EDITOR ' S QUESTION
The construction industry is in a unique position when it comes to cybersecurity , as many of the projects that organisations in the vertical work on have components that aren ’ t controlled by the organisation itself . This presents several challenges that have interesting implications , as many projects involve third parties . In general , the types of cybersecurity challenges faced during building and construction projects can be broken down into three categories :
1 . Data security : There is a lot of sensitive data controlled by multiple parties during construction projects , including financial data . Considerations should be taken into place during the project for :
2 . People and process : Construction projects often involve many stakeholders – Each of these entities may hold sensitive data and are all entry points for threat actors and adversaries . Many of the same recommendations apply from a people and process standpoint , too .
3 . Technology : While focusing on network security is important , the construction industry faces new and interesting challenges in the nature of the tools being used on project sites . With the increasing usage of wearable technology , drones and connected sensors , it ’ s even more important to consider security risks around these technologies .
Some questions to consider when thinking about cybersecurity around construction projects :
• Compliance certifications – are contractors and vendors certified to handle the data involved ?
• Security transparency – What processes and procedures do contractors and vendors have in place to protect the data they may be handling ? What data will they be handling , and where will it be stored ? How will it be transferred ?
• Do contractors have an incident response plan in place ? A security incident at a third party during a project can have catastrophic consequences , especially with the proliferation of ransomware attacks in the construction space .
• Do contractors and vendors have a business continuity and disaster recovery plan in place ? As we saw with the recent IT issues around the globe , understanding and having contingencies in place is very important when not only cybersecurity incidents occur , but also unexpected technological disruptions .
• Do contractors and vendors have security awareness training in place ? Security awareness training is key to ensuring that common attacks are spotted and stopped before they become major incidents . Individuals are often common targets for attacks , so ensuring that tools and training work together in conjunction to protect environments is very important .
While there are many aspects to cybersecurity and this covers just a few , thinking about these questions during the scoping process can often save a lot of headaches down the road ! �
NICK HYATT
DIRECTOR OF THREAT INTELLIGENCE AT BLACKPOINT CYBER
www . intelligentbuild . tech 27