After years of lagging behind other sectors, the construction industry has recognised the value of its data: construction-related businesses invested a remarkable 188% more in cybersecurity in 2018–19. Data leaks and cyberattacks have hit every sector worldwide. In 2019 alone, 55% of UK businesses experienced a cyberattack, and the average cost of a breach was £176,000. Every company therefore needs effective cyber protection to keep attackers from destroying what it has laboriously built.
Some of the most significant construction projects in the UK are delivered by joint ventures. A joint venture (JV) is a business entity created by two or more parties and characterised by shared ownership, shared returns and risks, and shared governance. The data a JV manages must therefore be secured to protect the vital infrastructure it builds. JVs must secure their websites, computer systems and data, because a failure to protect this information harms the individual partner firms and, where vital infrastructure is involved, may jeopardise national security. To this end, the UK government, in collaboration with the construction sector, has introduced new guidance that promotes information security through the adoption of security best practices across the sector.
Joint Ventures and Information Security Risks
Digitalisation has brought the construction industry greater productivity, lower costs and more extensive data exchange. It has also created a working model in which ever-increasing volumes of data are generated and stored digitally for every project, so the confidentiality, integrity and availability of a project's information and IT systems are increasingly critical to its success. These developments make the industry an ever more attractive target for threat actors, including cybercriminals, foreign state actors and malicious insiders, who may seek to steal, misuse, alter, destroy or deny access to crucial information, with potentially severe consequences for their victims.
Construction businesses of all sizes are exposed to criminal activity. Several factors make information security risks particularly relevant to joint ventures: the large sums of money and volumes of sensitive data that construction JVs handle, differences between the partners' security practices and risk appetites, the complexity of their combined IT infrastructure, their potential proximity to other significant assets, and their extensive site footprints.
Information security risks associated with JVs in the construction sector include:
- Ransomware: Ransomware denies users access to their systems and data by encrypting files, then demands a payment for the decryption key. Construction is one of the industries most frequently targeted by ransomware globally, and several UK businesses have been hit in recent years.
- Phishing: Phishing attacks trick unsuspecting users into revealing sensitive information, such as login credentials, which attackers then use to gain unauthorised access to systems.
JV information security must be approached uniformly: establishing information security governance and accountability, assigning key roles and responsibilities, understanding the information security risks and requirements particular to joint ventures, and developing and adopting both an information security strategy and an information security management plan.
JV Information Security Roles and Responsibilities
The information security roles within a construction-sector JV will vary, but the following key roles and responsibilities should exist:
JV IT Lead: Works with the Information Security Lead to develop the IT architecture needed to meet the JV's IT requirements. This role is frequently supported by internal teams within the partner organisations.
JV Information Security Lead: Oversees the JV's day-to-day information security requirements, its information security strategy and its security management plan.
JV Security Controller: A representative of each JV partner who manages information security activities for their own company and works with the other Security Controllers to establish information security strategies and plans for the JV as a whole.
JV Data Protection Officer: A designated individual who informs and advises the Board on data protection and ensures compliance with the Data Protection Act.
The Information Security Management Plan
The Information Security Management Plan is owned by the JV Information Security Lead and the JV IT Lead, who select the team members who will work on it.
Wherever appropriate, the plan should adopt and adapt the existing policies, methods and processes of the JV partner organisations, avoiding duplication and unnecessary effort and ensuring that the partners' relevant domain expertise is put to use.
Gaps or omissions in the plan will undermine the effectiveness of the information security strategy and increase the likelihood of a security breach or incident. Security controls should therefore be routinely monitored, tested and audited for effectiveness to ensure the plan remains fit for purpose.
The importance of the Design and Implementation of an Information Security Management Plan
The first stage in creating an information security management (ISM) plan is to agree and implement the JV's approach to identifying, assessing and controlling threats to its shared IT infrastructure. Once an ISM approach has been selected, the partners' representatives should compare it with their own enterprise ISM approaches to find where processes need to be modified.
JV partners should aim to align their IT systems and processes with recognised standards, in particular Cyber Essentials. Like any other organisation, a JV must have defined protocols and procedures to detect, respond to and recover from information security events; in a JV these can be produced by reusing and adapting the partners' existing procedures. The recently published guidance does not prescribe a particular approach, but it does advise JV partners to draw on their prior experience with widely accepted frameworks such as ISO 27001, the NCSC Cyber Assessment Framework (CAF) or the NIST Cybersecurity Framework (CSF). Whichever approach is chosen, it should cover the identification of information security risks, protection against them, detection of incidents, and documented processes for responding to and recovering from cyberattacks.
Through the new Information Security Best Practice Guide, industry and government have given UK construction companies security guidance that is unique in its kind. By giving specific direction on how to safely handle, store and exchange the data produced in joint venture projects, the guide aims to help these companies protect sensitive information from attackers. Businesses that take the suggested actions can improve their physical, personnel and cyber security, making themselves less appealing targets for cybercrime.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.