Serious about security

BSD has recently achieved a Cyber Essentials Plus accreditation – recognising its commitment to cyber security and data protection.

Associate director, Jo Jones, and IT consultant, Paul Brinkworth (of New Vision Computing ltd), discuss how this accreditation has helped the business, why others should follow suit and what’s next for construction firms in terms of preparing for General Data Protection Regulation (GDPR) changes.

“I’ve been in the engineering and construction industry for more than 10 years and a lot has changed during this time,” said Jo.

“The protection of data has always, of course, been of paramount importance but with cyber attacks posing an ever-present threat the government has, rightly, put measures in place to ensure that businesses are encouraged to comply with the highest standards of cyber security.”

Cyber Essentials Plus is a government-certified scheme which is independently assessed. It looks at: network security; firewalls and malware and virus protection software; whether appropriate software is up to date; and user access.

Paul said: “In summary, it’s a security standard that’s been brought in by the government – through Government Communications Headquarters (GCHQ) – which has been designed to be the first achievable and valuable security standard for businesses.

“There were other options previously available but accreditations such as ISO:27001 can be overly expensive and often prohibitively restrictive. It’s not something that the average business can afford or maintain and, with more than 100 workstations across BSD’s seven UK offices, we needed something that would also have staff buy-in – something they would understand, commit to and get on board with.”

BSD celebrated its 25th anniversary last year and founder, David White, cites technological changes as being the biggest change in the industry over this time – ‘nothing else has had this much of an impact’ the managing director claims.

Jo continued: “As a team of almost 80 experienced M&E engineers we’ve got considerable experience in the public sector and have worked on a number of high profile schemes across the UK – including work with the Ministry of Defence (MoD) and a wide range of education projects. Public sector frameworks place great importance on this high level of security and it’s now becoming more common to see a Cyber Essentials accreditation being listed as a requirement on government gateway projects.”

The need to maintain high levels of cyber security is now being instilled as part of company culture, with employees also needing to actively participate in adhering to the criteria.

“In reality, we were already doing much of what Cyber Essentials Plus requires,” explained Paul.

“Employees are now, however, being reminded regularly of what’s required of them. All machines now have to be locked when not in use – we want to avoid instances of machines ever being unattended and information being open to being accessed in the public domain. We have changed how we use our VPN sign-off procedure. Fewer people now have full access and those that do have to go through a more rigorous sign-in and sign-off system.

“Our password policy has also now been confirmed, so they all expire after 90 days. Staff have been really receptive and cooperative – they see the benefits and obviously want to do the best for their clients.

“That’s not to say we didn’t encounter any challenges in achieving the accreditation with programmes such as computer-aided design (CAD) and Revit 2017 – which are specific to our industry. Versions of these design tools are only supported for a limited time but the Building Information Modelling (BIM) standards often restrict us to older versions, especially for archived projects. In order to continue working on these projects, we’ve had to remove certain machines from our network and run them in an air-gapped environment to ensure security.”

The accreditation is just another step of data protection and storage for the engineering and construction industry that must continue to evolve to meet the requirements of our rapidly advancing industry, Jo believes.

She added: “Seeing the Cyber Essentials Plus badge on our documentation has gone down well with our customers and it’s the first step we’re making in preparing for GDPR.

“We’re now talking to various specialists on GDPR regulations, establishing how best we can secure customer data and through what methods we’re able to use it. A project handover date is obviously not always the end of the story and all of our work has a guarantee of 12 years so data is stored for at least this amount of time. This is obviously unique to our industry so it’s something we’re having to consider.”

Paul would recommend Cyber Essentials Plus to any business – claiming that it really is easier than one may assume. He said: “What a lot of businesses don’t realise is that they probably have a lot of the requirements already in place and the additional effort in formalising these is really worth it. To pass independent, government assessments is really impressive and shows that we take security seriously.

“I would suggest that businesses aren’t scared of any potential IT jargon they may encounter in the process. The first step is to look at the requirements and get in touch with an IT support firm that understands it. They will then look at your network and firewalls and work with you to achieve this accreditation and improve both your security and, just as importantly, let others know how seriously you take this commitment.

“We were also keen to look at what comes next – not just settling with achieving this accreditation and resting on our laurels. The landscape is constantly changing so we’re now being assessed every year to ensure we’re keeping up.

“Construction firms need to take cyber security seriously – and already many are without even knowing it, so I would suggest going for accreditations such as Cyber Essentials Plus and proving to clients that you are a trusted and secure business with which to work.”

 

Image courtesy of: Smugglers Lair (Unsplash) @smugglerslair