Cyber security and SMEs: what construction companies can learn from military intelligence


By Neil Craven, joint managing director

Cyber criminals don’t just target individuals and big corporations, so how do you close the chinks in your digital armour?

Last year, I attended an event for SMEs hosted by HSBC and like all good seminars I left with plenty of food for thought – but the talk that stuck with me was Barry Searle’s session on cyber-crime. As a security specialist and former intelligence specialist with the RAF, Barry’s insights on cyber-crime prevention are well worth taking into account.

While it may seem that the intelligence division of the RAF is a world away from the construction sector, I found that there are plenty of areas that SMEs within the construction sector can benefit from taking Barry’s lessons into account. In many instances, it may be only once a business is affected by cyber crime that they understand the sophistication of some cyber-attacks – by which time it is too late.

As an SME ourselves, and with several clients which fall into this bracket, we wanted to highlight some of the pernicious methods cyber criminals use to breach business’ defences.

Simply does it

Cyber crime may be sophisticated, but often the simplest methods of breaching a company’s defences are the most effective, precisely because they’re the easiest to overlook. I was surprised to learn from Barry that email is the most common method of cyber-attack: in fact, over 90 per cent of cyber attacks are launched by email.

Increasingly, this takes the form of fake invoices pretending to be from a trusted and known sender. In this case, it’s not that companies have been hacked – they’ve been tricked.

Fortunately the solution is equally simple, as companies should just implement a set process to verify invoices before paying them, especially where the company claims to have changed or updated its bank details. Often, a quick phone call is enough to flush out a fake. However, if businesses wish to create another level of defence, Barry recommends installing free SPF and DMARC tools, which alert you to unauthorised use of your email domain. This is something we are recommending to our clients from now on too.


The oversharing problem

Where we manage social media accounts on behalf of our clients, we take care to strike a balance between sharing the company’s personality and not oversharing to the extent that privacy or safety is compromised.

However, for companies managing their own social media accounts, there are vulnerabilities that they need to be aware of as social accounts can be exploited by cyber criminals to mount ‘spear-phishing’ exercises. That’s where cyber criminals send emails that appear to come from a known or trusted sender to tempt targeted individuals to reveal confidential information.

Barry Searle’s recommendations include reviewing social media policies to make sure that profiles don’t include details on who is responsible for authorising invoices; and using discretion on social accounts. Overall, try to make it harder for criminals to cross-reference personal social media accounts with company websites or LinkedIn profiles – for example, it might be worth business leaders using abbreviated names on Facebook or Instagram profiles.

The difficulty with data

Not all cyber crime is focused on trickery and sneak-attacks: when it comes to data, some criminals instead lock companies out of their own cloud accounts and demand payment for releasing the data.

This is a problem for companies which don’t have a robust data retrieval process agreed with their cloud providers. If companies find themselves in a protracted wrangle with cloud providers to regain access to data that a cyber criminal has locked them out of, some companies resort to paying the criminals instead.

As Barry points out, it’s all about procedure: knowing who to go to if your data is blocked or deleted, and keeping hard copies of continuity plans in case your digital access is also restricted. Above all, make sure you have a cloud contract with acceptable terms of data retrieval.

With the construction sector accounting for 20 per cent of the UK’s 1.6 million SMEs, there is plenty of food for thought for our sector – and for us as both a construction marketing agency and an SME. Your digital presence is an asset, but with cyber criminals targeting SMEs, it pays to be vigilant. We’ve reviewed our policies and tightened our procedures – hopefully this inspires you to do the same.

Harris » Cyber security and SMEs: what construction companies can learn from military intelligence