BIMBeing: The Journey #34
#34 – Digital security…
Photo by Pixabay from Pexels.
As we increasingly rely on everything being digital, we must also appreciate the risks that are associated with the digital world and, most importantly, the impact of it being compromised. Recent press shows that the Bouygues Construction Group were the latest victim of a cyber-attack on their company network, and although they’re not the only one, a ransomware hit to a big Tier 1 contractor should bring this topic to the very forefront of our industry.
Currently, the entire industry is pushing digital. Companies and individuals are all at different levels of digital ‘maturity’, and some remain sceptical about digital progression, but I’m yet to hear anybody trying to go backwards – nobody is saying “let’s go back to paper”. The benefits of our continued digitisation are clear and therefore everybody is, at some level, on board with this progression. Digital tools and platforms continue to improve speed, accuracy, consistency, quality, collaboration and connectivity – just to name a few. Unfortunately, there must always be a negative. For every force or action in life there is an opposing force or reaction; in the world of all things digital those opposing forces are security, vulnerability and a lack of resilience.
Think for a few moments about the potential impact of a digital shutdown on your daily working life. Consider the real difficulties you and your company may endure as the result of a cyber-attack, with the company network being compromised affecting the following:
- No internet access
- No email access
- No phone access (most offices use VOIP)
- No messaging or communication services
- No server access to any company data
- No software licences
Basically, you’re left sitting at your desk with a PC that doesn’t really serve any purpose. What do you do now? We rely entirely on all of these digital services, once they’re taken away, we’re all totally stuck – there is no plan B, there is no resilience in our systems or processes for catastrophic failure.
There’s another issue too – data loss. If the shutdown of IT systems is the result of a malicious attack, what data has been lost? Does the company work on sensitive projects? Have company and/or employee personal details been taken? Names, addresses, bank details, passports, national insurance numbers…everything anybody needs to clone an identity and commit fraud. Unconfirmed reports circulating online state that this was the case in the Bouygues Construction attack, and of course there was a suspected ransom – €10 Million no less. I repeat that these claims are unconfirmed, but it’s not a stretch of the imagination to consider that this is the reality. So, what does the company do now? Ignore the ransom and allow an unknown type and quantity of company information to be leaked? Or pay the ransom and hope that a bunch of criminal hackers are ‘true to their word’? At this point in time, it’s a lose-lose situation.
With the company IT systems in a total shutdown, what happens next? Is anybody able to produce any work? Can construction activity continue? Will projects be forced into delay? What are the implications of those delays? It goes on, and on. The fallout from a digital security breach could be enormous – I’m certain that Bouygues Construction are still feeling that now. And still, none of us appear to have a plan B.
I’m certainly no digital security expert and therefore I do not know the answer to this question, but what do we do to mitigate these risks? Sure, all companies pay considerable sums of money to anti-virus companies for protection of their networks and all have IT teams monitoring daily activity, but this is only the preventative. A quick google shows that Bouygues Construction had invested in several supposedly ‘state of the art’ digital security systems, all of which have clearly failed. Once the preventative fails, where’s the contingency? How can a company ensure that works are unaffected, or at least less affected, by an IT shutdown?
It’s a serious question, and I do not envisage that it has a simple answer. Does anybody have any ideas? Are you/your company doing everything possible to mitigate these risks? Let us know in the comments, or email me to discuss privately.