The construction industry's growing reliance on technology and remote systems, coupled with alarming cyber security statistics, necessitates a paradigm shift towards ‘zero trust’. Our CEO Tim Mercer, recently explored how this burgeoning access model can help fortify cyber security strategies in the era of digital construction in this article for PBC Today. If you missed the original piece, you can find it here...
The construction industry is undergoing a remarkable technological transformation, underpinned by the adoption of digital tools and remote systems. For the most part, this is a monumental shift. As well as revolutionising efficiency, collaboration, and project management, embracing technology has optimised processes, enhanced communication, and accelerated innovation — propelling the sector toward a future of sustainable growth and competitiveness.
However, with this progress comes an increased vulnerability to cyber threats. And as the construction industry forges ahead, it must not overlook the digital sentinels guarding its progress.
A growing number of personnel — from contractors and subcontractors to architects, engineers, surveyors, and more — have access to shared IT platforms today, heightening the potential for insider breaches. Plus, with all three key stages of construction (design, construction, and handover) involving extensive digital workflows, cyber security risks exist from the tender stage right through to completion, and thereafter.
A glance at the Department for Culture, Media and Sport (DCMS) Cyber Security Breaches Survey 2023 paints a sobering picture. The construction sector significantly lags behind others in assigning importance to cyber security, with just 21% of firms having a board member overseeing this domain – a mere 1% increase from the previous year. Alarmingly, the industry is also identified as one of the top three least likely to have cyber security rules or active threat identification measures in place.
Software's integral role in the construction process further amplifies the urgency of robust cyber security too. According to Grand View research, the global construction software market was valued at around $9.6 billion (£8.42 billion) in 2021, and is projected to grow at an annual rate of 8.5% from 2022 to 2030. As software usage expands, data harvests increase, subsequently offering more opportunities for cyber attackers.
As such, the need for stringent cyber security has never been more critical. This is where the concept of zero trust comes into play.
The essence of zero trust
Just as the sector’s professionals meticulously inspect every brick and beam, so must they scrutinise every digital entry point into their domain. Zero trust, a paradigm shift from the traditional "trust but verify" approach, dictates that no user or system is inherently trustworthy — assuming that threats can emerge from within and outside the organisation, thereby minimising vulnerabilities.
Part of a multi-layered defence strategy, this framework involves meticulous identity verification, continuous monitoring, and robust encryption. User access privileges should be granted on a need-to-know basis, with rigorous verification processes for each request.
Constructing a resilient cyber security strategy
Establishing a resilient zero trust access strategy can be a daunting task, particularly in the absence of expert guidance. Make one wrong move, and the very digital foundation meant to enhance operations could become a vulnerable gateway for malicious actors seeking to exploit weaknesses.
While each element will differ slightly from one organisation to the next, the following framework outlines a comprehensive roadmap that construction companies can tailor to suit their specific needs:
1. Comprehensive identity verification: The foundation of a zero trust strategy lies in meticulous identity validation. Construction companies must implement multi-factor authentication (MFA) and identity verification protocols for all users seeking access to digital resources. This ensures that only authorised individuals gain entry.
2. Least privilege access: Embracing the principle of least privilege, the strategy should grant users the minimum access necessary for their roles. This prevents over-privileged accounts from becoming potential entry points for cyber attackers, reducing the attack surface and potential damage.
3. Continuous monitoring and behavioural analytics: Real-time monitoring of user behaviour and network activities is integral to detecting anomalies promptly. Behavioural analytics enable the identification of unusual patterns, allowing immediate response to potential threats before they escalate.
4. Micro-segmentation: Segmenting the network into smaller, isolated sections limits lateral movement for attackers. This containment approach isolates potential breaches, preventing unauthorised access to critical assets.
5. Robust encryption: Data encryption, both in transit and at rest, is pivotal to maintaining data integrity and confidentiality. Encryption ensures that even if unauthorised access occurs, the intercepted data remains indecipherable.
6. Zero trust architecture: Implement a comprehensive architecture that enforces zero trust principles across all layers of the IT infrastructure. From endpoints to applications and data repositories, consistency in zero trust application enhances overall security.
7. Continuous training and awareness: Employees play a crucial role in any cybersecurity strategy. Regular training and awareness programmes educate personnel about the zero trust approach, fostering a security-conscious culture.
8. Vendor and third-party management: Extend zero trust principles to third-party vendors, contractors, and partners who interact with the company's digital environment. Rigorous vetting and monitoring ensure that external entities adhere to the same security standards.
As digital tools proliferate and data volumes surge, a proactive cybersecurity strategy is no longer a luxury but a necessity for the UK’s most ambitious construction firms. In a world where innovation knows no bounds, neither should construction firms’ commitment to safeguarding their digital foundations.