The construction industry's growing reliance on technology and remote systems, coupled with alarming cyber security statistics, necessitates a paradigm shift towards ‘zero trust’. Our CEO Tim Mercer, recently explored how this burgeoning access model can help fortify cyber security strategies in the era of digital construction in this article for PBC Today. If you missed the original piece, you can find it here...

The construction industry is undergoing a remarkable technological transformation, underpinned by the adoption of digital tools and remote systems. For the most part, this is a monumental shift. As well as revolutionising efficiency, collaboration, and project management, embracing technology has optimised processes, enhanced communication, and accelerated innovation — propelling the sector toward a future of sustainable growth and competitiveness.

However, with this progress comes an increased vulnerability to cyber threats. And as the construction industry forges ahead, it must not overlook the digital sentinels guarding its progress.

A growing number of personnel — from contractors and subcontractors to architects, engineers, surveyors, and more — have access to shared IT platforms today, heightening the potential for insider breaches. Plus, with all three key stages of construction (design, construction, and handover) involving extensive digital workflows, cyber security risks exist from the tender stage right through to completion, and thereafter. 

A glance at the Department for Culture, Media and Sport (DCMS) Cyber Security Breaches Survey 2023 paints a sobering picture. The construction sector significantly lags behind others in assigning importance to cyber security, with just 21% of firms having a board member overseeing this domain – a mere 1% increase from the previous year. Alarmingly, the industry is also identified as one of the top three least likely to have cyber security rules or active threat identification measures in place.

Software's integral role in the construction process further amplifies the urgency of robust cyber security too. According to Grand View research, the global construction software market was valued at around $9.6 billion (£8.42 billion) in 2021, and is projected to grow at an annual rate of 8.5% from 2022 to 2030. As software usage expands, data harvests increase, subsequently offering more opportunities for cyber attackers.

As such, the need for stringent cyber security has never been more critical. This is where the concept of zero trust comes into play.

The essence of zero trust

Just as the sector’s professionals meticulously inspect every brick and beam, so must they scrutinise every digital entry point into their domain. Zero trust, a paradigm shift from the traditional "trust but verify" approach, dictates that no user or system is inherently trustworthy — assuming that threats can emerge from within and outside the organisation, thereby minimising vulnerabilities.

Part of a multi-layered defence strategy, this framework involves meticulous identity verification, continuous monitoring, and robust encryption. User access privileges should be granted on a need-to-know basis, with rigorous verification processes for each request.

Constructing a resilient cyber security strategy

Establishing a resilient zero trust access strategy can be a daunting task, particularly in the absence of expert guidance. Make one wrong move, and the very digital foundation meant to enhance operations could become a vulnerable gateway for malicious actors seeking to exploit weaknesses.

While each element will differ slightly from one organisation to the next, the following framework outlines a comprehensive roadmap that construction companies can tailor to suit their specific needs:

1. Comprehensive identity verification: The foundation of a zero trust strategy lies in meticulous identity validation. Construction companies must implement multi-factor authentication (MFA) and identity verification protocols for all users seeking access to digital resources. This ensures that only authorised individuals gain entry.

2. Least privilege access: Embracing the principle of least privilege, the strategy should grant users the minimum access necessary for their roles. This prevents over-privileged accounts from becoming potential entry points for cyber attackers, reducing the attack surface and potential damage.

3. Continuous monitoring and behavioural analytics: Real-time monitoring of user behaviour and network activities is integral to detecting anomalies promptly. Behavioural analytics enable the identification of unusual patterns, allowing immediate response to potential threats before they escalate.

4. Micro-segmentation: Segmenting the network into smaller, isolated sections limits lateral movement for attackers. This containment approach isolates potential breaches, preventing unauthorised access to critical assets.

5. Robust encryption: Data encryption, both in transit and at rest, is pivotal to maintaining data integrity and confidentiality. Encryption ensures that even if unauthorised access occurs, the intercepted data remains indecipherable.

6. Zero trust architecture: Implement a comprehensive architecture that enforces zero trust principles across all layers of the IT infrastructure. From endpoints to applications and data repositories, consistency in zero trust application enhances overall security.

7. Continuous training and awareness: Employees play a crucial role in any cybersecurity strategy. Regular training and awareness programmes educate personnel about the zero trust approach, fostering a security-conscious culture.

8. Vendor and third-party management: Extend zero trust principles to third-party vendors, contractors, and partners who interact with the company's digital environment. Rigorous vetting and monitoring ensure that external entities adhere to the same security standards.

As digital tools proliferate and data volumes surge, a proactive cybersecurity strategy is no longer a luxury but a necessity for the UK’s most ambitious construction firms. In a world where innovation knows no bounds, neither should construction firms’ commitment to safeguarding their digital foundations.

It’s no secret that the global tech sector is advancing at an astonishingly rapid pace – not least in relation to the now integral role of digital transformation in spearheading growth and success. But no matter the size or scope or your organisation – or how sophisticated your innovation strategy is – the only way to drive significant change is to leverage the power of people.

So, to champion some of the industry’ finest talent, and gain some insight into the minds of individuals from across the tech space, we’re inviting friends and partners of the business to take part in our quickfire Q&A.

Up next, it’s Greg Gyves, Business Manager, MSSP - EMEA at Fortinet

Tell us about your role at Fortinet and the part you play in the tech sector.

Fortinet is the world’s leading cyber security company, and we help a range of organisations – from the smallest micro businesses to the world’s largest enterprises and governments – to securely accelerate their digital journey.

All my time in the last 10 years at Fortinet has been dedicated to supporting the growth of our MSP and MSSP partner community, as well as helping them build new and incremental recurring revenue streams from managed security services.

What innovation was the turning point for your organisation, to get it to where you are now?

A significant turning point was the introduction of the Fortinet Security Fabric vision – which has existed for almost a decade now, and helps deliver broad, integrated, and automated protections across the entire digital attack surface.

This is a strategic approach most recently validated by Gartner, with the introduction of their cyber security mesh architecture (CSMA).

And where’s next for your business?

Fortinet has several strategic growth engines in different technology areas – driven in a large part by the increasing volume and variety of sophisticated cyberthreats, the shift to working from anywhere, and the convergence of network and security.

Our key priority areas are continuing our growth in network firewall and Secure SD-WAN, along with SASE and ZTNA, to accelerate the digital transformation of our customers. We’re also keen to further develop comprehensive products and solutions to secure operational technology (OT) environments, as we see a rising volume of attacks that are targeting these traditionally isolated environments.

The biggest misconception faced by the tech sector is…

That it’s an industry for men and that you have to be technical to succeed. While it is true that there are few women working in the field of cybersecurity, and even fewer if we only consider engineering positions, I don’t think it’s necessarily more difficult for them to enter this space. We should collectively make it more balanced by hiring a greater number of women, to bring diversity as well as help to address the global skills shortage.

What do you think will be the biggest tech trend over the next 12 months?

Although the trend will span longer than 12 months, there is a continued convergence of IT and OT, where there is a requirement to leverage previously unconnected operational networks by connecting them to the cloud, and in turn the IT network.

There is a significant addressable opportunity in OT security, and we believe we are well placed to take advantage of this fast-growing trend.

What top tip would you give to an individual trying to excel in their tech career?

Don’t stand still – it’s equivalent to falling behind. Constantly looking for ways to push beyond your comfort zone is crucial to keep up with the pace of the industry.

The next purchase on my personal tech wish list is…?

A Peloton exercise bike – I love the idea of that immersive experience from the comfort of your own home.

And what is your earliest memory of tech in your life?

Probably a Commodore VIC 20, that I think was originally given to my older brother. It was later superseded by the Commodore 64 and Amiga 500, before we became a Nintendo house instead.

What is one longstanding piece of tech you are shocked is still used today?

Well, I’m shocked my wife still forces me to keep the Blu Ray player (not that I can remember the last time we used it!), against my best efforts to stick it in the bin. If anyone reading this actually still uses a DVD or Blu Ray player, then I am shocked!

If you are without the internet for an hour, what would be the first activity you resort to, to pass the time?

I imagine it would be a game of football in the house or in the garden with my two boys, aged 10 and 5. They are both mad for the sport and any ‘unconnected’ activity usually involves a football.

sign up for latest news
  • This field is for validation purposes and should be left unchanged.