Why a robust cyber-crime strategy is a critical investment for construction firms

As published in Construction Manager, 24 October 2014.

Technological development contributes many benefits to a construction business and is generally seen as a force for good, but it isn’t without its downsides. With the Government estimating the annual cost of cyber crime to UK businesses to be in the region of £21bn, this developing threat poses a business-critical risk to all companies, including those in the construction sector.

The proliferation of email and other network-based systems and electronic storage of records mean that construction firms now sit on a wealth of data, including a significant amount of legally confidential and commercially sensitive information. The construction sector is regularly involved in the kind of large financial real estate transactions that make it an appealing target for organised (cyber) crime.

As well as the financial cost of a computer hacking or electronic fraud crisis, there is also a high level of reputational risk. The level of risk is also likely to increase with the size of the project, especially for the Principal Contractor. Firms can be working with clients who themselves have access to sensitive data and/or who require a high level of confidentiality. Some schemes, such as government and infrastructure projects, will be of national importance. The reputational damage in the event of a high profile cyber attack or data breach can be devastating, and in the worst cases irreparable.

Just as in other sectors such as financial services and utilities where data security is of paramount importance, a robust cyber crime strategy should not be considered a ‘nice to have’ but an integral part of every firm’s approach to risk management. While there tends to be higher awareness of the issue of corruption within the construction industry, until recently there has generally been less awareness in some parts of the sector regarding the risk of cyber crime. This was highlighted by research conducted by QBE Insurance Group last year that found that just 44% of respondents in the building and construction industry said they had a cyber security plan in place, compared with 94% for financial services. Furthermore, just 26% of building and construction firms informed QBE that they had taken out appropriate insurance.

Your systems and data require a high level of protection and security. Given the risks involved, however, this should be seen as more than just protecting your assets. A comprehensive policy and risk assessment for preventing cyber crime should be embedded within the business as a critical investment.

Importantly, the strategy should not only embrace technology. In addition, construction firms must take the time to fully understand the specific risks posed to their business and identify the areas of operations that are priorities for investment to combat and minimise that risk.

Investing in the necessary IT, including excellent firewalls, is a must. But it is also important to invest in the people behind not just the technology but the overall strategy. Good cyber security clearly requires good IT professionals, and this should not be underestimated. However, it also means that a senior person within the business (whether this is a risk professional or someone in a related position in the legal or IT departments, for instance) takes ultimate responsibility for the cyber security strategy. This responsibility should also be explicitly stated as part of their role. It is then up to this individual to put both the right policies and risk assessments in place and to ensure that the right people are tasked with managing the implementation of risk reduction measures. Another important part of this role is to ensure that the business has a joined up approach to security, including physical security and staff checks.

Get your cyber security strategy right and not only will it serve to protect your business from fraud and theft of confidential information and preserve your firm’s reputation, it can also help you to establish a competitive advantage. By embracing it as part of a strong overall risk management process, it can be a major point of differentiation and a source of future new business wins, thereby enhancing profitability. A good cyber crime security strategy does make good business sense!

This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.

David Egan

Partner - Joint Head of Environment

I am a Partner at DWF, providing clear, expert advice on matters relating to crisis management, environmental incidents and fatal accidents.