Digital technologies and communications are playing an increasingly significant role in gathering, processing, sharing and storage of data, transforming the way we work. The ability to share quality information not only enables collaborative working but can also improve the effectiveness of service provision, decision-making and problem-solving. There is also an expectation that sharing information more widely will create opportunities for innovation.
Technological advances allow us to integrate the digital with the physical, generating new information about assets and systems. Embedded computers and networks can monitor and, in some cases, control physical processes that in turn feed back into the computations themselves. This enables assets and services to respond to changing conditions and demands in real time, as well as providing vital information about asset or system condition, performance, use, capacity and resilience.
Security and sensitivity
At the same time, this technology is inherently vulnerable to people with malicious intent, as well as increasing the risk of losses from inadvertent errors or negligence.
As users of these technologies and aggregators of information from multiple sources, we should understand these risks and how to manage them: otherwise, we can jeopardise the very benefits that we seek to gain. We therefore need to be security-minded, understanding appropriate, proportionate security measures and applying them routinely to deter malicious, fraudulent or criminal activities.
Managing risk is not just about implementing good cyber security. Rather, it is about taking a layered approach that employs human, physical and cyber security.
- comprises critical national infrastructure, identified by the local or national government
- fulfils a defence, law enforcement, national security or diplomatic function
- is a commercial site involving the creation, processing, trading or storage of valuable materials, currency, pharmaceuticals, chemicals, petrochemicals or gases, or supports their production
- constitutes a landmark, nationally significant site or is regularly crowded
- is used or is planned to be used to host events of security significance.
While most people are aware of the obvious threats of terrorism, hostile actions by countries and hackers, there is a need to consider the threats of commercial espionage, organised crime, activists, lone actors and malicious insiders.
- compromise the value and longevity of assets
- cause harm, damage or distress to, or compromise, individuals, communities or personnel
- disrupt or corrupt information or systems
- cause reputational damage
- acquire personal data, intellectual property or commercially sensitive information.
Six security principles
The Engineering Council has adopted six principles of security, and these are equally applicable to surveyors and their organisations.
1. Be security-minded professionally and personally
A key part of being security-minded is to understand the relevant threats, the vulnerabilities that could be exploited, and the nature of harm that could be caused. This can help to increase our awareness of how our behaviour and actions can affect our security and that of others.
This is especially true of social media use, whether professional or social. Criminals can, for instance, make use of posts to identify and connect with people who have access to valuable and sensitive information. You should therefore be aware of what your digital footprint looks like, managing and monitoring it actively and remembering that others, such as your family, friends, colleagues, clubs and societies, can contribute to it if they mention you online.
You should also make sure that anything you post online doesn’t compromise the security of your organisation or client organisations. This could include posting information about systems and security-related products being used by your organisation or a client; details about your role on, or involvement with, sensitive projects; photographs or images taken on or around your organisation or a client’s organisation.
With many of us now working remotely, you should take appropriate measures to protect equipment and any sensitive information in your possession, for example: ensuring that all your devices are password-protected and encrypted; keeping software, hardware and applications up to date; locking your screen if you leave your device unattended; and keeping devices somewhere safe when not in use. You should also ensure that you know what to do if a device is lost or stolen, including how to report any incidents.
2. Use your judgement and set an example
It is important to consider the information you handle and the organisations and assets to which you have access, and assess whether any of these are sensitive. If so, you should confirm whether there are security policies and processes you are required to follow.
You should in any case adopt appropriate behaviour to limit the risk of a security breach or incident. The way you behave can encourage others to follow suit, helping to create a security-minded culture.
3. Understand and comply with legislation and codes
You need to be aware of security-related laws in any countries where you operate, not just the one in which you are physically located, as well as acting in accordance with any relevant codes of practice. If you feel there are reasonable, practicable improvements that could be made to your organisation’s policies and processes, you should raise these with appropriate staff.
4. Be security-minded about communications
If you manage staff, you should ensure that any security policies and processes in place are communicated to them clearly and effectively. You should also adopt an open reporting approach for security risks, incidents and near misses, and foster a spirit of questioning and learning from others.
You should be selective about the material you use when exhibiting at public events or locations or writing in professional or trade publications, to avoid releasing any sensitive information.
Similarly, when making submissions to planning, statutory or regulatory authorities, you should ensure any sensitive information is suitably separated and protected, removing or redacting it where possible or providing it in non-interactive formats. If sensitive information has to be supplied, a conversation with the receiving authority can allow suitable measures to be put in place to mitigate the risks.
You should also ensure that you are not breaching any security requirements of a third party such as the owner of the data or assets.
5. Understand and comply with security governance systems
You should ensure that you understand any security policies and processes that your organisation or any client has in place, and determine what measures you need to take to comply. Where there are no such policies or processes, you should still consider what appropriate and proportionate measures you should take to secure any information to which you have access.
If you manage staff, you should ensure you communicate to them, and monitor the implementation of, the security policies and processes they are required to follow. You should also help them develop their understanding of security threats, risks and vulnerabilities as this increases adoption of, and compliance with, security measures.
6. Contribute to wider awareness of security
Public and professional awareness of security relies in part on the willingness of individuals and organisations to engage in debate on security risks and benefits. This is especially true as we increasingly adopt new technologies and look to innovate further.
Being willing to challenge misrepresentations and misconceptions about security and security-mindedness, as well as sharing and promoting effective measures, plays an important role in increasing adoption of appropriate behaviours and processes.