Nation-state cyber attacks are on the rise and construction businesses are at risk, says Luke Potter, Chief Operating Officer at CovertSwarm.
According to Microsoft, nation-state cyber attacks are “malicious cyber attacks that originate from a particular country and are an attempt to further that country’s interests”. We have allegedly seen Russia do it with Ukraine, hitting their national grid during times of political unrest as well as during elections.
Many organisations never even consider nation-state cyber attacks while doing their risk assessments, especially construction businesses. They may believe that it isn’t a sector that would be targeted and, even if it was, it would only be the largest companies in the cyber attackers’ sights. But this is far from the case.
According to Statista, in 2022 the gross value added (GVA) of the construction industry in the UK amounted to almost £128.9bn. Its huge contribution to the UK economy is further reflected by the market’s employment figures, with construction responsible for one in every 20 jobs, according to Reuters. This means even smaller scale businesses are in increasing danger of being targeted. The data tells us that more than 80% of UK businesses suffered at least one cyber attack in 2021/22. That accounts for nearly 4,000,000 registered companies.
In an industry that has only relatively recently embraced digital workflow and record-keeping as part of the so-called Golden Thread of information, cyber security feels like an afterthought. There’s so much else to get to grips with. But the wealth of confidential data and information used and stored – as well as cyber criminals being aware of the industry’s under-protected stance on cyber security – means it is an increasingly appealing target. Imagine if you were breached, your data was stolen and your business could no longer operate without paying a ransom to the attacker. How would you respond? Could you pay? How would your brand handle the reputational damage?
To defend, you need to know where you are vulnerable to attack. The traditional penetration test (pen test) is a point-in-time exercise, typically run once a year, in which an organisation checks for known vulnerabilities using common scanning tools and techniques. Businesses are generally looking at how they think they could be breached and taking a perimeter-led approach. However, such an approach is unrealistic and will be out of date the moment the report touches your desk.
The cyber attackers are constantly looking for ways to compromise your business. They target the whole brand using digital, social and physical routes via multiple attack paths to find a way to achieve a breach. Many businesses won’t know they are being targeted or may have already been breached. For many, the first indication is a sickening ransomware email that denies an organisation access to its own files until a payment is made for the decryption key.
That’s why I believe it is more effective to simulate a real cyber attack. Have the cyber security team think and act like an attacker to find the vulnerabilities in the business. It may sound bizarre to attack your own business, but it is better to be safe than sorry.
For more, visit covertswarm.com
As a professional engineering institute, CABE recommends that all members refer to Engineering Council Guidance on risk at engc.org.uk/risk and security at engc.org.uk/security as part of their professional development programmes.