Consultants to the construction sector, AutoMutatio certify to Cyber Essentials Plus

Aug 3, 2022 | Case Study, Cyber Essentials

Founder, Mark Austin tells us a bit about how he got into the construction industry, what some of the issues are in the sector and why he set up the company, AutoMutatio.

I started my career on the shop floor as an engineer’s assistant. Over the years, I worked my way up, spending five years as an operations director, looking after large infrastructure projects such as Crossrail, street works, rail projects, and power stations and two years as Innovations Director doing things like back office transformation.

Three and a half years ago, commercial director, Ian Pegram, systems analysis, Paul Austin and I started the consultancy, AutoMutatio which means, ‘self change’ (in Latin). Our unique software helps organisations with change, so effectively, we’re a software company with a consultancy arm.

Change is the only constant in life, and it is our mission to automate the process of change, identification and management. Board directors constantly talk about people changing or step change, or climate change or scope change, but they never really talk about change in its broadest context. So our belief is that if we focus just on the change, we can pretty much understand and manage anything. If the last two years have taught us anything, it is that change can happen hourly, let alone daily.

What people aren’t talking about is often more important than what they are talking about. That’s why we set up our business to focus on it. We do a lot of listening for what’s not being said. One example might be if an organisation says that they have problems with IT security, we might use our software and put in a tag of cyber, cyber security and Cyber Essentials. Our system would mine all the organisational information and discover if anyone is actually talking about cyber security at all. This information can then help management to put together targeted action or training.

What do you see as being the main security issues for the construction industry?

Construction has been much challenged for being behind the rest of the world and there’s a couple of reasons for it. Firstly, it is a really complex sector because infrastructure interfaces with all sorts of things. Let’s take the new railway between London and Manchester and Birmingham, It is 100 miles long and you can imagine all the interface points along that journey. So, trying to manage that is quite difficult. Some of the projects are 10 years in the planning, 10-15 years in delivery and then 100 years in operation. Think about how technology moves on in that period of time.

One of the biggest challenges in the UK particularly is we have, what we call, a fragmented industry. There are lots of SMEs and micros. In continental Europe, there are probably four or five main contractors in each country, whereas, in the UK, every one of the big Tier 1 contractors has only got 2 or 3% market share. It’s also important to note that the construction industry does not have the luxury of 20 -30% margins, it runs on very thin margins.

There are three divisions in the construction sector. There’s the UK strategic infrastructure, which is usually government work, power stations, water treatment and railways. For this work, it’s very simple, if you haven’t got the badges, you do not play. Then there’s the building sector. Again, with strategic buildings, like hospitals and schools etc, the same rules apply. Below that, you’ve got industrial building which might be buildings on an industrial estate where a contractor puts up some steel and cladding and somebody else comes and fits out the building to the customers requirements.

This is the area where cyber security may be more challenging, building clients and contractors tend to be very regional and often not as sophisticated as some of the tier one property developers such as British Land.

Then there is the housing sector which is a different ball game altogether. Housing goes from the big players like Barratts, who would be taking care of security quite carefully, to builders who maybe only build two and three houses a year. As consumers, if you go and buy a house, it’s unlikely that you will ask the builder whether there is security on the doorbell.

Why did you certify to Cyber Essentials Plus?

In order to be resilient and scalable as we move forward, we made the decision to deploy our entire IT infrastructure to the cloud. One of our core values is integrity, not just for our business systems, but for the integrity of our customer’s data and why would anybody work with us if we haven’t got badges that shows that we take security seriously?

As a micro business, it’s easier to put some really good fundamentals in place sooner rather than retrospectively. What we did, was take the Cyber Essentials standard and used it as our security policy, then we enforced it technically through InTune. We also knew that Cyber Essentials Plus certification will allow us to bid for things that we wouldn’t be able to otherwise, and indeed it was an important component as we got through on the United Utilities innovation Lab programme.

Now you have been through the certification process, do you find that it allows you to advise your clients?

I’m astonished at how many people in the construction industry do not have Cyber Essentials and I am surprised at how many have never heard of it. We occasionally do dispute resolution work, which genuinely means something’s gone wrong, or is in contention. I think you’ve got those who really get it and you’ve got those who perhaps don’t.

Another interesting point is insurance cover. Your insurance really dictates what you can and cannot take on, it’s a risk game. Originally this year, our insurance was not going to include cyber cover, it was excluded. However, when we explained we had Cyber Essentials Plus, the cover was reinstated.

We are now seeing that some of our clients need help and support and we are seriously looking at becoming a Cyber Advisor through our consultancy arm.

A couple of our clients who are start-ups want to go down the direction of being digital first. We’ve helped them set up their IT securely, making sure they’re compliant but there is a gap in the market of helping people to get to that point.

Were there any areas where you had to make changes?

We worked with the Certification Body, LivTech Solutions from Hove who worked collaboratively with us to verify that we met all the Cyber Essentials Plus standards.

There was one thing and I think it was only a small thing and it was because we had just one Mac that we used for testing. With PCs, Windows Defender was automatically installed, so of course we then had one Mac machine with no antivirus protection. I think we solved that within 24 hours. It just shows that if you don’t have a formula, you miss things like that.

What advice would you give to construction businesses?

Why wouldn’t you invest a relatively small amount to make sure you can do business with people moving forward and to make sure that you’re protecting other people’s data? Just follow the guidance, that’s what it’s there for.