How surveyors can prevent cybersecurity risks

Surveyors are vulnerable to a multitude of cyber risks, which are exacerbated by emerging technologies


Stuart Mangion

14 April 2019

Despite the valuable data they possess, surveyors have largely managed to steer clear of cyber criminals. However, there is increasing potential for hackers to exploit weaknesses in surveyors' systems to access the large amounts of money they hold.

Criminals are becoming more inventive, and increased scrutiny under the General Data Protection Regulation means security breaches can have devastating effects on a company. Consequently, clients are seeking reassurances on security from the outset.

Surveyors are vulnerable to a multitude of cyber risks, including identity theft, social engineering, email compromise, phishing attacks and ransomware. These are exacerbated by emerging technologies such as building information modelling (BIM), which allows data to be shared by employees at all stages. If BIM is breached, hackers could gain access to client databases, occupier details, information about security systems and other internal controls.

The current trend for short-term, multi-occupier use of space brings other risks. The transient client base, minimal contact with occupiers, the greater number of people accessing the space and increasing use of fully web-based systems increase the risk of security breaches, the theft of personal information and identity fraud.

Everyone has a duty to ensure data is protected. Regular staff training can help employees spot suspicious behaviour immediately and avoid accidentally compromising your data security by:
  • clicking on a malicious attachment or link
  • giving unauthorised access in a bid to help
  • oversharing information on social media
  • using one password for multiple accounts
  • sending confidential information to personal accounts
  • using work devices on insecure networks.

The UK's certification scheme, Cyber Essentials, can help your staff understand the basics of good practice. For added protection, companies can also employ a third-party security service provider or appoint an internal operational risk manager. The National Cyber Security Centre provides advice for small and medium-sized enterprises, where hiring or appointing a dedicated cyber risk specialist may not be feasible.

Prioritising the issue and reporting it back to the board can improve ongoing internal communication, as can ensuring staff's technological knowledge is kept current. A robust cyber security strategy also demands that the latest technology is installed on your systems. Security software can filter URLs, scan content and block any suspicious emails or links to reduce the opportunities for human error. Multi-factor authentication and end-to-end encryption can control access to your system, while virtual private networks can ensure that all internal communication remains secure. Cloud-based back-ups can also help with recovery following a ransomware attack.

From an insurance perspective, proactive companies with strong IT defences are a much lower risk. It is essential for firms to show that appropriate controls and procedures have been set up and – more importantly – communicated throughout.

Surveyors should ensure that their professional indemnity insurance coverage is broad enough to cater to their specific needs, particularly third-party liability. If necessary, there are a variety of specialist stand-alone crime and cyber policies that complement your current arrangements.

When assessing your insurance, read the small print. Hacks and outages can amount to potentially bankruptcy-level recovery costs, which can easily exceed minimal limits. There will rarely be the opportunity to negotiate a commercial settlement – will your policy's indemnity limits really be enough to protect your business? Exclusions can have a colossal effect on your finances when applied broadly; paying attention to and negotiating the wording of these exclusions can make all the difference.

Surveyors must pair robust security controls with fit-for-purpose insurance and improved internal communication so employees at all levels can help minimise the potential impact of a cyber attack.

Stuart Mangion is a partner in the professional indemnity team at JLT Specialty

Related competencies include: Client care, Data management, Ethics, Rules of Conduct and professionalism
