Leading homebuilder companies have a responsibility to help secure supply chains against cyber threats
Police and cybersecurity professionals are encouraging large homebuilder organisations to proactively invest in securing their supply chains. By fostering better collaboration, there is a valuable opportunity to collectively strengthen the industry’s defences and ensure a more secure future for all.
Working with suppliers is an essential part of any business, yet an attack on even a single supplier can compromise others in that same supply chain. Cyber threats increasingly target supply chains across all industries, including homebuilder businesses in the construction sector, and a 2023 survey [1] stated that concern is growing: 51% of survey respondents rated cyber as having a medium impact on their supply chain risk and 32% said it has a high impact. This comes as no surprise to anyone with even a basic knowledge of cyber threats, as a breach can cost a business time, money and even reputational damage.
What are the most prevalent cyber threats?
Cyber threats come in a variety of forms, according to expert Martin Wilson, Police Detective Inspector and Head of Student Services at NEBRC (North East Business Resilience Centre). The most common threats to supply chains come in the form of phishing attacks which aim to trick employees and stakeholders; and malware and ransomware attacks which infiltrate the supply chain and can spread through the organisation.
Other examples include man-in-the-middle (MitM) attacks, where cybercriminals intercept communications between the homebuilder company and its suppliers or clients; software and hardware compromise through third-party vendors; and insider threats, which often involve disgruntled employees or contractors within the supply chain who intentionally compromise security by leaking sensitive information or introducing malware.
Why is the homebuilder industry particularly vulnerable?
The homebuilder industry is particularly vulnerable to cyber threats due to several factors. The sheer size and variety of suppliers used within each project often leave homebuilder businesses exposed, creating a greater need for collaboration to better secure the industry. With the UK construction industry forecast to reach £476.6 billion in revenue by 2027 [2], huge sums of money may be left vulnerable.
A snapshot of the types of businesses in the homebuilder supply chain:
Construction; Groundworkers; Plumbers; Electricians; Bricklayers; Carpenters; Plasterers; Roofers; Painters; Decorators; Materials suppliers; Equipment suppliers; Transport; Payroll
Architects and designers; Interior designers; Home buyers; Estate agents; Landowners; Government and local councils; Accountants; Lawyers; PAs/digital PAs; Software and apps (video call software, apps for invoicing and expenses); Recruiters and apprenticeship schemes; International material suppliers (which might not follow as strict regulations as UK or EU business)
In addition to the factors previously mentioned, several other aspects make the homebuilding industry an attractive target for cyber attackers:
1. Complex Supply Chains: Homebuilding involves a vast network of suppliers, subcontractors, and service providers. Each link in the chain can be a potential entry point for cyber attackers. The complexity and interdependence of these supply chains make it challenging to ensure robust cybersecurity measures are consistently applied across all parties.
2. High-Value Targets: Large homebuilder organisations handle significant financial transactions, sensitive customer data, and proprietary designs and plans. This makes them attractive targets for cybercriminals seeking financial gain or valuable information.
3. Resource Constraints: Smaller suppliers and subcontractors often lack the resources or expertise to implement strong cybersecurity measures, making them easier targets and weak links in the overall security of the supply chain.
4. High-Volume Transactions: The homebuilding industry deals with numerous high-value financial transactions, including large payments to suppliers, subcontractors, and service providers. This makes it a lucrative target for cybercriminals seeking financial gain through fraud or theft.
5. Critical Infrastructure: Homebuilding is often part of broader critical infrastructure projects. Disruptions to these projects can have significant economic and societal impacts, making them targets for politically motivated cyber attacks.
6. Project Timelines and Deadlines: Homebuilding projects often operate on tight deadlines. Cyber attacks that disrupt schedules can cause substantial delays and financial losses. Attackers may exploit this urgency by demanding ransoms or leveraging disruptions to gain concessions.
7. Proprietary Information: The industry relies on proprietary designs, blueprints, and innovative construction techniques. Cybercriminals may target this intellectual property for theft or sabotage, seeking to gain competitive advantages or sell the information on the black market.
8. Remote Work and IoT: The increasing adoption of remote work and Internet of Things (IoT) devices in construction sites and offices introduces new vulnerabilities. Remote access tools and IoT devices can be less secure, providing additional entry points for cyber attackers.
9. Supply Chain Dependencies: Homebuilders rely heavily on a diverse array of suppliers and subcontractors. Any compromise within the supply chain can have a cascading effect, impacting the entire project. Cyber attackers can exploit weaker links in the supply chain to gain access to larger targets.
What can businesses do to better secure their supply chain?
According to the 2024 Cyber Security Breaches Survey [3], many businesses are not taking the necessary precautions. The report found that “31% of businesses and 26% of charities have undertaken cyber security risk assessments in the last year – rising to 63% of medium businesses and 72% of large businesses”. In addition, just over one in ten businesses (11%) review cyber risk for their immediate suppliers, but only 6% review the wider supply chain.
Martin Wilson, Detective Inspector and Head of Student Services at NEBRC, comments:
“You might think an attack on a smaller supplier brand is ‘not your problem’; however, any breach within your supply chain puts you at a greater risk. Investing time and resources into securing your supply chain is essential, looking deeper into not just your own business but reviewing all stakeholders too.”
Martin continues,
“Set a minimum standard of cybersecurity which you expect others in your supply chain to follow. Get it stipulated into contracts, and ensure it is maintained. Good examples include government certifications such as Cyber Essentials, which are often mandated in public sector supply chains. Don’t be afraid to ask to see copies of the relevant documentation to ensure that the security meets your standard.”
“Also, not all of your suppliers are equal. Some might have more access to your data than others, so consider taking a deeper dive into their security and maybe less scrutiny of other suppliers who only have very little access to data.”
All businesses within the home building sector, regardless of size, should be implementing their cyber security measures, both internally and within the supply chain, in order to protect against and prevent cyber attacks. For help doing so within your business, reach out to your local cyber resilience centre: https://www.nebrcentre.co.uk/. Both large and small businesses can be supported by the local business resilience centres, with smaller organisations often benefiting from larger corporations, which tend to have greater resources to pay for upgraded services.