Kerry London News

Cyber Threats and Civil Engineering

Thursday 11th August
The embarrassment of headline-grabbing information breaches is just the tip of the iceberg when it comes to the growing cyber risks facing civil engineering firms. Karl Jones of UK insurance broker Kerry London says the risks go much further than reputational damage.

From the cyber attack which lost UK telecoms firm TalkTalk 100,000 UK customers last year to the many red faces caused by international law firm Mossack Fonseca's Panama Papers leak, the importance of cyber security has never been more relevant – particularly for civil engineering firms.

A Department of Business, Innovation & Skills survey published in May this year (BIS, 2016) found that 65% of large and 51% of medium organisations suffered a cyber breach in 2015 – though there is still no obligation to report these.

Knowing the risks

Civil engineering firms now rely heavily on electronic systems. They are used for everything from day-to-day office administration and communications to digital design and engineering, building information modelling, project and supply chain management, logistics planning, satellite positioning, and monitoring and control systems.
The consequences of electronic systems failing or coming under attack are potentially very serious given the safety-critical nature of structures and infrastructure and the often large sums of money involved. Attacks can come from a diverse range of sources including criminals, rogue governments, terrorists, activists, competitors and even disgruntled employees.

Attacks generally fall into two categories: malicious viruses being introduced to the network internally, or external network intrusions. If a system breach happens, the risks are many: reputational damage and the ensuing loss of customers; loss of intellectual property; fines from the UK Information Commissioner; business interruption; loss of invoicing systems; being held to ransom to remove external encryption from documents; financial fraud; malicious alteration of designs or survey data; and defamation.

Potential solutions

The Information Commissioner’s Office reported that 93% of investigated incidents in the fourth quarter of 2014 were caused by human error. Employee education should therefore be a high priority, along with appropriate controls on own-device usage and access to personal web-based email accounts.

Employee education and control should form part of a comprehensive cyber security strategy, which should include regular stress tests. Civil engineering firms should also factor in the need for anti-virus software and firewall protection, evaluating and protecting systems of high exposure or value to the business, and regulation of administrative access.

Prudent firms should also consider buying non-physical business interruption insurance. Essentially this works in the same way as physical business interruption cover. The cover is designed to indemnify businesses for either lost profits or revenue as a result of a cyber event that damages or interrupts their cyber infrastructure. Depending on the insurer, the cover could be part of data-breach insurance or a standalone policy, and can be extended to deal with financial crime.

Top-level decision

According to BIS (2016), only 29% of UK businesses have written cyber security policies and just 10% have formal incident management processes.

Cyber security strategy should be decided at the top level of all civil engineering businesses and then integrated into company culture through employee policies and education. Its success will also depend on regular updates to security software and procedures reflecting new cyber threats.

Reference

BIS (Department for Business Information and Skills) (2016) Cyber Security Breaches Survey 2016. https://www.gov.uk/government/publications/cyber-security-breaches-survey-2016 (accessed 02 June 2016).

For further information contact: Karl Jones

Tel: +44 7807 194 283

Email: karljones@kerrylondon.co.uk
