Construction firms urged to be aware of cyber risk heading into 2024

Cyber risk experts Stuart Davey and Laura Gillespie of Pinsent Masons were commenting on the high level of cyber risk faced by the UK’s infrastructure sector, following the UK parliament’s recent inquiry into cyber resilience of the UK’s critical national infrastructure. The inquiry comes shortly after reports showing that the UK was the third most attacked country in the world, after the US and Ukraine, and in a year where the National Cyber Security Centre (NCSC) warned that Russian-aligned groups were intent on disrupting or destroying infrastructure in the UK.

“To respond to such cyber risk, the UK and EU are tightening cyber security regulatory requirements and obligations on operators, and their supply chain.  Cyber risk is a real and present danger for all in the sector, not just those involved in critical national infrastructure,” said Davey.

The NCSC and the Chartered Institute of Building (CIOB), for example, have partnered to produce practical guidance to support businesses (20-page / 438KB PDF), including SMEs, working in construction.

Ransomware payment risks present a particular challenge in cyber security, according to Gillespie, and businesses should consider carefully how to respond to a ransom in the event of an attack.

In the UK, the NCSC does not recommend payment of ransoms, but making a payment can be legally possible subject to strict processes – and sometimes the business disruption means the highly unpalatable is contemplated.  Some countries, such as the Netherlands and Australia, have indicated that they are considering whether legislative intervention is required to make such payments unlawful. “It is therefore important to understand ransomware payment risks, if that option is being considered” Gillespie said.

Businesses working in construction are also urged to pay increasing attention to how artificial intelligence interacts with cyber security in the coming year. Drafting of contracts and specifications are, in certain cases, struggling to keep up – particularly in relation to the transition from the construction to operation of built assets incorporating complex systems. Last month, the UK led on the production of first of their kind guidelines to help developers of any systems that use AI make informed cyber security decisions at every stage of the development process – whether those systems have been created from scratch or built on top of tools and service provided by others.

“Cyber is a fast-moving risk area. As more organisations continue to explore how AI can help their businesses, cyber security risks will continue to remain a key consideration, as it should be in the implementation of any new technology,” said Davey.

“2024 looks likely to be another year where AI hits the headlines, and the cyber risk associated with AI will need to be kept under close review by business functions moving to AI solutions,” he added.