Are you vulnerable to ‘social engineering’?

15 March 2018 | By Andrew Avanessian


Cybercrime is becoming more sophisticated and construction, with its unwieldy supply chain, is particularly vulnerable to the latest scam – known as ‘social engineering’. Andrew Avanessian explains.


Headlines concerning cyber attacks are becoming all too familiar, from large-scale data breaches to vicious ransomware attacks that lock down corporate data and demand payments for safe return.

The construction industry is vulnerable just like other sectors. Materials giant Saint-Gobain was one of those targeted by the “NotPetya” ransomware outbreak last year – and it is likely that others were too, but kept quiet.

There is upcoming legislation to help raise standards in cyber defences. The General Data Protection Regulation (GDPR) comes into force on 25 May, and gives the Information Commissioner's Office (ICO) much more clout when it comes to dishing out financial penalties. Companies could be fined up to 4% of their turnover, or £17.8m, whichever is higher.

Construction companies should be analysing their own security strategies. There is a strong argument that the industry is more at risk than most, given the sprawling nature of a typical construction supply chain. The number of third parties involved means that there are numerous ways that cyber criminals can access a company and its data.

Top three tips to avoid social engineering attacks:

One of the most common types of attack is “social engineering”. This involves preying on the weaknesses inherent in human nature, tricking users into divulging sensitive information without realising.

This typically takes the form of a phishing email. The Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2017 reported that a “large supplier” for the construction industry faced “significant and ongoing” cyber attacks, including “over 3,000 phishing emails a month and various ransomware attacks” – highlighting the risk to the sector. 

The content of these emails has evolved since the days of someone posing as an overseas businessman asking for money in an error-riddled email. These days they can be incredibly targeted. The amount of information we leave in our digital footprints allows attackers to craft bespoke messages that appear to be legitimate.

The email might look as if it comes from a trusted supplier or another third party, but is actually an attacker masquerading as a familiar source. They might trick you into transferring funds to a new account, or simply opening an attachment that allows them to access the wider corporate infrastructure.

These can be very difficult to defend against. Educating employees is important, but even the savviest staff could be caught out by a targeted attack. And can you really educate all your suppliers and their employees too? Defences need to be technical as well.
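As an added illustration of what one such technical defence looks like (example code written for this page, not from the article or from Avecto): a Python check that inspects an inbound email's From and Reply-To headers against a supplier allow-list and flags a display name borrowed from a known supplier, a look-alike sender domain, or replies diverted to a third domain. The supplier names, their domains and the sample message are all constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list of supplier display names and their genuine sending domains (hypothetical).
TRUSTED_SUPPLIERS = {
    "Acme Aggregates": "acme-aggregates.example",
    "Brick Co": "brickco.example",
}

def normalise(domain):
    """Fold look-alike character pairs so 'acrne' compares equal to 'acme'."""
    d = domain.lower()
    for lookalike, canonical in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(lookalike, canonical)
    return d

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 usually means a typo-squatted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(raw_email):
    """Return impersonation indicators found in the From and Reply-To headers."""
    msg = message_from_string(raw_email)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    findings = []
    for supplier, trusted in TRUSTED_SUPPLIERS.items():
        if from_domain == trusted:
            continue  # genuinely sent from the supplier's own domain
        if supplier.lower() in display_name.lower():
            findings.append(f"display name claims '{supplier}' but sender domain is '{from_domain}'")
        if normalise(from_domain) == normalise(trusted) or edit_distance(from_domain, trusted) <= 2:
            findings.append(f"sender domain '{from_domain}' is a look-alike of trusted '{trusted}'")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To diverts replies to '{reply_domain}', not the sender's domain")
    return findings

# Constructed sample: a bank-detail change request spoofing a known supplier.
SAMPLE_EMAIL = (
    'From: "Acme Aggregates Accounts" <accounts@acrne-aggregates.example>\n'
    "Reply-To: payments@freemail.example\n"
    "Subject: Updated bank details for invoice 4471\n"
)
```

Run against the sample, `assess_sender` reports all three indicators; a message genuinely sent from a listed supplier domain returns an empty list.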

These defences don’t have to be complicated (see above). Focus on the basics and you’ll be in a very strong position to defend against internal and external attacks – including those that start within the supply chain.

Andrew Avanessian is COO at Avecto
