Construction & Civil Engineering Magazine CCE Issue 210 | Page 32

What can the construction industry do?
To help defend, go on the offensive. Simulate what these nation-states are doing against your own construction business and shine a light on your own cyber blind spots.
We will see a heightening of nation-state interest in cyber attacking as there is a broad range of how these attacks can be deployed.
Ben Wallace (UK Secretary of State for Defence) and Joe Biden have both been talking recently about their need for offensive security practices - running your annual pen test is no longer enough.
For businesses, and especially those providing or supplying organisations with critical national infrastructure, the mentality can no longer be about merely testing but attacking. The traditional pen test is a point-in-time, typically once-a-year, narrowly scoped engagement running checks for ‘known’ vulnerabilities using common scanning tools and techniques. You need someone who will emulate and simulate the real threats.
This is a bit of a provocative statement but nobody else is doing this right. Businesses are generally looking at how they think they could be breached and taking a parameterised approach as to how breaches are done in their minds.
The rise of technology in construction comes with many risks, most crucially, cyber risks and an increased critical vulnerability of data security
How do these breaches occur?
Typically, it is assumed that breaches will occur via a digital route, say for example your main website.
This leads to point-in-time, narrowly scoped offensive security engagements. Such an approach leaves blind spots, and the moment the report touches your desk, it’s out of date. The real actors are constantly looking for ways to compromise your business. They target the whole brand using digital, social and physical routes via multiple attack paths to find a way to achieve a breach.
A typical, naive response and approach of many business leaders is ‘why would they attack us or why would we be classed as important? We are a construction business - who would come and attack us?’
Imagine if you were breached, your data was stolen, and your business could no longer operate without paying a ransom to the attacker. How would you feel? How would you function? How would your brand suffer being headline news?
There is a lag in mentality in organisations that are doing things the old and outdated pen test way, setting rules of engagement with their cyber security teams and expecting it to provide a realistic view of how attacks really happen.
The data tells us that this is a threat that everybody needs to take seriously, with recent data showing that more than 80 percent of UK businesses suffered at least one cyber-attack in 2021/22. That accounts for nearly 4,000,000 registered companies.
What are the predictions for the future?
What I believe we will see in the coming years is an acceleration in bad actors, including nation-states, targeting organisations that provide software or services that would give the adversary or nation an advantage