Felix Blog - Procurement Industry News & Insights

Emerging cybersecurity risk added to construction’s perfect storm

Written by Mike Davis | Apr 12, 2022 6:50:52 AM

The construction industry’s persistent labour shortage and escalating material costs have created the perfect storm, as seen in the recent shock collapses of two major Australian construction companies.

However, another emerging area of concern is cybersecurity risk in construction: cyber attacks on an organisation’s supply network could form the next big wave, one for which organisations remain precariously unprepared.

The recent Security Legislation Amendment bill (SLACI) passed by Parliament amends the Critical Infrastructure Protection Act 2018, in response to the growing threat of cyberattacks on Australian infrastructure assets. It requires owners and operators across a wide range of sectors to review and implement measures for cyber risk management, preparedness, prevention and resilience.

Construction relies heavily on third parties through a complex web of contractual arrangements and subcontracting. This means the cybersecurity risk of each construction organisation extends to its consultants, contractors, subcontractors and suppliers.

Construction suppliers within this network have become more attractive targets for cyber criminals as the pandemic drove the adoption of technology. The supply chain, in effect, becomes a cybersecurity blind spot, with many risks not always immediately visible or easily addressable.

The most significant emerging risk in third party management

The recent Building in the Dark report from Felix investigates the far-reaching construction supply chain risk in Australia and New Zealand, and it highlights pressing insights into the cyber risks looming over the sector.

Managing digital risks has become the most significant emerging risk in third party management, according to Deloitte. With so many third parties involved, intellectual property or commercially sensitive information has to change hands many times. The cybersecurity risk is especially pronounced in the context of shared project documentation management platforms.

Despite the increased threat of a cyberattack, Felix’s report found that the sector is not adequately aware of the need to manage digital risks. 50% of participants were somewhat concerned or less about data breaches and cyberattacks.

Levels Of Concern In Relation To Data Breaches And Cyber Attacks. Source: Building in The Dark

Even as organisations increasingly rely on their supply chains to deliver construction and infrastructure projects, they are unaware of the kind of risks that exist within these supply chains. 67% of industry professionals surveyed believed that clients or project sponsors do not understand the true cost of effectively managing third-party risk.

Fewer than half (40%) of participants were more than a bit confident that their organisation can identify all the parties in its extended supply chain.

Transferring the cyber risk

Supply chain risk beyond that associated with directly engaged third parties or the boundaries of the site is often not well understood or assessed. Research suggests that performance and compliance risks are transferred to third parties within the network that are not fully equipped for this responsibility.

Many organisations remain in the dark concerning the risks that lie within their own supply networks, such as failure of security or breach of privacy, including unauthorised access and interference with project tools, data and specifications.

The issue is compounded by low levels of transparency and monitoring of third parties. In effect, many organisations are consciously operating in relative ignorance of the actions of suppliers that are not directly managed on the job site, and thus remain in the dark concerning the management of multiple risks.

To comply with the new SLACI Act and manage their cyber risk profile, organisations will need to adapt their cyber attack response and recovery plans. However, many are unaware that this alone is not a sufficient risk response. Organisations need to extend the management of cybersecurity risks to their supply network – the very builders, contractors and suppliers being targeted by the bad actors.

Digital’s untapped potential to address supply chain vulnerabilities

Improved risk management of the supply chain requires greater visibility of the network. Technology advancements now enable organisations to inject greater transparency and accountability into the supply chain by enabling large volumes of information to be efficiently obtained, analysed, and monitored.

Digital solutions designed with security in mind and bolstered with advanced safeguards provide reliable, shared online spaces to identify and manage ongoing risks associated with the network.

ISO/IEC 27001:2013 is the international standard for information security, and sets the benchmark for organisations in managing their information security by addressing people, processes and technology against standards and best practice approaches.

However, while many organisations recognise the value of going digital, over half (56%) of the research participants believed their organisations were not investing enough in digital tools. 

The impact of a cyber incident can cost up to millions, not to mention the less quantifiable impact on the organisation’s reputation. It is imperative for construction leaders to assess the evolving cybersecurity risks not just within their own organisation but across their supply chain. By ensuring they have adequate systems to drive transparency and accountability throughout their supply chains, the industry will be well-positioned to address cybersecurity as well as any other vulnerabilities across their network.

------- 

About the Building in the Dark Report:

The Building in the Dark report, co-produced with entwine, is based on a survey of over 150 individuals across both Australia and New Zealand, a selection of one-on-one participant interviews, and extensive desktop research of existing reports and industry commentary.

------

Originally appeared on Cybersecurity Connect