Tuesday, September 19, 2017

How construction companies can manage cyber risk

Cyber criminals are proving common adversaries for organisations across every sector, and managing the risks they present ought to be a priority for any business.

Through phishing attacks, employees are persuaded to hand over valuable information by fraudsters. Through spear-phishing attacks and social engineering, CEOs and other senior personnel are specifically targeted for even more valuable information.

Malware and ransomware are commonly transmitted through innocuous-seeming but dangerous files and URLs contained in emails: in the former case, the purpose is to illicitly access and damage systems and data; in the latter case, the purpose is to hold valuable information hostage until payment is made.

The construction market is just as vulnerable to these kinds of attack as any other. If you’re running a firm, everyone you employ is a potential target. Simple, everyday functions such as email can be manipulated for the cyber-criminal’s ends.

So how can you combat these risks?

Understanding and counteracting cyber risks

The first step is to develop a comprehensive understanding of cyber risks. This doesn’t mean assuming the burden of combating them, but it does mean acknowledging that threats exist and can compromise your systems.

Making efforts to quantify this threat and the vulnerability of your IT infrastructure is the first step on the path to protecting your business. When you can better understand the impact an attack might have, you’re better placed to introduce the necessary countermeasures. An appropriate and all-encompassing risk assessment methodology is essential.

But all technical countermeasures should be proportionate to the risks they are intended to mitigate. The most expensive technical countermeasures should be reserved for the most exceptional threats; when the threat level is low, overinvesting in security can unnecessarily strain your resources.

Besides which, even the most sophisticated security is not impregnable. Cyber protection services work to identify and contain compromises – before returning the business to a normal level of operation. When these incidents are understood, the company can learn from them and adapt.

Train in vain?

There is a common misconception that the root of all cyber-attacks is human error: that, with the right knowledge and a vigilant eye, the average employee can stop compromises from occurring in the first place.

Certainly, it is important to make sure that all members of staff with access to sensitive information assets comply with the company’s security policy, and receive the same level of instruction as core members of the team. But it is essentially misguided to believe that employees can serve the same function as trained professionals. Cyber awareness is important, but cyber education is often a misallocation of resources. Update them on the latest threats that the organisation faces, but never expect them to assume preventive responsibilities – training users inevitably ends in blaming them.

Cyber security education is often incomplete: attackers are persistent, and many have made careers out of finding ways to compromise well-protected systems. The sheer volume of attacks renders any training exercise pointless. Recent beta testing for Corvid’s Pernix Email Protection tool revealed that a single client with 1,000 email accounts faced 139,136 impersonation attempts, 80,148 samples of malware, and 1.4 million spam emails in a period of three months. How can an end-user fight off this many attempts and still conduct their core job duties?

A constructive approach to cyber security

Technological problems require technological solutions. Email protection systems are invariably better equipped to handle attacks: they work to identify attack vectors and close them immediately. Better yet, they’re able to learn with the aid of large training sets – their countermeasures improving with each attack. These systems are less costly, and more likely to generate undisruptive results.

Attackers are greater in number than ever before: with cyber exploit tools now monetised, they are not even particularly technically savvy any more. The frequency of cyber-crimes is such that businesses have more areas of vulnerability than ever before. To protect these vulnerable areas, companies should make an investment in security systems that is proportionate to the threats they face. Anything more and you risk resources; anything less and you risk the entire business.

 

 By Nick Yarham, Client Engagement Manager, Corvid, the cyber security arm of Ultra Electronics.


The post How construction companies can manage cyber risk appeared first on UK Construction Online.

