Cyberattacks Close to Home Get Board’s Attention
 

The construction industry was, for a time, seemingly insulated from major cyberthreats. But in recent years, the sector’s limited investment in cybersecurity has made it a prime target for attacks, elevating the management of cyber risk to a strategic board-level priority.

That shift has been playing out, in very real terms, for a large construction and engineering firm based in Australia. “Back in the day, cyber risk was something that happened to somebody else,” says the company’s CIO, who joined the firm 14 years ago and took over the IT leadership role in 2016. Bad actors were looking for financial data or credentials, not blueprints or construction schedules. “As long as we had enough endpoint protection, we were ok. We’d all pat each other on the back.” 

Then, last year, one of the company’s sister firms was breached shortly after it was sold off by their mutual parent company. Around the same time, one of the construction firm’s suppliers, a top industrial design firm, was compromised and took three weeks to get back online, delaying ongoing projects. Two of the construction firm’s key technology vendors — one providing password management and the other payroll services — were also breached.

“The narrative has completely changed,” the CIO says. For the board and the C-suite, it’s no longer a question of if, but when the company itself is attacked. The goal is cyber resilience: the ability to continue to operate and deliver as a company no matter what. “The board is definitely more involved than ever when it comes to all things cybersecurity,” says the CIO, “which is really good.” 

The company has joined the ranks of many others, across industries and geographic regions, that are sharpening their focus on cyber risk management. As highlighted in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook, business and security leaders' perceptions of cyber risk at the C-suite and board level, and fundamental business decisions such as third-party vendor contracts and supply-chain partnerships, are now being at least partly shaped by their implications for cybersecurity. In-depth interviews with 78 business and security leaders in 13 countries revealed that corporate boards, recognizing cyber risk as a leading category of business risk, are playing an ever-larger role in cybersecurity oversight. 

Cyber: A Top-Three Business Risk

Because the probability of a cyber incident is high and the potential business impact is great, cyber risk has risen rapidly in the board’s view and is now considered one of the construction firm’s top three inherent business risks. Therefore, cybersecurity is on the agenda at every board meeting.

Usually, the CIO focuses each quarterly update on the threat landscape and headway made relative to the company’s three-year strategic cybersecurity road map. In some cases, he may relay the results of cybersecurity awareness training or annual security, governance, and risk audits. “It’s an opportunity to update the board as to how we’re progressing while at the same time making it clear, as a result of having made the progress, what specific risks we’ve mitigated,” says the CIO. “It’s really a cost and value discussion.”

While the board members have no direct cybersecurity experience, they seek to maintain a general knowledge of the risk landscape and the controls in place. “I try not to involve them in too much of the technical detail,” the CIO says, “Although sometimes it does go that way because there are board members who have got just enough technical knowledge that we can go down that path.” 

There’s never enough funding to do everything a company could do from a security perspective. So, “the challenge is making sure we’re focusing on the best bang-for-the-buck areas,” the CIO says. The Australian CIO looks to the U.S. National Institute of Standards and Technology (NIST) cybersecurity framework to help guide his assessments of what makes the most sense for the business to pursue based on its risk exposures and tolerances. 

Feedback from board members about the updates has been good. The board is assured that the firm’s IT team is doing enough. Although cyber is a top-three risk from an inherent perspective, it’s fallen much further down the list of residual risks because of the mitigating controls the CIO has put in place.

As a result of the firm’s painful experience waiting weeks for its design partner to recover from its attack, the board focuses on business continuity. The company serves key sectors including energy, power, transportation and public infrastructure. “They [the board] want to be comfortable that we have the technology and practices to respond to a cyber event,” says the CIO. In other words, the board wants assurances that the company will be able to run its business in the wake of a successful cyberattack.

More Partners, More Problems

One characteristic of the industrial construction business is that the company typically forms joint ventures or other alliance agreements to deliver a project. The partners have to share systems and data, which opens up another avenue for cyber risk. 

“Although, overall, our own cyber culture is actually quite good, the companies that we partner with might not be as good,” the CIO says. That’s most apparent in cybersecurity awareness training rates. The construction company boasts more than 80% compliance with cyber awareness training, while some of its partners may have only 40% compliance. “The challenge is mandating cyber awareness training — and just the behavior of people — that we do not have direct control over,” the CIO says.

The board doesn’t get directly involved in the remediation of this risk, but it certainly expects the C-suite to address it. “They put the challenge back to management to sort it out,” says the CIO. “We don’t have to put any additional pressure on anyone to drive that home.”

Typically, when the company has notified a partner that its security posture fell below an acceptable threshold, the other company has made the effort to close that gap. But recently the company met with resistance from a large alliance partner. “They’re saying their cybersecurity is good enough, and we’re saying we want evidence within our own systems to feel comfortable that that’s the case,” says the CIO. “And if it’s not, we’ll have to lock you out of our systems.”

Reining in Third-Party Risk

A similar vulnerability on the CIO’s radar is third-party systems risk. Last year, the construction firm’s payroll provider suffered a data breach. Then in December, the provider of the construction company’s password management system was hacked.

The breaches created a gap in the company’s day-to-day operational systems, as well as concerns about whether its own data had been compromised. “These are the companies that we rely on,” the CIO says. “When the company whose sole purpose is to store your passwords is breached, who can you really rely on?”

Those incidents, in combination with the cyberattack and business interruption at the construction company’s design supplier, has led its leaders to reassess its third-party risk. “One of the things we’re introducing as we speak is a third-party assessment as part of our onboarding that gives us some comfort that they’re doing enough of the right things to protect their own systems,” says the CIO. “We’ll ask them some key questions about cybersecurity in the same way that we currently ask them about things like diversity.”

Open Book Cyber Management

One of the CIO’s most important rules for a good working relationship with the board of directors is to be upfront and honest. “They get really annoyed when management isn’t transparent. They’re willing to work with the business to resolve even massive issues as long as you don’t wait to tell them until six months later, when it’s too late.”

That’s why the CIO strives to be open and forthright with the board. “They appreciate the transparency of the messaging that I’m giving them,” the CIO says. “They don’t think I’m hiding something.” That, in combination with the company’s cybersecurity track record, internal audits, and third-party assessments, give the board a good sense of how cyber risk is being managed.

When a massive data breach is in the news, they board will ask about it. “Inevitably, the first thing they ask is whether we’re doing enough,” the CIO says. “They don’t quite know what ‘enough’ is, but that is the question. And I make it clear that we’re doing enough of what we can afford, and that’s good enough to keep us ahead of most others.” The board understands that there will always be some tradeoff between protection and business productivity. 

Based on the progression of the board’s questions and cyber knowledge over recent years, the CIO expects that they’ll want to know more and more about the specifics of protocols, practices, and tools in the future. Two years ago, cyber wasn’t even a topic of board discussion. One year ago, they starting talking about multifactor authentication. Six months ago, they began asking about incident response and follow-the-sun coverage. “They’re becoming more and more informed,” the CIO says.

Making the Case for Cyber Staff

The CIO has secured cybersecurity budget increases for five consecutive years. “Will it continue to increase? Absolutely,” the CIO says. “But are we spending enough? I’d probably say no.”

The CIO estimates he has all the tools the firm requires right now. “What we need is more people,” he says. There are no dedicated cybersecurity professionals and only recently was the CIO able to expand his head of infrastructure’s role to include cybersecurity as well. “The tools are amazing, but they are very chatty,” he says. “Sifting your way through, for example, a SIEM solution to make sense of what it’s telling you takes a lot of bandwidth.”

With the razor-thin margins of the construction industry, however, there’s not much budget to go around. Heading into the next fiscal cycle, the CIO will likely ask to add at least one more person to the team. And he suspects that, after working through his request with the input of the CFO, he will get board approval. It’s certainly not a rubber stamp. “The board wants to make sure any money we’re spending is being spent in the right place,” the CIO says. “But I can’t remember a time when I’ve put something forward that, after some scrutiny or perhaps another iteration, they didn’t approve.” 

The Bottom Line

No industry is immune from cyberattacks, especially when cyberthreats and vulnerabilities extend well beyond a company’s own technology environment. As corporate boards become more involved in cybersecurity oversight, IT and security leaders will need to provide them with insight about cyber risks internally as well as across their ecosystem of partners, suppliers, and vendors. They’ll also need to execute on a solid strategy for mitigating that range of cyber risks. Read more in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook.