Construction technology is reshaping the industry. Indeed, the news this week that hackers have tried to poison a Florida town by changing chemical levels at a water treatment plant has once again brought home how reliant our capital projects and construction industry are on technology and how deep that reliance runs.
An as yet unidentified suspect managed to get through a computer security system for the plant that serves the city of Oldsmar, Florida, on Friday, and tampered with the amount of chemicals in the water supply. This briefly increased the amount of sodium hydroxide to more than 100 times the normal amount.
There are many software and mobile apps that help manage every aspect of a construction project, but all that connectivity poses potential risks when it comes to data security. Something as simple as a malicious email that is mistakenly forwarded or outdated antivirus software could open the door for a ransomware attack or data breach – with catastrophic results.
TECHNOLOGY ENHANCES PRODUCTIVITY…
Technology has been used to great effect in Construction to increase productivity. The traditional method of design-bid-build can make construction disjointed and siloed and every construction site is different, presenting its own unique set of challenges and risks. This makes it difficult to streamline processes and increase productivity the way industries like manufacturing and retail have been able to do.
Technology can undoubtedly help; today there are software and mobile solutions to help manage every aspect of a construction project. From preconstruction to scheduling, from project management and field reporting to managing your back office, there’s a software solution out there to help streamline your processes and improve productivity. Most software solutions are cloud-based, allowing changes and updates to documents, schedules, and other management tools to be made in real time, facilitating better communication and collaboration. Mobile technology allows for real-time data collection and transmission between the jobsite and project managers in the back office. Cloud-based solutions enable on-site employees to submit timecards, expense reports, requests for information (RFIs), work records, and other verified documentation. This can save hundreds of hours per year in data entry and automatically organizes critical files—no more shuffling through files looking for old reports.
...BUT ALSO RAISES RISK
But this digital integration comes at a cost. How do you know exactly what data is being shared with whom and how it is being securely looked after?
- More and more software providers are forming strategic partnerships to allow you to seamlessly integrate your data with your other software solutions
- The increase in offsite construction improves productivity but removes the management of the data risk by a further step
- The increased reliance on AI & Machine Learning to make better decisions, increase productivity and improve jobsite safety can extend the data risk beyond manageable volumes.
- The data captured by Robots, Autonomous drones and rovers equipped with high-definition cameras and LiDAR to photograph and scan the construction site each day with pinpoint accuracy can create an attractive target for hackers, especially when compared against your BIM models, 3D drawings, construction schedule, and estimates.
How to address the Third Party Vendor Risk
With over 70% of cyber security data breaches now involving a third party supplier of some sort, third party risk management is an area that cannot be neglected.
But even here, choice of supplier is critical. You need to ensure that your third party risk management (TPRM) supplier can manage the scale and complexity of the job that you need them to do. Broadly speaking the requirement is split down into three key parts and you should ensure that your provider can reach across all of them:
External Monitoring – Open Source Intelligence monitoring of suppliers on an ongoing basis provides an efficient, standardized method to check on the level of threat that they may pose or how attractive they are to hackers. Monitoring provides a historic and ongoing classification of the overall security maturity of a supplier from the outside but cannot overcome the opacity and complexity of what is really going on inside the supplier and so only tells half of the story.
Internal Assessments –Interrogating the internal workings of a supplier, either onsite or remotely can be costly and time consuming, but is often essential if they are carrying sensitive data on your behalf. This approach captures a snapshot of a supplier at a point in time but lacks the ongoing monitoring capability of external monitoring – it is also resource intensive and expensive.
Risk remediation - A way to actually remediate the risks that a VRM programme finds is essential. This is where gaining the buy in of the rest of the business is a key consideration as imposed change is much harder than collaboration!