With the introduction of tools such as daily log book apps, construction management software and on-site reporting, the rail industry is slowly catching up with the digital world.
But with a new set of technology comes a new set of challenges. The prevalent use of platforms such as WhatsApp, email and other messaging systems to share sensitive information about a project poses a cybersecurity risk that must absolutely be addressed.
A cybersecurity breach has the potential to affect, or even significantly harm, all stakeholders on a project, as well as other projects being undertaken by the same company. A cyber attack in rail infrastructure is currently classed as a level 0 threat - the highest classification there is. Network Rail has shifted to adopt cybersecurity and safety at the core of their culture, issuing a new cyber security strategy and undertaking extensive training with their staff.
So, if you want to work with the likes of Network Rail, you need to make sure your own safeguards are up to scratch.
Here are four reasons why your company might be at an increased risk, and what you can do to stop it:
1. A Mobile Workforce
One of the prevalent risks affecting rail contractors is that of location and network access. With teams working in remote locations, accessing networks and systems through their own devices, the information they are sending or receiving may not be secure. Working over public Wi-Fi exposes data to cyber eavesdroppers, who can hijack transferred data and steal private logins and passwords, among other things. Or, if a worker loses their device, it may not be properly secured, making confidential company information available to whoever happens to find it.
Extensive training and clear protocols should be in place to arm your workers against this. At a minimum, every device containing company data should be assessed, confirmed as secure for use through encryption, and require authentication by password and 2FA (two-factor authentication).
2. Data Sharing On Multiple Platforms
The transfer of data doesn’t just refer to big, confidential spreadsheets of figures or personal details that might circulate in an office. It also applies to the things you use every day to substantiate your works: photographs and video, as well as your informal text updates.
In many cases, construction workers are communicating their on-site works across a variety of platforms. They might send a quick text during the day, make a phone call, follow up with a photo over WhatsApp and send a summary email at the end of a shift. With information scattered over so many different platforms, it’s easy for crucial data to get lost. This is an administrative nightmare when it comes to payment claims, but also poses a security risk. If you can’t keep track of your private information, someone else will.
There should be a standardized, secure platform used across the entire company to communicate information. It should allow for photos, videos and railway specific information, such as access types and location coordinates.
3. Sending Data To External Companies
Any construction project requires collaboration and sharing between different stakeholders, from subcontractors and plant suppliers to the client themselves. This means that sensitive information such as financials, plans and staff details often has to be shared between companies.
There should be a set system in place for the distribution of information at every level, at every stage of the project. This should be clearly explained and documented at the start of works.
4. Personnel Changes
A reliance on subcontractors and movement between projects means that your personnel can change frequently. This makes it difficult to train staff and enforce a standard protocol for data sharing and security.
Users and their permissions should always be kept up to date on the platform you are using to store your information, so only the people who need to see it have access. A regular review of all user permissions should be conducted to keep them current and take new job roles and promotions into account.
Employee onboarding and offboarding procedures, alongside staff IT security awareness training, should be established company-wide to produce a security-friendly company culture.
It’s Not Too Late!
With Raildiary, all of your project records, reports, media and personnel details are kept in one place. Data is stored securely in the cloud in line with ISO 27001 and ISO 27017 and made available for viewing, amending and exporting only to the users with relevant permissions. It’s available securely offline using your mobile device’s built-in encryption, and we offer extensive training to ensure your workers can use it safely.
If you’re worried that your current reporting process isn’t meeting security standards, get in touch today and see how we can help.