Emerging cybersecurity risk added to construction’s perfect storm

Mike Davis   |   April 12, 2022

The construction industry’s persistent labour shortage and escalating material costs have created the perfect storm, as seen in the recent shock collapses of two major Australian construction companies.

However, another emerging area of concern is cybersecurity risk in construction, as the cyber attacks to an organisation’s supply network could form the next big wave for which they remain precariously unprepared.

The recent Security Legislation Amendment bill (SLACI) passed by Parliament amends the Critical Infrastructure Protection Act 2018, in response to the growing threat of cyberattacks on Australian infrastructure assets. It mandates owners and operators across a wide range of sectors to review and implement measures for cyber risk management, preparedness, prevention and resilience.  

As an industry that relies heavily on third parties, which involves a complex web of contractual arrangements and subcontracting, this means the cybersecurity risk of each construction organisation extends to its consultants, contractors, subcontractors and suppliers.

Construction suppliers within this network have become more attractive targets for cyber criminals as the pandemic drove the adoption of technology. The supply chain, in effect, becomes a cybersecurity blind spot, with many risks not always immediately visible or easily addressable.

The most significant emerging risk in third party management

The recent Building in the Dark report from Felix investigates the far-reaching construction supply chain risk in Australia and New Zealand, and it highlights pressing insights into the looming cyber risks looming over the sector.

Managing digital risks has become the most significant emerging risk in third party management, according to Deloitte. The high number of third parties involved requires intellectual property or commercially sensitive information changing many hands. The cybersecurity risk is especially true in the context of shared project documentation management platforms. 

Despite the increased threat of a cyberattack, Felix’s report found that the sector is not adequately aware of the need to manage digital risks. 50% of participants were somewhat concerned or less about data breaches and cyberattacks.

cybersecurity concern

Levels Of Concern In Relation To Data Breaches And Cyber Attacks. Source: Building in The Dark

Even as organisations increasingly rely on their supply chains to deliver construction and infrastructure projects, they are unaware of the kind of risks that exist within these supply chains. 67% of industry professionals surveyed believed that clients or project sponsors do not understand the true cost of effectively managing third-party risk.

true cost manage third party risk

Less than half (40%) of participants were more than a bit confident that their organisation can identify all the parties in its extended supply chain.

Transferring the cyber risk

Supply chain risk beyond that associated with directly engaged third parties or the boundaries of the site is often not well understood or assessed. Research suggests that performance and compliance risks are transferred to third parties within the network not fully equipped for this responsibility,

Many organisations remain in the dark concerning the risks that lie within their own supply networks, such as failure of security or breach of privacy, including unauthorised access and interference with project tools, data and specifications.

cybersecurity construction

The issue is compounded by low levels of transparency and monitoring of third parties. In effect, many organisations are consciously operating in relative ignorance of the actions of their suppliers not directly managed on the job site and thus remaining in the dark concerning the management of multiple risks.

To comply with the new SLACI Act and manage their cyber risk profile, organisations will need to adapt their cyber attack response and recovery plans response. However, many are unaware that it is not a sufficient risk response. Organisations need to extend the management of cybersecurity risks to their supply network – the very builders, contractors and suppliers being targeted by the bad actors.  

Digital’s untapped potential to address supply chain vulnerabilities

Improved risk management of the supply chain requires greater visibility of the network. Technology advancements now enable organisations to inject greater transparency and accountability into the supply chain by enabling large volumes of information to be efficiently obtained, analysed, and monitored.

secure procurement platform

Digital solutions designed with security in mind and bolstered with advanced safeguards provide reliable, shared online spaces to identify and manage ongoing risks associated with the network.

 ISO/IEC 27001:2013 is the international standard for information security, and sets the benchmark for organisations in managing their information security by addressing people, processes and technology against standards and best practice approaches.

However, while many organisations recognise the value of going digital, over half (56%) of the research participants believed their organisations were not investing enough in digital tools. 

digital procurement investment

The impact of a cyber incident can cost up to millions, not to mention the less quantifiable impact on the organisation’s reputation. It is imperative for construction leaders to assess the evolving cybersecurity risks not just within their own organisation but across their supply chain. By ensuring they have adequate systems to drive transparency and accountability throughout their supply chains, the industry will be well-positioned to address cybersecurity as well as any other vulnerabilities across their network.


About the Building in the Dark Report:

The Building in the Dark report, co-produced with entwine, is based on a survey of over 150 individuals across both Australia and New Zealand, a selection of one-on-one participant interviews, and extensive desktop research of existing reports and industry commentary.


Originally appeared on Cybersecurity Connect

Mike Davis
Mike Davis is Co-founder and CEO of Felix. Prior to launching Felix in 2015, Mike co-founded PlantMiner in 2012 which had grown to become Australia’s largest online construction marketplace. Mike has been pivotal in the development of Felix and has a deep understanding of how technology can help organisations get control over their procurement.
Follow me:

Related Articles

Value creation
Enabling Disruption in Construction

The Australian construction industry is at a turning point as the number of projects increases while productivity decreases. Experts tout the current state of inefficiency is due to the industry’s stagnant operations being unable to manage the shortages and uncertainty in its supply chain. History shows us that this state indicates an industry ready for disruption.

Risk mitigation
ISO 9001 in Construction & Engineering: The makeup, benefits and process

International Organisation for Standardisation (ISO) is an independent, non-governmental, global organisation that develops standards to ensure the quality, safety, and efficiency of products, services, and systems.

Felix News
Year in Review 2023: A dynamic landscape for construction and mining

The year 2023 was a dynamic one for the construction and infrastructure sectors in Australia. While challenges like project cost blowouts and workforce shortages dominated headlines, there were also positive developments, including renewed investor interest and significant progress in sustainability. Let’s look back on the key themes that shaped the industry this year.

Let's stay in touch

Get the monthly dose of supply chain, procurement and technology insights with the Felix newsletter.