As published in Building Magazine on 26 April 2022

Building, with software specialist Egnyte, convened an online roundtable to explore the issues around data-sharing and the mitigation of digital security risk throughout the supply chain.

Digital security risk has not traditionally been associated with the construction industry. But with information technology becoming commonplace across the sector, the importance of acknowledging such risk – how it might affect the industry’s work, and how to protect against it – cannot be overstated.

According to recent research, breaches at small organisations total fewer than half of those at large ones, but this is changing; incursions by hackers increasingly affect smaller firms. This makes the issue particularly pertinent for construction, with its extended supply chain and large number of SMEs.

With this in mind, Building together with software specialist Egnyte convened an online roundtable of experts to explore key trends in and approaches to digital security risk, the rise of data-sharing management, and the importance of ensuring data security is maintained throughout the supply chain.

A silver lining or just the cloud?

Meeting chair and Building’s special projects editor Jordan Marshall kicked off proceedings by asking the group to spell out their main concerns around digital security.

The recent advent of cloud technology opened up how most of us store everything from complex documents to basic images, and similarly revolutionised how companies view data security, said HLM Architects’ associate and IT manager Craig Charlesworth.

“I’ve spent my entire career focusing on the endpoint, the internal network, segmentation, creating safe places for data. And then the cloud comes along … and all the great practices we’ve got, it’s out in the wild now.

“Making that boundary leap from ‘this is ours, we’re controlling it’ to putting it out into someone else’s domain is quite something. Essentially we’re making the vendor of these applications responsible for our data, and it’s been a hard thing to evolve into,” Craig added.

There had also been a significant shift in how firms procure software, inevitably affecting how firms control data, according to Indi Singh Sall, technical operations director at NG Bailey IT Services. “Historically a business unit would go to its IT department and request something like an essential application, and the controls for those systems would be managed by the ICT [information, communications and technology] guys.”

The advent of cloud technology meant ICT was becoming more of a procurement operation, said Sall, yet vigilance was still required. “You need to understand the governance process, ensuring that contractually you can use these new cloud applications properly. You have to make sure that the applications and systems being used are compliant with your policies. At NG Bailey we’ve created governance teams within our business units to ensure the data is being managed appropriately.”

Creating a system of controls was crucial, said Tom Willcock, director in charge of surveying innovation at Hollis Real Estate Consultants – also ensuring a business had robust back‑up strategies in place. “We’re not just talking about sharing data. There’s also possible manipulation of data and the threat of contamination getting into your core networks. You need to avoid this, and understand how it could be compromised. What is your data classification? How is your data stored? Is it segregated? It’s a multifaceted area.”

One factor that can never be ruled out in the digital risk arena is human error. Alinea partner Cameron Baylis said: “You can train people, you can advise people, but if someone clicks on a [virus] link there’s not much you can do about that. We put a lot of effort into trying to prevent as much of this as we can, educating as much as we can. And then it’s a case of keeping on top of the people, regularly advising them not to do things like clicking on these links.”

Data flow pitfalls

Businesses experience internal tensions around the need for security and the desire to collaborate. Steve Yates, Egnyte head of marketing, defined the problem as “having the right amount of security to allow people to collaborate – because you want people to have access to anything from anywhere, on any device – but also to consider the difficulty of managing that from a security perspective”.

He also questioned the implications of sharing data. “At some point sharing isn’t really sharing, in the world of data. Very often, sharing just means ‘I make a copy and I give it to you’. This creates inherent problems in that when I give you a copy I no longer maintain ownership of that data. I can’t manage it, I can’t control it any more, and I’ve no visibility of it. So we often talk about sharing, but it’s not really sharing. It’s not always a case of ‘we give something to somebody, then they do something with it and then we take it back’.”

How data is used in buildings, particularly for sensors and to assess the use of space, was another issue raised. Willcock highlighted how data flows and the use of a building could affect the valuation of the building. “But what if that can be manipulated? What if you have spoof devices that can affect that?”

HLM’s Charlesworth added: “This is a potential problem being stored up for the future. You’ve got all these sensors around the building to make it smart, but what’s the lifetime on them? What’s the projected upgrade schedule on these devices? Are companies locked in for five years, 10 years, 50 years, to keep these things up to date and patched and make sure they’re not vulnerable? Or is there a responsibility to continually change these devices? And does the owner of the building understand this aspect when they take ownership of it at the end of the project?”

This raised another potential tension, said NG Bailey’s Sall. “You’ve got an IT department which understands technology, and a facilities department which understands how to operate a building. In many cases there are demarcations, when really they need to be brought together. Operators need to understand the actual building is sitting on a network and that the facilities and the IT departments need to come together and recognise that there is a problem to fix.”

Accreditation – all it’s cracked up to be?

The panel acknowledged that many firms were going down the ISO route, particularly ISO 27001, a specification for an information security management system (ISMS) which was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving that ISMS.

But Hollis’s Willcock said such accreditations were only any good if they were carried out in practice. “It’s vital you have those control frameworks in place and follow them properly. I’ve come across ISO 27001-accredited companies that had standard admin passwords on servers. A directive control framework is just a bit of paper. You really need to have all the proper elements actually in place if you want to cover yourself effectively.”

Many firms also obtain Cyber Essentials accreditation, the government-backed scheme developed and operated by the National Cyber Security Centre (NCSC). But accreditation schemes cannot solve some of the challenges that firms face, according to Charlesworth.

For all the effort that he and his IT colleagues at HLM put into educating staff about the need for security, at the end of the day “they just want to build buildings. They’re not that bothered if we get hacked, or how. But it’s important to get them to understand that they should be bothered,” he said.

The end user was probably HLM’s biggest risk, said Charlesworth. “They can get to one part of the network and another that we’ve allowed them to, and they can cross that bridge and transfer data to somewhere it shouldn’t be, because they needed to get the work done.”

Support – for whom and from where?

Building’s Marshall wondered where firms were getting the most up-to-date security information and guidelines for their operations to be as secure as possible. Alinea’s Baylis said a third party looked after all his firm’s IT systems. “They make sure that we are up to date, that our servers are all running perfectly. We meet up with them every week, just to make sure that we are all aligned and that our equipment, all laptops and so on, are fully up to date.”

NG Bailey’s Sall said his firm also had third parties for support “in terms of keeping us up to date on the latest threats. We also have a lot of technical engineers, and pre-sales teams, and they are tuned into the security threats, especially on systems.

“We manage a lot of systems for our customers, so our operational teams are tuned in with the latest threats to ensure that we’re updating the software. And we work very closely with vendors to get updates as well.”

HLM’s Charlesworth raised the issue of responsibility: “If it’s your organisation setting up a common data environment, and you’re giving a third party access to that data, are you then responsible for that third party’s training and constant monitoring of their account?

“Does their organisation need an effective policy in place to ascertain whether a particular member of staff is adhering to what has been agreed? We find that we’re an IT team which seems to be helping other companies access certain data which is not necessarily within our network anymore. So where do those boundaries lie in terms of help and support?”

Sprawling data

And as “data sprawl” – where data spreads out across networks and to different users – increases, firms must be vigilant. How do staff mitigate the risks of sending out data – such as documents – while doing their day job to the best of their abilities?

It depended on the risk involved and what was being potentially compromised, said Hollis’s Willcock. “BIM’s got some really interesting challenges ahead, particularly as it moves forward into the golden set of data. That is going to form the whole thread moving forwards, and it needs to get sent to the regulator. But what happens if that data got compromised?”

Willcock said that while BIM was all about collaboration, he wondered about the controls in place to make sure no one was going in and changing things. “What would happen if a hacker got in and made all the steel girders 30cm shorter before they were fabricated, just because they could? Somebody has then spent millions of pounds of stuff that can’t be used on site. It’s a fascinating set of risks.”

Egnyte’s Yates said data sprawl reflected storage being cheaper than ever. “We can get access to terabytes and terabytes of storage in many places for very little. That’s a concern, because then I think, ‘Where is the latest version? Are we all working to the latest versions of the documents?’ This is intellectual property; is it in the wrong hands? The thought of important data being on someone’s phone on a WhatsApp session is frightening.

“Sprawl is made easy by the fact that storage is cheap, so we don’t tend to care. But ultimately, it creates a security risk. Are people being asked for more in terms of security? Are people being required to adhere to new regulations? Are there changes being asked for to keep [risk] insurance premiums the same, or have they gone up?”

Said NG Bailey’s Sall: “We’re on a number of frameworks and recently we’ve been sent a whole load of terms and conditions to sign regarding cybersecurity, because the premiums for cybersecurity are going through the roof.” As a result, NG Bailey sits down with insurers, Indi said, “and we do a deep dive into our business with them, so they can understand the risk, and what mitigations that we’re putting in place. It’s about building a really good relationship with them.”

Insurers would normally be very interested in understanding a firm’s risk and control framework and talking through what is done in practice about these things, said Willcock.

Speed of change

Meanwhile the global pandemic has accelerated change across the construction industry, and Marshall wondered how that had changed the risk profile and the kinds of threats that firms were concerned about. Had they adapted relatively quickly?

“We basically said if we offer our people a form of ‘smart blend working’ where they can work wherever they want, we will be responsible for the technology they use,” said HLM’s Charlesworth. “So we’ve essentially given everybody a laptop that is still under our control, which has mitigated quite a lot of the risk and worry for home kit being VPN-ed into the networks and all of the chaos that that potentially brings.”

Alinea’s Baylis agreed. “We pretty much did the same; everyone has a work laptop, run by the IT departments, and accessing it outside the office is all via VPN with appropriate authentication. Otherwise it’s about limiting people’s access, making sure they only have access to folders they need.”

Willcock agreed, adding that security had been tightened at his firm. “That’s happened across the board, from access to systems and IP tracking, monitoring, data loss prevention tools, network benchmarking, all of these things have really come to the fore, because before it was everyone sitting in an office. Now suddenly, everyone’s working from home so there is a substantial change in terms of risk profiles.”

Supply chain challenges

As with any other type of risk in construction, guarding against data risk is best achieved when relationships between supplier and customer are at an optimum. NG Bailey conducts quarterly reviews with suppliers, assessing their data security policies, said Sall. “We work with them, instead of beating them up. We’re trying to help them as a business, but also understand some of the risks and can they manage that risk from a data perspective. If they can, great; if they can’t then we don’t work with them.”

The consulting side of the industry has to take a different approach to data security. Said Alinea’s Baylis: “Given how we work, our supply chain is very different to Indi [Sall]’s, where our supply chain is more consultants who will be working with us. They’ll get a company laptop and will need to adhere to all our policies. They don’t become staff, but they get treated as if they were a member of staff. They have to adhere to all our policies, and if they don’t then we call them up on it.”

HLM also takes the approach of effectively regarding suppliers as members of staff, said Charlesworth. “We have an approved supplier route, and they have to be vetted. First they get added to an internal list that we can use and don’t deviate from. If we were to use people who aren’t on that list, they won’t get paid.”

At any point anyone could create a problem, said Egnyte’s Yates. “You can’t just say on day one: you’re secure, therefore you’re secure forever. You have to continually assess. For me security is so much more than ‘it’s just an external network problem’. A lot of people think cybersecurity is just ‘How do we secure our network? How do we stop people from getting in? How do we stop bad actors from accessing the data?’

“But what I see more often than not is an insider threat. People maliciously compromising data or through neglect or a lack of training. Are they clicking on what they should? Did they share the wrong file with the wrong people?”

The future?

So what of the future, Building’s Marshall asked. How can risks to data security best be tackled? There appeared to be a consensus around one starting point: the attitudes of staff.

Hollis’s Willcock said people were the most important and potentially influential factor. “People think data risk belongs to the IT department. But it is everyone’s problem. Your most likely point of compromise is going to be the people within your organisation. So ensuring that people remain vigilant, and are adequately trained, is crucial.”

NG Bailey’s Sall agreed. “Teach your people, continuously remind them of their responsibilities for the data they’re managing, make sure they understand the risks and remind them through regular evaluation, not just a one-off ‘Oh, yes, we’ve done the assessment’. It is a continuous process of improvement. And that includes the supply chain. It’s got to involve everybody who touches our data set; it’s vital they understand that.”

And while Alinea’s Baylis agreed that education and training were vital, he pointed out that sometimes it wasn’t enough: “The biggest factor is going to be human error. As I mentioned earlier, you can train people as much as you want, but if someone decides to click on that link, there’s not much you can do about it.”