Skip to main content
Find a member Join

Cyber Security

One of the growing threats in the current trading environment is cyber security and the resilience of your digital infrastructure and information systems - ECA is here to support Members. 

"The NCSC guidance is a timely reminder of the importance of systems security in construction businesses. In this era of digitization and agile working, the construction industry welcomes the opportunity to be at the forefront of innovation in the management of cyber-related threats" - Maria Adeagbo, ECA Legal & Commercial Advisor 

Cyber Security

NCSC (GCHQ): You will no doubt be aware of the current situation in Ukraine. In light of this, the NCSC has urged organisations of all sizes to follow its guidance on steps to take when the cyber threat is heightened.

The guidance can be viewed here - Actions to take when the cyber threat is heightened. It encourages organisations of all sizes to follow actionable steps that reduce the risk of falling victim to an attack.

While the NCSC is not aware of any current specific threats to UK organisations in relation to events in and around Ukraine, there has been an historical pattern of cyber-attacks on Ukraine with international consequences.

As working practices become more automated and digitised, the threat of cyber-attacks has increased, rendering cyber security an even more important consideration for your business.

Cyber security is a method by which individuals and organisations can reduce the risk of being affected by cybercrime.

Its primary purpose is to prevent unauthorised access to personal information commonly stored online.

Cyber security is a particularly important commercial consideration given the shift towards hybrid working and business digitisation as a result of the Global Pandemic.

Cybercrime is the offence of gaining unauthorised access to or modifying data or applications within an IT system.

Common cyber-attacks include identity theft, phishing, hacking, denial of service attacks (DoS) and ransomware attacks. However, the majority of cyber-attacks are fairly basic in nature. Further information on types of cybercrime can be found on the cisco website.

Increasingly, businesses are being asked, as part of their pre-qualification, to prove their cyber-resilience in order to win work. The Common Assessment Standard establishes an industry-agreed question set based on existing PQ questionnaires (including PAS 91 and corresponding assessment standards). CAS is being adopted throughout the supply chain as a means of homogenising the pre-qualification landscape and providing contractors with a single data repository for their pre-qualification data and systems. Our prediction is that because the adoption of CAS is accelerating, CAS will inevitably feature increased scrutiny of an organisation’s cyber-resilience, systems, processes and accreditation.

The updated version of the Common Assessment Standard is due to be published on 31 March 2022.

The Government has backed an initiative called “Cyber Essentials” which is designed to help you protect your organisation against a wide range of cyber-attacks.

On 12 May 2021, the National Cyber Security Council (NCSC) published the Cyber Essentials Readiness Toolkit. This is designed to help businesses meet the Cyber Essentials requirements for certification.

In January 2022, the NCSC announced that it had updated its Cyber Essentials scheme with changes that cover the use of cloud services, home working, password management and security updates.

In February 2022, the NCSC published construction-specific guidance on issues affecting the Industry. This guidance offers tailored, practical advice for the industry on how to protect their businesses and building projects at each stage of construction, from design to handover. It explores the most common cyber threats faced by the industry including, without limitation, spear-phishing, ransomware and supply chain attacks.

The new guidance is split into two parts: the first aimed at helping business owners and managers understand why cyber security matters, the second aimed at advising staff responsible for IT equipment and services within construction companies on actions to take. The advice also outlines seven steps for boosting resilience, covering topics including creating strong passwords; backing up devices; how to avoid phishing attacks; collaborating with partners and suppliers; and preparing for and responding to incidents. Further information on these recent changes can be viewed in Frequently Asked Questions.

ECA recommends that you review NCSC’s press release on actions UK organisations can take to strengthen their cyber security resilience. These actions can be viewed in the form of the recently published guidance on the NCSC website.

Cyber Essentials is a certification that equips you with the information you need to make your business more cyber secure by identifying areas in your IT systems in which you are required to put in tighter controls.

It is a Government-backed scheme managed by the NCSC which is designed to help protect organisations of any size against a wide range of common cyber-attacks. The NSCS have published a 17-page guide on the evidence you will need to meet the requirements for Cyber Essentials certification which can be found here.

Certification can demonstrate that a business is protected against the vast majority of common cyber-attacks.

There are two levels of certification which both attract a fee, as follows:

  1. Cyber Essentials (self-assessed verification); and
  2. Cyber Essentials Plus (externally assessed verification)

The Cyber Essentials Plus certification includes the added benefit of an audit of your IT systems by a technical expert. Both assessments can be completed online on payment of the appropriate fee and involve an online self-assessment questionnaire followed by a signed declaration to confirm that all answers are true. This questionnaire is free to download here.

Whilst the certifications have a starting fee of £300 + VAT, the benefits of obtaining Cyber Essentials could have an immeasurable impact on your business, and include the following:

  • Providing reassurance to customers of your commitment to securing your IT against cyber-attack.
  • Your pledge to have cyber security measures in place could be attractive to new customers and consequently win you business.
  • Provides a clear picture of your organisation's cyber security level; and
  • Giving you access to the entire Public Sector market as some Government contracts require Cyber Essentials certification and there is an increasing requirement in general public sector procurement for cyber insurance.
  • Additional construction industry “prequalification questions” about Cyber-security (including references to Cyber Essentials) are anticipated in 2022 within the Common Assessment Standard.

More information on the assessment can be found on the Certification Body, IASME Consortium’s website here.

For more information on obtaining cyber insurance for your business, please contact ECINS here.

Cyber Essentials Readiness Toolkit

ECA recommends Members use the Cyber Essentials Readiness Toolkit before taking the Cyber Essentials self-assessment. This free-to-use service aims to test your readiness for the cybersecurity assessment by creating a personal action plan to help your business move towards the Cyber Essentials requirements. Like the Cyber Essentials certifications, it takes the form of a questionnaire. The questions are designed to help you think about Cyber Security within your organisation and prompt you to consider a different aspect of security which will protect your organisation against threats from the internet. 

A link to the questionnaire is here.

Small Businesses

  • Cyber Aware - Small businesses and sole traders can also create their own Cyber Action Plan using Cyber Aware. This free service produces a personalised list of actions that will assist you in improving your business’ cyber security and can be found here.
  • E-learning package for staff - NCSC has published a free online training package for small organisations. Organisations can use this package to provide staff with training in the following 5 key areas:
  1. Backing up your organisation's data correctly.
  2. Protecting your organisation against malware.
  3. Keeping the devices used by your employees secure.
  4. The importance of creating strong passwords; and
  5. Defending your organisation against phishing.

The package is designed to be interactive, prompting staff to answer questions, identify possible issues, and, make suggestions for how to prevent and tackle common cyber security challenges.

The online course can be accessed here.

NCSC has also published a guide for small businesses which includes actions you can take to address the 5 key areas identified available here.

Large organisations

NCSC has published guidance for larger organisations on how to defend their businesses against malware or ransomware attacks. This guidance also includes a list of urgent steps businesses can take if their systems have already been infected with malware which can be found here.

NCSC has produced detailed guidance for those responsible for large organisations’ approach to cyber security. This guidance ranges from information on how to choose secure equipment and maintain its security to managing cyber security risks, as follows:

Larger businesses may benefit from NCSC’s toolkit for Board members which can be found here. This toolkit, which can be downloaded as a pdf document, is designed to facilitate discussions between the Board and an organisation’s technical experts about cyber security.

The advent of covid-19 related scams and the increase in home - working arising from the pandemic has brought new challenges for businesses.

NCSC provides guidance which includes preparing staff for home working, spotting email scams linked to the coronavirus and, controlling access to corporate systems when working remotely – found here.

If you want to start actively applying cyber security measures today, five technical controls that you can implement immediately are as follows:

  1. Use a firewall to secure your internet connection.
  2. Choose the most secure settings for your devices and software.
  3. Control who has access to your data and services.
  4. Protect yourself from viruses and other malware; and
  5. Keep your devices and software up to date.