- Industry and government collaborate on best practice guidance helping major infrastructure projects, such as HS2 and Crossrail, improve data security.
- New advice, published by GCHQ’s National Cyber Security Centre, sets out the best approach for managing information security risks.
- Construction sector urged to follow guidance amid continued targeting by malicious actors.
Construction firms working together on major building projects such as HS2 have been offered first-of-its-kind security advice from industry and government.
Information Security Best Practice
The new Information Security Best Practice guide aims to help these firms keep sensitive data safe from attackers by offering tailored advice on how to securely handle the data they create, store, and share in joint venture projects.
The guide is a unique collaboration between experts from industry and the National Cyber Security Centre (NCSC), the Department for Business, Energy and Industrial Strategy (BEIS), and the Centre for the Protection of National Infrastructure (CPNI).
Cyber security
It includes input from firms with experience in joint ventures, including major infrastructure contracts such as HS2 and Crossrail, where information security risks are particularly relevant due to their typically large size, value, and complexity.
By following the recommended steps, businesses can improve their physical, personnel, and cyber security, making themselves less attractive targets for malicious actors as threats including ransomware continue to pose a significant problem globally.
Data security
Sarah Lyons, NCSC Deputy Director for Economy and Society Resilience, said, “Joint ventures in construction are responsible for some of the UK’s largest building projects and the data they handle must be protected to keep crucial infrastructure safe.”
“Failure to protect this information not only impacts individual businesses but can jeopardise national security, so it’s vital joint ventures secure their sites, systems, and data.”
Holistic strategy
“By following this new guidance – a first-of-its-kind collaboration between industry and government – construction firms can help put a holistic strategy in place to effectively manage their risks.”
The guidance is a collaboration between government and industry members of an NCSC-convened trust group, bringing together expertise, experience, and input from dozens of companies in the sector.
Data and digital technology
Business Minister Lord Callanan said, “Data and digital technology are key to making a more productive, competitive, and sustainable construction industry. However, this new technology presents challenges that businesses must protect themselves and their stakeholders against.”
“This new guidance, produced in partnership between industry and Government, will help construction firms keep their information safe, ensuring building projects are delivered on time and securely.”
Risk management approach
The guide sets out why information security matters for joint ventures and offers a recommended approach to take to manage the risks, including:
- Establishing information security governance and accountability within the joint venture and ensuring board-level engagement.
- Identifying staff to hold responsibility for assessing specific information security risks and developing a shared information security strategy.
- Understanding the specific risks and any regulatory requirements for the joint venture, and deciding on a shared risk appetite.
- Developing and agreeing on a shared information security strategy to manage and mitigate the risks holistically, including physical, personnel, and cyber risks.
Globally, the construction industry continues to be one of the most targeted sectors by online attackers, and businesses of all sizes are at risk.
Protection against cyberattacks
Jon Ozanne, Chief Information Officer at Balfour Beatty, said, “With cyberattacks becoming increasingly more intelligent, cyber security and protecting our own, our employees, our supply chain, and customers’ data has never been more important.”
“The introduction of the new Information Security Best Practice guide will play a key role in helping to combat the operational risks faced across the sector; raising the standard and educating those to the measures required to protect against cyber threats.”
Best practice guide
Andy Black, Chief Information Security Officer, Sir Robert McAlpine, said, “Cross-industry collaboration is important to help the construction sector level up its approach to information security.”
“We are grateful for this opportunity to share our expertise and collaborate with our peers, the NCSC, BEIS, and CPNI to develop this best practice guide for Joint Ventures.”
Cyber security guidance
The NCSC published cyber security guidance with the Chartered Institute of Building aimed at helping small and medium-sized businesses improve their resilience.
Other NCSC resources aimed at helping organisations manage cyber security risks include the Board Toolkit, which facilitates essential conversations between board members and their technical experts, and the Exercise in a Box toolkit, which helps organisations test their incident response plans in a safe environment.
