Cyber Risk: Don’t lose sight of the information

The construction industry is notorious for its reliance on complex supply chains. Entire ecosystems of partners and suppliers collaborate to produce the urban landscapes of tomorrow. Unsurprisingly, a comprehensive legal and regulatory ecosystem has grown up alongside it, along with mature frameworks for managing traditional forms of risk.

But what about cyber risk? We know from experience that the supply chain often represents a hidden back door by which cyber threats can wriggle their way into the organisation and cause untold mayhem (trawl the Internet and you’ll find horror stories of air conditioning suppliers compromising corporate networks, or of business partners deleting critical shared information due to human error). We also know that even the most cyber-mature organisations can struggle to keep their supply chains secure. In essence, the problem is that while an organisation might have gone to considerable lengths to secure information under its own direct control, in many cases it has limited capacity to do so beyond its corporate perimeter. Unless, that is, the right mix of risk management, legal, and technical safeguards is put in place. And that’s the tricky bit.

Side note: Just because you’re using a complex cloud-based system, don’t assume it’s secure! McAfee* recently revealed that the number of remote attacks targeting cloud services increased by 630% between January and April this year.

Let’s go back to basics for a moment. Irrespective of the futuristic labels that festoon the cyber world and the security technologies that accompany it, don’t forget that really it’s still all about information. Since the dawn of mankind information has accrued value for its owner. It delivers competitive advantage. It’s intelligence about our customers that enables us to sell services to them without incurring undue risk. It’s the blueprint for the self-sufficient eco-development that earns plaudits from urban planners and design gurus alike. But information has a nasty habit of seeping all over the place. Think of information as water that trickles throughout the arterial canals and rivulets of your organisation. Well channelled and protected, it enables the business to thrive. Leave a sluice gate open inadvertently and – to mix metaphors – you’re toast.

My main point here is that in industries such as Design and Construction, no business can afford to lose sight of its critical information assets – whether they’re under your own direct control, shared with a business partner, or sitting in the ether somewhere as part of some cloud-based solution. So irrespective of how well you think you’re on top of the cyber threat, make sure – at a minimum – that your business is acting on the following:

  1. Embark on an information discovery exercise. At its simplest, this might start with a simple map of your key business processes and the information systems that support them. Don’t forget to explore instances where information is stored in the Cloud and – just as importantly – to identify where information is shared outside the organisation.
  2. Once you have your basic map of what information lives where in your organisation, it’s a good idea to have a crack at valuing it in some way – in stark business terms. What information – whether it be designs, operating plans, databases… anything – is critical to your business’s success? Only once you know this does it make sense to assess whether the cybersecurity measures you have in place are adequate.
  3. Check whether you’re sharing valuable information with suppliers or business partners. Can you be confident they’re protecting it adequately once it moves beyond your control? This is where fit-for-purpose contracts are really important – you might need to set out minimum levels of security the third party should work to, and in more critical cases it’s usually a good idea to reserve the right to audit their cybersecurity arrangements.
  4. Take the temperature on your basic cybersecurity hygiene by asking the following questions:
  • Do you understand the nature of the cyber threat in the context of your own business and the information it holds?
  • Do you have a fit-for-purpose cybersecurity policy?
  • Do employees understand the cybersecurity policy, and do they behave in a cyber-secure way?
  • Are all systems kept patched, and is anti-malware software kept updated?
  • Are staff provided with access to systems only if they really need it?
  • Is particularly sensitive information encrypted?
  • Are backups taken and tested regularly?
  • Do you have business continuity and disaster recovery procedures (even if basic) that support ‘business as usual’ in the event of an incident? (Covid-19 has rammed the importance of this one home!)
  • Have you commissioned a penetration test of your systems, and applied any recommendations made?

What is listed here represents a minimum set of activities any business should be undertaking if it’s even mildly serious about cybersecurity (and of course many large organisations will be doing far more in terms of cyber governance and risk management). If you’re not sure your business could answer any of the above questions confidently, maybe it’s time to take a much closer look.

About the author


Simon Rycroft
Co-Founder & Director, CRMG
simon.rycroft@crmg-consult.com