The UK construction sector loses £400M to theft each year, according to the Home Office. What springs to mind might be copper, site office assets and construction vehicles. Some may consider the cost of a cyber attack caused by a malicious email attachment. But few will consider the cost of a cyber security breach that is the consequence of an unwanted intruder. One corporate laptop on a construction site can be the key to an entire network of business-critical data, and if this lands in the wrong hands, it could be disastrous.
In 2015, a survey from the Home Office found that one in six construction business premises were affected by cyber crime, and with instances of this type of crime rising across the board, this proportion is likely to have increased since. While it’s no news to any construction business that these attacks are rife, what may not be as obvious is that not all of these threats originate from a suspicious email or an accidentally downloaded virus. The construction sector needs to start thinking bigger than its laptops and start securing its premises.
Social engineering is one technique that criminals use to deceive an individual and persuade them to hand over confidential information, such as bank details, passwords or business data. Typically, this attack takes the form of a criminal pretending to be a senior figure, well-known supplier or other third-party contractor over email, but this isn’t always the case.
Often, there is a vast network of contractors and suppliers stemming from a single organisation, and this makes these businesses a valuable target. The danger is that criminals can access not only the company’s system, but also any data that is shared across its supply chain. Very recently, French construction materials company Saint-Gobain was hit by the now-infamous NotPetya ransomware. Had this ransomware been allowed to spread far enough, it could have affected customers and other associated businesses, making it a lucrative opportunity for criminals to make money from stolen files.
The sheer number of individuals involved in the day-to-day operations of a single company also makes it incredibly difficult to identify intruders, particularly on a building site. The number of people involved in the planning stages, together with the workers responsible for the construction process, means that it will be common for workers to deal with unfamiliar faces. If a criminal posing as a worker has even an inkling of the generic processes of the business and site, they can craft a believable story.
This complex supply network means that for a construction site with lax security, almost anyone could walk in early on in the day with a hard hat and high-vis jacket on and claim to be a member of staff. This disguise could even allow them to sit down at a company-owned machine in a temporary office without being challenged. With unsupervised access to a machine, the attacker could then plug in a USB device and steal corporate data, install malware, or send emails from an individual’s account asking for financial details.
Once a criminal identifies key information about a business, they can begin to craft very believable background stories and put together business apparel to help them infiltrate company headquarters or a construction site. Obtaining a photograph of a member of staff would be easy enough with some observation, making it easy for an unwanted intruder to forge replicas of company lanyards and ID passes and wear them to stroll onto a site.
It’s rare for construction sites to implement permanent and sophisticated security beyond CCTV surveillance, turnstiles and key-code access due to the rapidly changing nature of building sites. This lack of robust security measures means that criminals could even worm their way into sites that use key-code access through nifty tricks such as leaving felt-tip pen marks on the keys in the morning and coming back later to take a look at the smudged keys and identify the possible combinations to be ‘granted’ access.
Luckily, there are plenty of ways to keep sites and offices secure, and they don’t have to be costly or difficult. It’s important to educate all workers across the site to be more vigilant about suspicious individuals. Although methods of deception are often targeted and intelligent, teaching workers to watch out for anything that looks out of place can significantly reduce this threat. Sites and offices should also have a thorough sign-in or access process in place, including a request for ID.
It’s also important to continuously update all company-owned devices and software. Newer operating systems, such as those that use biometric scanners for verification, mean that even if a criminal gains access to the site, they often won’t be able to get hold of sensitive information.
Another simple but vitally important step to keep sites and offices secure is to ensure that the likes of passwords, confidential documents and names of third-party suppliers are not left out on display. If passwords are easily available, one computer could act as an entry point into an entire network if the security software fails, while documents containing sensitive information can be used to strengthen a criminal’s cover story. Good password hygiene, including updating passwords regularly and using unique combinations, will add a further line of defence.
Education and vigilance are key, but as the methods of cyber criminals become more unexpected, testing the security of company sites is even more crucial. When companies know that they have secure measures in place to stop unwanted intruders, the entire office or construction site – from individual laptops to the turnstiles themselves – will be much safer.
By Daniel Farrie, Security Consultant at NCC Group