Cyber attack guidance for Joint Ventures in the Construction Industry
The National Cyber Security Centre (NCSC) has published guidance for Joint Ventures (JVs) in the construction industry to help them protect themselves against cyber-attacks.
Digitisation within the construction industry is benefitting everyone involved in a project by increasing efficiency, reducing costs and allowing more data to be shared. The construction industry is, however, becoming an attractive target for cyber criminals because of the high volumes of sensitive data it holds, coupled with the large monetary value of projects. JVs also often have complex IT infrastructures, and their large site footprints can make them difficult to secure against physical attacks.
Criminals who gain access to data can modify it, damage it or simply deny access to it, any of which can seriously impact a project and the parties involved. It is not just large construction companies that make good targets: criminals are targeting organisations of all sizes. Nor do data breaches always arise from malicious attacks. Accidental breaches also occur and can adversely affect a project's information security, for example leaving commercially sensitive data on a memory stick on site, or sharing sensitive information in a public presentation. It is therefore important that all JV partners and personnel involved are aware of the risks posed by a cyber-attack or data breach and know how to reduce the likelihood of either happening. As well as taking on board the NCSC guidance set out below, JV partners should clearly record their obligations and responsibilities for data protection and cyber security in the JV agreement.
Cyber-attacks and data breaches are extremely costly to the industry. UK businesses lost £365 million in 2020 to such attacks, and a breach can also result in heavy fines under the Data Protection Act 2018.
The published guidance serves as an important reminder for JVs to review and strengthen their cyber and information security practices. It sets out five key steps that JVs should take to keep their information secure throughout a project's lifetime:
- Establish Information Security Governance and Accountability: JVs should ensure that their board includes an Information Security Sponsor who is accountable for the JV's cyber and information security. JVs should also appoint a team, with clearly defined roles, to facilitate this security-minded approach.
- Assign Key Roles and Responsibilities: JV partners should identify staff to be responsible for assessing the security risks of the project and developing an appropriate security strategy. It is important that all staff have a strong awareness of, and appropriate training in, the importance of cyber and information security.
- Understand the JV-specific Information Security Risks and Requirements: Once the security governance structure is established, those appointed should assess the risks to the information the JV will hold, identify any regulatory requirements, and decide the JV's approach to risk. How sensitive is the information to be held by the JV, and in what volume? Does it include information relating to neighbouring assets? What controls will the JV need to put in place to protect this information?
- Develop and Agree an Information Security Strategy: Security controllers should develop a strategy that sets out the JV's governance and management framework, its regulatory and data classification requirements, and an information security risk management approach covering the specific information security controls to be applied, personnel security and other security considerations. This strategy will need to be signed off by the JV board, reviewed regularly and updated as necessary throughout the project. Are there any additional requirements from the customer that need to be factored into the plan? Does the JV partners' existing cyber insurance cover all data relevant to the JV, or is additional JV-specific cyber insurance required?
- Design and Implement an Information Security Management Plan: It is important to produce and implement a concrete and fully costed Information Security Management Plan, developed by qualified practitioners and overseen by the security controllers. The plan will need to address, for example:
  - the JV's information security risks
  - how to protect data
  - how to respond to any breach
  - training for staff to raise awareness of security issues
  - physical security requirements
  - the risks posed by the JV's supply chain and the controls that can be put in place to mitigate them
Agreeing a structured and documented approach to JV information security is the first line of defence against cyber-attacks and data breaches, and will:
- minimise delays, cost and complexity caused by inadequate security measures
- reduce the risk of fines and prosecution from regulatory breaches
- ensure JV partners are more aligned
- reduce the likelihood of monetary loss or reputational damage because of a cyber-attack or data breach
We would encourage you to read the NCSC's guidance in full for further practical advice on how JVs can prepare for and deal with information security attacks.
Alternatively, our cyber security, data protection, and projects and construction disputes teams would be happy to speak with you about preparing for and responding to these types of attacks.