Like many companies in the construction industry, the team at Carlisle Homes, a leading home building specialist in Victoria, has felt the pressure to keep employees mindful of new and evolving threats and to manage third-party risk. They turned to Infotrust for help in improving their overall cyber security maturity across the business and are now moving the needle in the right direction.
“Some of the biggest cyber security threats in the construction industry are related to staff competency and understanding”, explained Jeremy Bree, CIO at Carlisle Homes. Bree has spent over twenty years in the IT and cyber security space and understands the scale and complexity of today’s evolving threats. However, that’s not always the case for construction supervisors and other staff members at the company. These employees are focused on priorities within their roles, such as the quality of the houses they’re building or customer service. They will often be more focused on what an email says so they can get their job done than on double-checking the links in it. And the problem is amplified for those receiving thousands of emails a day.
Another risk factor is third parties. While many companies invest significantly in cyber security and have protections in place, that doesn’t account for the external parties that they work with. “We work with 4000 plus suppliers and trades”, disclosed Bree, “while some of these are big suppliers with robust practices in place, others are one-person subcontractors that don’t always have the necessary systems or security measures”. It’s through this third-party risk in the supply chain that companies can fall foul of others’ lack of controls. A prime example was the ransomware attack on Knauf Group, a leading plasterboard manufacturer, in June 2022. The organisation’s production was impacted for over two weeks. “While that might not seem like long, as a company with hundreds of jobs requiring their products within that time frame, it creates significant business risk,” said Bree.
Carlisle Homes’ overall aim was to improve the cyber security maturity level across the business. Additionally, they needed to find a way to help staff better understand cyber security threats and what to look for without needing them to be technical in that space. While the team were aware that they couldn’t do everything and resolve all the risks at once, they wanted to move the needle in multiple areas and controls to ensure an increased cyber security maturity rating across the board.
The starting point for this project was aligning with a framework to implement processes and procedures that were fit for purpose. Carlisle Homes decided to comply with the NIST cyber security framework because the framework is prescriptive in how it is defined and in how to adhere to it. The company already had some history of working with Infotrust and liked the level of trust offered, the knowledge of its business, and the willingness to adapt the solution to fit its specific needs. With Infotrust’s help, Carlisle Homes implemented two key solutions:
1. The Cyber Security Uplift
After an initial review and audit of their position, the first step was to implement an information security management system (ISMS) and create a standard set of policies and procedures. “We created a small subset of simple policies and procedures, rather than striving for the level of banking or healthcare”, explained Bree. The company didn’t want to create policies for the sake of it if no one would refer to them. Instead of creating an administration overhead, Infotrust helped to tailor a solution that matched the flexibility and agility of the business. It was all about building a level of common sense into everyday operations and improving the basics, getting them firmly in place.
2. The Security Awareness Platform
The next part of the solution was to help staff better understand their role in cyber security. To achieve this, Infotrust helped them to implement the MyCISO security awareness platform. Through the platform, the company has been able to create a lot of engagement. “We have screens up around the building with content that is changed regularly to raise awareness of the latest threats”, said Bree. Instead of people quickly becoming accustomed to seeing the same messages, the company can use different media and change the messaging to keep things fresh in their employees’ minds.
Improving cyber security maturity is challenging; it takes time and focused resources and doesn’t happen overnight. Carlisle Homes has a great team in place to look after the day-to-day, but with the fast-paced nature of the cyber security landscape, it can be a challenge. However, by having Infotrust help augment their team on this project, they’ve made significant headway. Now that they’ve put the ISMS in place and have fit-for-purpose policies and procedures, they’re in a much stronger position. “Infotrust has been extremely supportive”, explained Bree, “we still have regular catch-ups on where we are, what we’re doing and next steps.” Cyber security maturity is an ongoing journey, but by implementing an ISMS, aligning with a framework and building processes and procedures, Carlisle Homes is heading in the right direction.