Construction firms are failing to protect themselves from cyber criminals, with employees reporting that they prefer a top-down approach to in-house cyber security policies.
The Cyber Security Breaches Survey (CSBS) polled more than 3,400 UK companies across a range of sectors between September 2022 and January this year. Sole traders and public sector organisations were not polled.
Aligned with the National Cyber Strategy, its purpose is to inform government policy on cyber security and to assess the various cyber-attacks and cyber-crimes companies face.
Cyber-crime is a national scale issue, which costs the UK economy an estimated £27 billion per annum, according to the UK Government.
A top-down approach
The survey found businesses in construction to be among the sectors “least likely” to have board members taking responsibility for cyber security (21%).
At the other end of the scale, however, sectors which tended to prioritise cyber security, and were also above average in 2022 and 2021 surveys, included Information and Communications (49%), Finance and Insurance (44%), and Scientific and Technical (41%).
Data showing how often company directors and senior managers were given updates on actions taken around cyber security revealed the following across all sectors:
- Monthly 41%
- Quarterly 23%
- Weekly 11%
- Daily 6%
- Annually 5%
- Never 3%
- Don’t know 7%
- Monthly 24%
- Quarterly 22%
- Weekly 13%
- Daily 7%
- Annually 14%
- Never 5%
- Don’t know 8%
It also revealed that the percentage of firms aware of government guidance and initiatives on cyber security was as follows: Cyber Aware (27%), 10 Steps to Cyber Security (14%), Cyber Essentials (14%).
Further, the extent to which business directors and senior managers viewed cyber security as a high or low priority gave these results:
- Very high 36%
- Fairly high 35%
- Fairly low 19%
- Very low 8%
Technology leads within the companies surveyed tended to agree on the benefits of having company directors take the lead on cyber security and its in-house implementation.
“It’s good to have somebody right at the very top who understands the risks and is quite supportive,” reported an IT manager at a large business.
The infrastructure and security lead at a medium-sized firm added: “Luckily, at director level, there is the message [to staff] that ‘this is happening, you will toe the line on this, and there is no excuse’. I do have the backing to push through what we agreed. They know they need to improve security and change where staff members are positioned.”
However, one business technology officer for a large firm also illustrated the pitfalls of treating cyber security as a financial audit rather than as a matter of governance: “Most of [the cyber security audit] is bullet points showing the money spent and what we got out of it. It shouldn’t be, but it’s more a financial exercise than a governance exercise. You’re competing for budgetary allocation more than anything else.”
Technical cyber security controls
Construction was also found to be “less likely” than other sectors to have a range of technical rules and controls in place to help minimise the risk of cyber security breaches (26%). The same was true in previous years.
The most frequently deployed security measures among businesses tended to be:
- data back-ups (both Cloud-based and non-Cloud)
- updated malware protection
- password policies
- network firewalls
- security controls on organisation devices, or only allowing access via these devices (as opposed to personal devices)
- agreed processes for phishing emails
- policies to apply security updates within 14 days
However, two areas where many large firms do not have technical rules and controls are patch management (66%) and restricting access to organisation-owned devices (69%).
Three per cent of all UK businesses have been a victim of fraud that resulted from a cyber-crime in the last 12 months. This equates to approximately 40,000 companies.
The overall percentage estimates are also slightly, but significantly, higher among large businesses.
Alarmingly, construction businesses are among those “most likely” to fall victim to cyber-facilitated fraud, the study found.
This finding appears to align with that of the Economic Crime Survey (ECS), which showed construction saw 18% of firms defrauded in the three years to 2020, not far behind Finance, Mining and Retail.
More alarming still, construction was found to be the sector “least likely” to have preventative measures in place to guard against fraud victimisation.
The poll also found construction firms were “more likely” to experience fraud victimisation via online banking, possibly reflecting “vulnerabilities associated with the use of payment systems”.
The average annual cost to a construction business was found by the ECS to be in the region of £14,000. Annual losses to fraud in the UK were up to £190 billion, as of a 2017 annual fraud indicator report, of which £140 billion was via payroll and procurement in the private sector.
The percentage of firms polled by CSBS that had breaches leading to cyber-facilitated fraud showed:
- Phishing attacks 68%
- Hacking of online bank accounts 35%
- Takeovers of organisation or users’ accounts 12%
- Viruses, spyware or malware 12%
- Denial of service attacks 5%
- Ransomware 5%
- Unauthorised access of files/networks by staff 3%
Wider feedback on cyber security adoption
“[Cyber security is seen as] a scary, messy business with lots of technical challenges, best left to the experts. But there’s a growing recognition that it’s staff behaviours that drive most of the cyber security risk, so we need to share more with the SMT [Senior Management Team], so they know where the threats are coming from and what behaviours might be seen as risky,” – business and resources director at a high-income company.
“Inflation is not affecting cyber security budgets at the moment. Maybe over the next year, as there is a sharp focus on spending, we may need to really be able to justify our case,” – head of cyber security for a large business.
“We don’t identify the threat sponsor. We do differentiate if it’s insider attacks, malicious or unintended. But that’s it in terms of differentiating the source. It doesn’t matter why they wanted to do it. It’s what they do that impacts us and makes a difference to the organisation,” – information security strategic lead at a high-income company.