With cyber attacks becoming more costly and targeted, complacency towards cyber security places at risk not only contractors’ own systems, but also those of suppliers and partners within their supply chain. Bryan Banbury, managing director of independent insurance broker Russell Scanlan, looks at how the lack of a robust cyber security strategy places contractors at risk of being excluded from supply chains.
Last year, more than two in five businesses (43%) experienced a cyber breach, and with the continuing drive towards BIM, automation and more connected, collaborative working, the construction industry is increasingly vulnerable to cyber crime threats.
Whilst it’s often the big brand names such as Facebook and British Airways that hit the headlines, security breaches often occur due to flaws in third party partners. The construction industry relies on a vast network of SME suppliers and contractors which can be easy targets for attackers if they don’t have robust security measures in place. The cyber security of any company within the supply chain is only as strong as that of the weakest member. A determined attacker will identify the weakest link and use any vulnerability to gain access to other members of the chain.
Larger organisations and main contractors are realising that it’s no longer enough to ensure their own network is secure; they must now also pay attention to securing the supply chain.
Enterprises at the top of a supply chain will more and more require certification as proof of security and compliance, or will want contractual warrants and indemnifications as protection for themselves. The increased risks of a data breach and GDPR enforcement are requiring companies to ensure they have cyber security as part of their contract with suppliers and contractors. Larger organisations will choose to use only those suppliers that are certified as part of their due diligence and selection process.
So what can small businesses and contractors do to mitigate the risk of being excluded from supply chains? One solution is to undertake a certification process. Cyber Essentials is a UK government and industry backed scheme to help all organisations protect themselves against common attacks.
Widely considered to be the minimum benchmark for cyber security, compliance with the Cyber Essentials scheme can reduce the risk of threats from the internet by 70-80%. Businesses can obtain an official Cyber Essentials certification to demonstrate compliance, which is assessed annually. The aim is to ensure that companies can understand their cyber-risks, implement appropriate defences and meet minimum cyber security standards.
Whilst worthwhile, the accreditation process can be time consuming, which is why we offer customers access to Cyber AMI, a web-based business app to help SMEs obtain and maintain compliance with Cyber Essentials. Cyber AMI manages the annual Cyber Essentials certification process, providing a modular assessment and education support journey which is designed to guide the non-technical layman through Cyber Essentials in plain English. It enables businesses to implement better risk management practices without the expense of consultants, who now often charge in excess of £1,000 per day.
Contractors who cannot demonstrate the compliance and information security that their partners expect as a minimum risk losing contracts. Those not prepared to take cyber security seriously will be unable to compete with certified businesses. For example, the Cyber Essentials certification is already a mandatory requirement for any HS2 sub-contractor who handles building information modelling (BIM) or Bill of Quantities (BOQ).
In a rapidly evolving cyber landscape, it is time for SMEs across the supply chain to demonstrate their cyber credentials. The threat is real and contractors need to act now or risk their business failing due to the lack of a robust cyber security strategy.