M&E consultancy Building Services Design (BSD) has recently achieved a Cyber Essentials Plus accreditation – recognising its commitment to cyber security and data protection. Associate director, Jo Jones, and IT consultant, Paul Brinkworth, of New Vision Computing, discuss how this accreditation has helped the business, why others should follow suit and what’s next for construction firms in terms of preparing for General Data Protection Regulation (GDPR) changes.
The protection of data has always been of paramount importance, but with cyber attacks posing an ever-present threat the government has, rightly, put measures in place to ensure that businesses are encouraged to comply with the highest standards of cyber security.
Cyber Essentials Plus is a government certified scheme which is independently assessed. It looks at networks security, firewalls and malware and virus protection software, whether appropriate software is up-to-date, and user access.
It’s a security standard that has been brought in by the government with the aim of becoming the first achievable and valuable security standard for businesses.
There were other options previously available, but accreditations such as ISO:27001 can be overly expensive and often prohibitively restrictive. It’s not something that the average business can afford or maintain and, with more than 100 workstations across BSD’s seven UK offices, we needed something that would also have staff buy in – something they would understand, commit to and get on board with.
BSD celebrated its 25th anniversary last year and technological advancements have been the biggest change in the industry over this time – nothing else has had as much impact.
As a team of almost 80 experienced M&E engineers we’ve got considerable experience in the public sector and have worked on a number of high-profile schemes across the UK – including work with the Ministry of Defence (MoD) and a wide range of education projects.
Public sector frameworks place great importance on this high level of security and it’s now becoming more common to see a Cyber Essentials accreditation being listed as a requirement on government gateway projects.
The necessity to maintain high levels of cyber security is now being instilled as part company culture, with employees also needing to actively participate in adhering to the criteria.
In reality, we were already doing much of what Cyber Essentials Plus requires. Employees are now, however, being reminded regularly of what’s required of them. All machines now have to be locked when not in use – we want to avoid instances of machines ever being unattended and information being open to being accessed in the public domain.
We have changed how we used our VPN sign-off procedure. Fewer people now have full access and those that do have to go through a more rigorous sign in and sign-off system.
Our password policy has also now been confirmed, so they all expire after 90 days. Staff have been really receptive and cooperative – they see the benefits and obviously want to do the best for their clients.
That’s not to say we didn’t encounter any challenges in achieving the accreditation. For example, versions of software specific to our industry are only supported for a limited time but BIM standards often restrict us to older versions, especially for archived projects. In order to continue working on these projects, we’ve had to remove certain machines from our network and run them in an “air gapped” environment to ensure security.
The accreditation is just another step of data protection and storage for the engineering and construction industry that must continue to evolve to meet the requirements of our rapidly advancing industry. Seeing the Cyber Essentials Plus badge on our documentation has gone down well with our customers and it’s the first step we’re making in preparing for General Data Protection Regulation (GDPR).
We’re now talking to various specialists on GDPR, establishing how we can best we can secure customer data and through what methods we’re able to use it. A project handover date is obviously not always the end of the story and all of our work has a guarantee of 12 years so data is stored for at least this amount of time. This is obviously unique to our industry so it’s something we’re having to consider.
The first step in achieving Cyber Essentials Plus is to look at the requirements and get in touch with an IT support firm that understands it. They will then look at your network and firewalls and work with you to achieve this accreditation and improve both your security and, just as importantly, let others know how seriously you take this commitment.
We were also keen to look at what comes next – not just settling with achieving this accreditation and resting on our laurels. The landscape is constantly changing so we’re now being assessed every year to ensure we’re keeping up.
Construction firms need to take cyber security seriously – and already many are without even knowing it, going for accreditations such as Cyber Essentials Plus will go a long way to proving to clients that you are a trusted and secure business with which to work.