
Cyber Security

Cyber attacks, and the resilience of your digital infrastructure and information systems against them, are one of the growing concerns in the current trading environment. ECA is here to support Members.


NCSC (GCHQ): In the last year the overall cyber threat to the UK has continued to be amplified by autocratic states like Russia and China, which are using advanced cyber capabilities against critical sectors to undermine society. Russia has routinely deployed wiper malware to delete data from inside the Ukrainian government, whilst China remains a highly sophisticated cyber actor routinely seeking to gain access to networks across the world that enable their collection of bulk data and follow-on compromises.

The NCSC has seen a stark increase in the focus on critical national infrastructure systems, as cyber attacks are used to compromise these systems for political effect. With the increase in ransomware attacks and the use of AI technology, the threat landscape is almost certain to continue to intensify, so it is more important than ever that businesses implement stringent cyber security measures.

The NCSC has released guidance for businesses to follow when the cyber threat is heightened (Actions to take when the cyber threat is heightened) and set out a plan in its 2024 annual review of how it is seeking to improve the UK’s cyber resilience to keep up with increasingly complex threats to the UK’s collective defensive capabilities (Building the UK’s cyber resilience).

As working practices become more automated and digitised, the threat of cyber-attacks continues to increase, rendering cyber security an even more important consideration for your business.

The primary cyber security risk is the potential for harm when your digital assets (including personal information) are compromised, corrupted or stolen. This can lead to financial loss, operational disruption, data breaches, and loss of trust in your organisation.

Cyber security is a method by which individuals and organisations can reduce this risk. It involves practices and technologies that you can implement to protect against, detect, and respond to cybercrime.

Cyber security is a particularly important commercial consideration given the shift towards hybrid working models, accelerated by the global pandemic in 2020. Proactive cyber security measures are critical to protect your business’s future stability, reputation and commercial viability.

Cybercrime is the offence of gaining unauthorised access to or modifying data or applications within an IT system. It is in essence any criminal activity that involves a computer, computer network or device.

Common cyber-attacks include phishing, hacking, denial of service (DoS) attacks and ransomware, and they are frequently used to commit identity theft and fraud. Further information on types of cybercrime can be found on the Cisco website.

Increasingly, businesses are being asked, as part of their pre-qualification requirements to tender, to prove their cyber-resilience in order to win work. The Common Assessment Standard (CAS) establishes an industry-agreed question set based on existing PQ questionnaires (including PAS 91 and corresponding assessment standards). CAS is being adopted throughout the supply chain as a means of homogenising the pre-qualification landscape and providing contractors with a single data repository for their pre-qualification data. Our prediction is that because the adoption of CAS is accelerating, it will inevitably feature increased scrutiny of an organisation’s cyber-resilience, systems, processes and accreditation.

The Government has backed an initiative called “Cyber Essentials” which is designed to help you protect your organisation against a wide range of cyber-attacks.

On 12 May 2021, the National Cyber Security Centre (NCSC) published the Cyber Essentials Readiness Tool via its Cyber Essentials Delivery Partner, IASME. This is designed to help businesses meet the Cyber Essentials requirements for certification.

In January 2022, the NCSC announced that it had updated its Cyber Essentials scheme with changes that cover the use of cloud services, home working, password management and security updates.

In February 2022, the NCSC published construction-specific guidance on issues affecting the industry. This guidance offers tailored, practical advice for the industry on how to protect their businesses and building projects at each stage of construction, from design to handover. It explores the most common cyber threats faced by the industry including, without limitation, spear-phishing, ransomware and supply chain attacks.

The guidance was split into two parts: the first aimed at helping business owners and managers understand why cyber security matters, the second aimed at advising staff responsible for IT equipment and services within construction companies on actions to take. The advice also outlined seven steps for boosting resilience, covering topics including creating strong passwords, backing up devices, how to avoid phishing attacks, collaborating with partners and suppliers and preparing for and responding to incidents.

In September 2022 the NCSC published guidance in relation to joint ventures in construction projects, listing a series of recommendations that can help businesses implement and maintain information security and manage cyber risks in a joint venture. These include the parties in a joint venture agreeing upon and developing a holistic approach to a shared information security strategy, agreeing upon a shared risk appetite at board level and, at a more granular level, identifying key staff to hold responsibility for assessing and responding to cyber risks. This guidance can be found here.

ECA recommends that you review NCSC’s press release on actions UK organisations can take to strengthen their cyber security resilience. These actions can be viewed in the form of the recently published guidance on the NCSC website.

Cyber Essentials is an annually renewable certification that equips you with the information you need to make your business more cyber secure by identifying areas in your IT systems in which you are required to put in tighter controls.

It is a Government-backed scheme managed by the NCSC which is designed to help protect organisations of any size against a wide range of common cyber-attacks. The NCSC recommends Cyber Essentials as the minimum standard of cyber security for all organisations. The Cyber Essentials Knowledge Hub contains up to date information on the Cyber Essentials scheme including what to include in your assessment, technical guidance and updates from trained scheme advisors.

Certification can demonstrate that a business is protected against the vast majority of common cyber-attacks.

There are two levels of certification which both attract a fee, as follows:

  1. Cyber Essentials (self-assessed and verified by a qualified assessor); and
  2. Cyber Essentials Plus (externally assessed verification).

The Cyber Essentials Plus certification includes the added benefit of a technical audit of your IT systems by an assessor. Both levels start with an online self-assessment questionnaire, completed on payment of the appropriate fee (based on the size of your organisation), followed by a signed declaration confirming that all answers are true. The questionnaire is free to download here.


Whilst the certifications have a starting fee of £320 + VAT, the benefits of obtaining Cyber Essentials could have an immeasurable impact on your business, and include the following:

  • Provides reassurance to customers of your commitment to securing your IT/organisation against cyber-attack.
  • Your pledge to have cyber security measures in place could be attractive to new customers and consequently win you business.
  • Provides a clear picture of your organisation's cyber security level and helps you stay ahead of new cyber security risks by assessing your systems against a recognised framework each year.
  • Opens up public sector work, as some Government contracts require Cyber Essentials certification, and there is an increasing requirement in general public sector procurement for cyber insurance.
  • If your organisation has a turnover under £20m and achieves self-assessed certification, you are entitled to free Cyber Liability Insurance.
  • If you hold a Cyber Essentials Plus certificate, you will automatically have passed some of the “prequalification questions” in the CAS.

More information on the assessment can be found on the Certification Body, IASME Consortium’s website here.

For more information on obtaining cyber insurance for your business online with Cyber Essentials see here and/or talk to your broker, as cyber insurance is usually a standalone policy or, at best, a bolt-on to the other common insurance policies taken out by contractors (Employer’s Liability, Public Liability, Professional Indemnity, All Risks, etc.).


Cyber Essentials Readiness Toolkit

ECA recommends Members use the Cyber Essentials Readiness Toolkit before taking the Cyber Essentials self-assessment. This free-to-use service tests your readiness for the Cyber Essentials assessment by creating a personal action plan to help your business move towards the Cyber Essentials requirements. Like the Cyber Essentials certifications, it takes the form of a questionnaire. The questions are designed to help you think about cyber security within your organisation and prompt you to consider each aspect of security that will protect your organisation against threats from the internet.

A link to the questionnaire is here.

Small Businesses

  • Cyber Aware - Small businesses and sole traders can also create their own Cyber Action Plan using Cyber Aware. This free service produces a personalised list of actions that will assist you in improving your business’ cyber security and can be found here.
  • E-learning package for staff - NCSC has published a free online training package for small organisations. Organisations can use this package to provide staff with training in the following five key areas:
  1. Backing up your organisation's data correctly.
  2. Protecting your organisation against malware.
  3. Keeping the devices used by your employees secure.
  4. The importance of creating strong passwords; and
  5. Defending your organisation against phishing.

The package is designed to be interactive, prompting staff to answer questions, identify possible issues and make suggestions for how to prevent and tackle common cyber security challenges.

The online course can be accessed here.

NCSC has also published a guide for small businesses which includes actions you can take to address the five key areas identified; it is available here.

Large organisations

NCSC has produced detailed guidance for those responsible for large organisations’ approach to cyber security. This guidance ranges from information on how to choose secure equipment and maintain its security to managing cyber security risks, and includes a list of urgent steps businesses can take if their systems have already been infected with malware.

Larger businesses may benefit from NCSC’s toolkit for Board members which can be found here. This toolkit, which can be downloaded as a PDF document, is designed to facilitate discussions between the Board and an organisation’s technical experts about cyber security.

The advent of COVID-19-related scams and the increase in home working arising from the pandemic have brought new challenges for businesses.

NCSC provides guidance which includes preparing staff for home working, spotting email scams linked to the coronavirus and controlling access to corporate systems when working remotely – found here.

If you want to start actively applying cyber security measures today, the five technical controls on which Cyber Essentials is based can be implemented immediately. They are as follows:

  1. Use a firewall to secure your internet connection.
  2. Choose the most secure settings for your devices and software.
  3. Control who has access to your data and services.
  4. Protect yourself from viruses and other malware; and
  5. Keep your devices and software up to date.
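As an added example (not ECA, NCSC or IASME code), the Python script below audits a host's own artefacts against the five controls, one check per control. The artefact formats follow `iptables -S`, `sshd_config`, `/etc/passwd` and `apt list --upgradable` output, but the sample contents are constructed for illustration, and the package names treated as malware protection are an assumption. Cyber Essentials itself is assessed by questionnaire rather than by scripts, so this is only a self-check that shows what evidence each control rests on.

```python
"""Added example: self-check of a host against the five Cyber Essentials
technical controls, using constructed Linux artefacts (not a real host)."""
import re

# --- Constructed sample artefacts --------------------------------------------
FIREWALL_RULES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
"""
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication is not set, so the OpenSSH default (yes) applies
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:0:0:legacy backup:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""
INSTALLED_PACKAGES = ["openssh-server", "clamav-daemon", "curl"]
APT_UPGRADABLE = """\
Listing...
openssl/stable 3.0.11-1~deb12u2 amd64 [upgradable from: 3.0.11-1~deb12u1]
"""
# Assumption: package names that count as malware protection on this host.
MALWARE_PROTECTION_PACKAGES = {"clamav", "clamav-daemon"}


def check_firewall(rules):
    """Control 1: default-deny inbound. Parses `iptables -S` style output."""
    policies = dict(re.findall(r"^-P (\w+) (\w+)$", rules, flags=re.M))
    open_ports = re.findall(r"^-A INPUT .*--dport (\d+) .*-j ACCEPT$", rules, flags=re.M)
    ok = policies.get("INPUT") == "DROP"
    return ok, f"INPUT policy {policies.get('INPUT', 'unset')}, inbound ports {open_ports}"


def sshd_directives(config):
    """sshd_config: keywords are case-insensitive and the first occurrence wins."""
    values = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split(None, 1)
        values.setdefault(key.lower(), rest[0].strip() if rest else "")
    return values


def check_secure_configuration(config):
    """Control 2: secure settings; here, no root login and no passwords over SSH."""
    d = sshd_directives(config)
    root = d.get("permitrootlogin", "prohibit-password")  # OpenSSH default since 7.0
    password = d.get("passwordauthentication", "yes")     # OpenSSH default
    findings = []
    if root == "yes":
        findings.append("PermitRootLogin yes")
    if password != "no":
        findings.append(f"PasswordAuthentication {password}")
    return not findings, "; ".join(findings) or "sshd hardened"


def check_access_control(passwd):
    """Control 3: only `root` may carry UID 0; any other UID-0 account is a hidden admin."""
    rogue = []
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return not rogue, f"extra UID 0 accounts: {rogue}" if rogue else "only root has UID 0"


def check_malware_protection(packages):
    """Control 4: some anti-malware package is installed (by the assumed name list)."""
    present = sorted(set(packages) & MALWARE_PROTECTION_PACKAGES)
    return bool(present), f"malware protection: {present or 'none found'}"


def check_updates(apt_output):
    """Control 5: nothing left to patch. Parses `apt list --upgradable` output."""
    pending = re.findall(r"^(\S+?)/\S+ .*\[upgradable from:", apt_output, flags=re.M)
    return not pending, f"pending updates: {pending or 'none'}"


def audit(rules, sshd, passwd, packages, apt_output):
    """Run all five checks; returns {control: (passed, detail)}."""
    return {
        "1 firewall": check_firewall(rules),
        "2 secure configuration": check_secure_configuration(sshd),
        "3 access control": check_access_control(passwd),
        "4 malware protection": check_malware_protection(packages),
        "5 security updates": check_updates(apt_output),
    }


if __name__ == "__main__":
    results = audit(FIREWALL_RULES, SSHD_CONFIG, PASSWD, INSTALLED_PACKAGES, APT_UPGRADABLE)
    for name, (ok, detail) in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {detail}")
```

Run against the constructed artefacts, the firewall and malware-protection checks pass while the SSH configuration, the second UID-0 account and the pending OpenSSL update fail; each failure names the specific setting to correct. On a real host you would feed the script the live output of the commands named above, and on Windows estates the same five questions would be answered from the firewall profile, local administrator group and update history instead.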
