
Information Security in the Construction Industry — What You Need to Know


The construction industry saw an increase in cyber security spending of 188% in 2018-19.

Cyber security isn’t something traditionally associated with the construction industry. Whether you are in the construction industry or not, you are likely to be aware that cyber security threats are on the increase, with the worst cases featuring in the media with alarming regularity. Lower-profile issues impacting smaller companies rarely make headlines, which could lure you into the misconception that data breaches only affect the big corporations. However, the Verizon Data Breach Investigations Report (DBIR) noted that 43% of cyber-attacks in 2019 were targeted at small businesses.

As the construction industry moves forward, rapidly embracing new technology almost every day, the risks are becoming more pervasive. It’s no longer just a case of making sure offices and building sites are secure from thieves. The digitization of the construction industry now means vast amounts of highly sensitive data, including building models, documents, drawings and personal data, are being processed, stored and shared. Industry processes are increasingly built on software systems and rely on the availability of those systems to ensure swift communication and auditable records. Outages and data breaches can have severe consequences, affecting, among other things: business continuity and revenue; time and productivity; operational stability; and brand equity.

The increase in highly sensitive data has required more attention and action. The construction industry, after lagging behind for many years, saw an increase in spending on cyber security of 188% in 2018-19, according to government data analysed by Specops Software. The increase in spending is positive news, but ultimately having a well-thought-out risk mitigation strategy is key to minimizing exposure.

Cyber security strategy

Creating a comprehensive cyber security strategy can help keep contractors' data and operations safe.

Cyber security is no different to any other approach in business: there isn’t a gold-standard way of doing things that will work across all companies and industries. Your strategy needs to be appropriate to the size of your business and the potential risks you may encounter. That said, we will look at actions you should consider taking as a starting point.

Certification by independent authorities is a good way to increase your own confidence and minimize risks. For example, the UK Government’s National Cyber Security Centre (NCSC) provides the Cyber Essentials scheme, which provides a solid framework to assess your cyber security defenses and gain a certification which will help protect your business against threats. Importantly it will also give you, your staff, suppliers and customers a level of confidence in your commitment to cyber security. The basic certification can be achieved with as little as £300 investment (at the time of writing).

A more comprehensive certification is also available called “Cyber Essentials Plus.” This is a more in-depth assessment that involves auditors visiting your site and testing your internal assets. Initial attempts to meet the standard should not be seen as failures but rather as a methodology to uncover weaknesses and improve. Knowing where your weak points are is part of the path to improvement. It's important to keep going.

Certifications under Cyber Essentials last a year and you will need to be re-certified to help ensure your cyber defences are kept up to date, further demonstrating your ongoing commitment. When implemented, the five technical controls within the basic scheme help protect your organisation from a majority of common cyber-attacks and tighten security. These five basic controls are firewalls, secure configurations, user access control, anti-malware and phishing.

Attaining internationally recognized certifications like ISO 27001 can provide peace of mind for clients that their data is protected.

If you already have these certifications, it may also make sense to attain internationally recognized certifications, but note that these require a significant investment and ongoing commitment. Two examples are:

  • ISO 27001 - ISO/IEC 27001 is widely known, providing requirements for an information security management system. Using this enables organisations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties.
  • SOC 2 - SOC 2 defines criteria for managing customer data based on five “trust service principles” — security, availability, processing integrity, confidentiality and privacy.

Another important aspect to consider is your supply chain. The old adage about a chain only being as strong as the weakest link holds true. Importantly, when choosing a partner or supplier — especially those that will be entrusted with key processes or data — it’s vital to make sure they take information security seriously. In one example from several years ago, retailer Target was the subject of a breach where hackers compromised network login credentials from a third-party vendor — an HVAC subcontractor that had done work on a number of Target stores.

Often the simplest way to verify a supplier is to ask for proof of their certifications to the key cyber security and information security standards. Furthermore, ask if THEIR suppliers or subcontractors are certified because you will want to be able to ensure security across the length of the supply chain.

Selecting a technology vendor you can trust

The cloud-based Viewpoint for Projects is backed by significant cyber security protections, including Cyber Essentials Plus, ISO 27001 and SOC 2 Type II certifications.

As highlighted in this blog, cyber security matters for businesses of any size and is becoming vital in the construction industry as companies need to protect their highly sensitive data. The number of attacks is also on the up and continues to rise: the insurer Hiscox has noted that more than 60% of companies reported one or more cyberattacks in 2019, compared with 45% in 2018. In line with that, average losses resulting from cyber breaches shot up by 61%, from £176,000 to £283,722.

It is vital you select a vendor that is trusted to deliver products that are certified when it comes to security. Viewpoint UK has recently been awarded the Cyber Essentials Plus certification, further adding to its existing security certification portfolio. Viewpoint For Projects (VFP) is Viewpoint’s cloud-based document and information management solution that enables you to share, control and collaborate on project documents with dispersed project teams. A component which gives Viewpoint a competitive advantage in the software market is its certifications and the security and certifications of its supply chain. The below highlights our commitment to delivering secure products across our whole supply chain.

Viewpoint UK is certified in the following:

Viewpoint’s hosting partners are also certified.

Posted By

Peter Hodgson is the UK Engineering Director at Viewpoint and heads our UK-based software development teams at our EMEA HQ in Newcastle upon Tyne. He has over 30 years' experience leading global software development teams, holds a BSc in Computer Science from Teesside University and is a Chartered Engineer.
