Cybercrime is becoming more sophisticated, and construction, with its sprawling supply chain, is particularly exposed to social engineering: attacks that manipulate people rather than break technology. Andrew Avanessian explains.
Andrew Avanessian
Headlines concerning cyber attacks are becoming all too familiar, from large-scale data breaches to vicious ransomware attacks that lock down corporate data and demand payment for its safe return.
The construction industry is vulnerable just like other sectors. Materials giant Saint-Gobain was one of those hit by the "NotPetya" outbreak last year, and it is likely that others were too but kept quiet. NotPetya is also a reminder that paying is no guarantee: its ransom demand was a sham, and victims who paid recovered nothing.
Legislation is also raising the bar on cyber defences. The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and gives the Information Commissioner's Office (ICO) much more clout when it comes to financial penalties. Companies could be fined up to 4% of global annual turnover or €20m (roughly £17.8m), whichever is higher.
Construction companies should be analysing their own security strategies. There is a strong argument that the industry is more at risk than most, given the sprawling nature of a typical construction supply chain. The number of third parties involved means that there are numerous ways that cyber criminals can access a company and its data.
Top three tips to avoid social engineering attacks:
- Security hygiene. Good security hygiene throughout your organisation is a must. Strong, unique passwords for every system, backed by multi-factor authentication wherever it is available, is obvious advice; a phished password is far less useful to an attacker if it is not enough to log in on its own. Patching systems and software regularly, and as soon as possible after any new security vulnerability is announced, completes the foundation.
- Protect the keys to the kingdom. Remove administrator privileges from all employees apart from those who genuinely need them. Anyone with an admin account can change anything on the machine, and so can any malware that runs under that account. A phishing payload opened by a standard user is confined to what that user can do; one opened by an administrator can disable defences, install itself permanently and move on to other systems. The same applies to suppliers and contractors who are given accounts on your infrastructure.
- Layer your defences. Defence in depth is the best way to reduce the risks, and application control (allow-listing) is a layer that shouldn't be ignored: only known, approved applications are permitted to run. If an employee clicks a malicious attachment in a phishing email, the program it tries to launch is blocked and the corporate system is still safeguarded. One caveat: application control stops code from running, not people from being deceived. A fake login page that harvests a password, or an email that talks someone into paying a fraudulent invoice, runs no software at all, which is why the other layers still matter.
One of the most common types of attack is "social engineering". This involves preying on weaknesses inherent in human nature, tricking users into divulging sensitive information, or taking a harmful action, without realising it.
This typically takes the form of a phishing email. The Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2017 reported that a “large supplier” for the construction industry faced “significant and ongoing” cyber attacks, including “over 3,000 phishing emails a month and various ransomware attacks” – highlighting the risk to the sector.
The content of these emails has evolved since the days of an overseas businessman asking for money in an error-riddled message. These days they can be incredibly targeted. The information we leave in our digital footprints (company websites, social media profiles, press releases) allows attackers to craft bespoke messages that appear to be legitimate.
The email might look as if it comes from a trusted supplier or another third party, but is actually an attacker masquerading as a familiar source, often from a look-alike domain that differs from the real one by a character or two. They might trick you into transferring funds to a new account (the "our bank details have changed" invoice fraud is the classic supply-chain version), or simply into opening an attachment that gives them access to the wider corporate infrastructure. A simple rule blunts the first of these: never act on a change of bank details received by email without confirming it by phone on a number you already hold for the supplier, not one taken from the message.
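As an added example (not from the article or from Avecto), the check below shows what a mail gateway or a SOC triage script can look for in exactly the kind of message just described: a look-alike sender domain, an envelope sender that does not match the visible From address, failed sender authentication, a request to pay into changed bank details, and an attachment that would execute. The two sample messages, the supplier domain "acme-aggregates.co.uk" and the attachment names are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr
from pathlib import PurePosixPath

# Assumption: the domains of suppliers the firm actually pays (constructed).
TRUSTED_SUPPLIER_DOMAINS = {"acme-aggregates.co.uk"}

# Extensions that execute when opened: typical phishing payload carriers.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Wording of the payment-diversion lure.
PAYMENT_CHANGE_PHRASES = ("bank account", "bank details", "new account", "has changed")

# Constructed sample: looks like an invoice from a known supplier, but comes from a
# look-alike domain, fails SPF, asks for payment to a new account and carries a script.
SAMPLE_PHISH = """\
From: "ACME Aggregates Accounts" <accounts@acme-aggregates.co>
Return-Path: <bounce@mail-relay.example.net>
To: payments@builder.example
Subject: Invoice 4471 - updated bank details
Authentication-Results: mx.builder.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please note our bank account has changed. Pay invoice 4471 to the new account shown in the attached form.
--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.js"
Content-Disposition: attachment; filename="Invoice_4471.pdf.js"

var x = 1;
--b1--
"""

# Constructed sample: the same supplier's genuine invoice, for comparison.
SAMPLE_LEGIT = """\
From: "ACME Aggregates Accounts" <accounts@acme-aggregates.co.uk>
Return-Path: <accounts@acme-aggregates.co.uk>
To: payments@builder.example
Subject: Invoice 4472
Authentication-Results: mx.builder.example; spf=pass smtp.mailfrom=acme-aggregates.co.uk; dkim=pass header.d=acme-aggregates.co.uk
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Please find invoice 4472 attached. Payment terms as usual.
--b2
Content-Type: application/pdf; name="Invoice_4472.pdf"
Content-Disposition: attachment; filename="Invoice_4472.pdf"

%PDF-1.4
--b2--
"""


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def analyse_message(raw):
    """Return a list of human-readable indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    _, env_addr = parseaddr(str(msg.get("Return-Path", "")))
    env_domain = _domain(env_addr)

    # 1. Look-alike sender: not a supplier we know, but spelt almost like one.
    if from_domain not in TRUSTED_SUPPLIER_DOMAINS:
        for trusted in TRUSTED_SUPPLIER_DOMAINS:
            if SequenceMatcher(None, from_domain, trusted).ratio() >= 0.8:
                findings.append(f"look-alike sender domain {from_domain!r} resembles trusted {trusted!r}")

    # 2. Envelope sender (where bounces go) does not match the visible From domain.
    if env_domain and env_domain != from_domain:
        findings.append(f"envelope sender domain {env_domain!r} differs from From domain {from_domain!r}")

    # 3. Sender authentication results recorded by our own gateway.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, flags=re.I):
        if result.lower() in {"fail", "softfail", "permerror"}:
            findings.append(f"{mech.lower()}={result.lower()} on inbound authentication")

    # 4. The payment-diversion lure in the body text.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(p in body for p in PAYMENT_CHANGE_PHRASES):
        findings.append("body asks for payment to new or changed bank details")

    # 5. Attachments that execute, or hide a real extension behind a fake one.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if suffixes and suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"executable attachment {name!r}")
        if len(suffixes) > 1:
            findings.append(f"double extension on attachment {name!r}")

    return findings


def is_suspicious(raw):
    """Two or more independent indicators is a reasonable hold-for-review threshold."""
    return len(analyse_message(raw)) >= 2
```

No single indicator is conclusive (a legitimate supplier may send from a third-party mailing service, so the envelope-sender check alone would be noisy), which is why the verdict is based on several agreeing. Note also that a message can pass every technical check and still be fraudulent if the supplier's own mailbox has been taken over; the phone-back rule above covers that case.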
These can be very difficult to defend against. Educating employees is important, but even the savviest staff can be caught out by a well-targeted message. And can you really educate all your suppliers and their employees too? Defences need to be technical and procedural as well as human.
These defences don’t have to be complicated (see above). Focus on the basics and you’ll be in a very strong position to defend against internal and external attacks – including those that start within the supply chain.
Andrew Avanessian is COO at Avecto