There’s a lot of impact to disruption,” he said.

“There’s a lot of motivation for the victim of a ransomware attack to pay out the ransom and get it resolved quickly, and I think that has led to a lot of attention from threat actors to the construction industry.”

Danielle Hamilton, IT security manager at Wates Group, said the greatest threat is presented by the workforce itself. “Getting people to be emotive about changing behaviour and what’s important to them is fundamentally critical,” she said. “Human error is still the largest – and in my view will always be the biggest – risk to security. No matter what industry you’re in, we’re all people; we’re all fallible.”

There are so many payments flowing in various directions around the tiers. That’s obviously a very attractive proposition for [threat actors] to look at payment diversions

Andrew Knight, RICS

A number of those on the panel also raised the point that the historical fragmentation of the sector has contributed to weak points across the supply chain as firms are often not communicating with each other about their security approaches.

Andrew Knight, global lead for data and tech at the RICS, added that, on top of the fragmentation caused by construction’s long supply chains, the sheer volume of cash moving around in construction makes it a target. “There are so many payments flowing in various directions around the tiers. That’s obviously a very attractive proposition for [threat actors] to look at payment diversion,” he said. “The IP threat that industrial espionage poses is also significant, as well as the fact that many assets being worked on are quite sensitive – and simply just access to floorplans can make construction a target.”

What does best practice look like?

Jussi Valkiainen, head of product and application security at Kone, said it is important for there to be standard approaches across industry. “I’m a big believer in best practice and common frameworks and, most importantly, actually adhering to the same kind of common frameworks, such as ISO 27001,” he said. “It really helps if we are all speaking the same language. But, of course, that only works if people practise what they preach and they are taken seriously.”

Wates’s Hamilton added that improving security is not as simple as having a plan in place or one team concerning itself with data protection. She said it is imperative for firms to embed best practice across the business and for leadership, crisis management and procurement teams to be aware of the requirements on them to protect data and what would be required in the event of a breach

Clear visibility of who we’re working with and what the risks actually are is imperative

Danielle Hamilton, Wates

Like Hamilton, Neil Lovett, technology director at Ridge, said he sees user education as central – but he emphasised the need for it to extend beyond the traditional construction project team. “The education of the end user has got to be key, and it’s got to be the first line of defence. It doesn’t matter what systems you put in; there’s always going to be something that gets through.”

He added: “The phishing and spear phishing – the amount that comes in on a daily basis – is insane, and it only takes one for a breach to occur. This is what I keep trying to get across to people. It only takes one person to do it and then you end up in a difficult situation.”

Sir Robert McAlpine’s Black agreed that best practice requires buy-in from across the business and also the supply chain as it is procured. “People are coming to me now where they didn’t before to say, ‘We were about to go and buy this thing or service and somebody has mentioned I ought to speak to you first to do an assessment before we make that commitment.’ To me that’s progress.”

Security solutions

“So often we talk about shared responsibility [for security], but the only way you get to a shared responsibility is if you’ve got the ability to collaborate and act together,” said John Connolly, professional head of cyber resilience for Atkins of the SNC Lavalin Group. “We’ve got to share information, examples and stories. And sometimes we are going to have to collaborate in a way that says, while we are competing on the same thing here, we’ve got to talk about security stuff, and we’ve got to do something together to make it right for us all. And that’s hard.”

On the collaboration point, Wates’s Hamilton said validating security plans is particularly important right across the supply chain if firms are serious about wanting to manage their data. “Clear visibility of who we’re working with and what the risks actually are is imperative.

It really helps if we are all speaking the same language. But, of course, that only works if people practise what they preach and they are taken seriously

Jussi Valkiainen, Kone

“It’s great to say: ‘Do you have a plan?’ But just because somebody says yes, do we really understand what that looks like? We can all say we’ve got a fantastic ISO 27001-based plan, but it might not actually have been tested.”

She said one of the recent breaches at a UK-based firm was an example of this. “When you get into the nuts and bolts of what happened with them, they fell over on an awful lot of the basics. They were in breach of several policies that they said they had in place from a vulnerability management and access control perspective.”

External resources

In terms of helpful resources, Arcadis’s Carter cited the National Centre for Cyber Security’s (NCCS) Cyber Security Information Sharing Partnership as an invaluable tool. “The access it gives to more privileged information and the amazing amounts of support it provides are fantastic,” he said. “When you’ve got problems or are wondering how to do this or that, you can ask. So that’s a really, really useful tool.”

Sir Robert McAlpine’s Black added that the industry partnership with NCSC, CPNI & BEIS had created guidance for construction firms on topics such as cybersecurity in joint ventures that firms can access for support.

But Bluebeam’s Miller added that it is imperative for solutions not to impinge upon people’s ability to do their job: “If we have guardrails in place that stop people from doing what they want to do, they won’t see a path to success and they will find a way around that.” He said this is where shadow IT comes to the fore, and that it is integral there is the ability to track at the back end – so if someone has been behaving in an unsafe way, they can be spoken to and educated about safe data practices.

As the session drew to a close, Building’s Brown highlighted the prevailing themes of the day as visibility, education and collaboration, saying: “What is really positive is that, while it is clear there is still work to do, this conversation shows we are moving in the right direction.”