Unfortunately, many construction companies are learning the hard way that cybersecurity is not something they can ignore, and it hasn't been for some time. We've discussed in other articles how small businesses are frequent targets of cybercriminals due to their more lax security posture. In the construction industry, enterprises are targeted at a rate much higher than most executives would suspect. Some research has indicated that construction firms are the third most commonly targeted industry for cyber attacks, and a Cybertalk.org study revealed that 1 in 6 construction companies suffered a ransomware attack in 2020-2021.
The Hidden Cost of a Cyber Attack
A cyber security incident, or cyber attack, can lead to devastating consequences for construction firms of all sizes. The sad reality is that it is not just the direct financial loss of a data breach or ransomware attack that you have to worry about. The reputational damage can be immense once the incident becomes public, and this doesn't even account for the possibility of civil liability claims or regulatory fines and penalties. Given how widespread cyber attacks are, a bad actor gaining access to your computer systems can be a financial nightmare for a construction firm.
Why are construction companies such popular targets, and what vulnerabilities can cybercriminals exploit to gain access to the business and personal information contained in their networks? To put it simply, criminals are looking for a target where they will have the greatest chance of success, which generally means poor or no cybersecurity practices in place. They are also looking for a victim that holds a large quantity of personal information, or critical systems that can cripple the organization should it lose access to them. For most construction companies, cybersecurity is not viewed as a priority.
As construction firms strive to drive profitability and leverage new technology, more and more systems are connected to the internet, and significantly more information is stored in the cloud. This is a benefit when it comes to streamlining processes, sharing information, and the speed of business operations, but it can become a serious liability if cybersecurity is not taken into consideration when implementing these processes. Personally identifiable information of clients, vendors, and employees, client lists, contractor and supplier lists, and other proprietary information such as physical site security concerns and measures can all be accessed remotely.
Building Information Modeling (BIM) provides a massive upside when working on large collaborative projects, but failing to abide by recognized cybersecurity standards can leave you vulnerable to a data breach. Third-party security should be a primary focus when selecting any software application for your enterprise, and even more so when you're looking at a system that will be holding such critical information.
Ransomware attacks are one of the top two cyber attacks facing the construction industry as a whole. Bad actors utilize malware that infects computers on the network and completely locks out all users except the attackers. They then demand payment of a substantial ransom in order to release the system back to the victim organization.
Unfortunately, not only is there no guarantee that the bad actors will actually release control of the network after receipt of the ransom, but there is no telling what damage may have been done in the interim. Cybercriminals frequently take the opportunity to install back doors into the compromised network, exfiltrate personal information and sensitive data, or install other malicious software to perpetrate further cyber attacks. Recently, major growth has been seen in the ransomware-as-a-service space, which offers ready-made ransomware attacks for sale to low-tech criminals as another revenue stream for more technically advanced cybercriminals.
Phishing attacks are the second major threat vector within the construction field. Social engineering is wildly popular in the cybercrime world because it has a very low bar to entry, with little technical knowledge needed, the ability to target many organizations at once, and even the opportunity to use automation to further increase the number of organizations targeted. At heart, all social engineering scams like phishing attacks attempt to entice unsuspecting employees to click on a suspicious link, change payment processes, or take some other action that benefits the attacker.
This can be done through email, text message, or even VoIP calls, but all attacks leverage a sense of urgency and prey upon the innate desire of employees to accommodate the customers, vendors, or other staff that the bad actors are impersonating. Phishing attacks can result in malware infections, ransomware attacks, a direct data breach, or even payment interception. The possibilities are nearly endless and can be customized by the attackers to better suit their goals at the time.
That's a healthy selection of concerns that we have laid out, but what can you reasonably do to better protect yourself while at the same time continuing to function in a fast-paced and competitive industry? Cybersecurity for construction companies doesn't need to be complex to be effective.
The most effective way to thwart phishing attacks is adequate employee training. Construction firms are the single most likely target to fall for a phishing scam among small and medium-sized businesses and the second most likely among large corporations. That shows that training is sorely lacking across the industry. Frequent reminders of attack indicators, regular training blocks, and the use of practical exercises are all best practices.
Pen Testing and Vulnerability Assessments
After implementing a training program, your next objective is to ensure that cyber risk is appropriately addressed in your existing risk management program. This means that cyber risk assessments are regularly conducted both internally and on prospective vendors, and that actionable steps are provided for any deficiencies that are identified. A good cyber risk management approach recognizes that security measures can't be truly assessed without practical application. This means employing penetration testers to put the system to the test and then addressing any vulnerabilities they identify.
One of the easiest but also most effective security measures to implement is a comprehensive password policy covering both password management and password strength. Ensuring that all login credentials for secured systems are unique, passwords or passphrases are of sufficient length and integrate special characters and numerals, multi-factor authentication is enabled, and passwords are regularly changed will go a long way towards making your credentials hackproof.
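The strength and uniqueness parts of that policy can be enforced at the point where a credential is created or reviewed. The following is an added example written for this article, not code from the original post or from Venture Lynk: it checks a password against a length and character-class rule and flags the same password reused across several systems, indexing by a hash so the reuse check never stores plaintext. The minimum length, the system names, and the sample credentials are constructed assumptions; multi-factor enrollment and rotation are not something a function like this can verify and are left to the identity system.

```python
"""Password policy checks: strength rules plus reuse detection across systems.

Added example, not from the original article. Thresholds and the sample
credential records are constructed placeholders.
"""
import hashlib
import string
from collections import defaultdict

MIN_LENGTH = 14  # assumption: the firm's chosen minimum password length


def policy_failures(password: str, min_length: int = MIN_LENGTH) -> list:
    """Return the policy rules the password breaks; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no numeral")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("not mixed case")
    return failures


def find_reused(credentials: list) -> dict:
    """Map a fingerprint of each password used on more than one account to those accounts.

    Fingerprints are truncated SHA-256 digests so the index holds no plaintext;
    this is a uniqueness check at creation time, not a storage scheme.
    """
    by_fingerprint = defaultdict(list)
    for system, username, password in credentials:
        fp = hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]
        by_fingerprint[fp].append(f"{username}@{system}")
    return {fp: accounts for fp, accounts in by_fingerprint.items() if len(accounts) > 1}


def audit(credentials: list) -> dict:
    """Per-account report of strength failures, plus any reuse groups."""
    report = {
        f"{user}@{system}": policy_failures(pw) for system, user, pw in credentials
    }
    report["reused"] = sorted(sorted(accts) for accts in find_reused(credentials).values())
    return report


# Constructed sample: one short password reused on three systems, one strong unique one.
SAMPLE_CREDENTIALS = [
    ("vpn", "jdoe", "Summer2023!"),
    ("bim-portal", "jdoe", "Summer2023!"),
    ("payroll", "jdoe", "crane-Gantry-7-Rivet!"),
    ("email", "asmith", "Summer2023!"),
]


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_CREDENTIALS).items():
        print(account, "->", finding)
```

Running the audit on the sample set reports the 11-character password as too short on every account that uses it and lists those three accounts as one reuse group, while the longer passphrase passes every rule.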
When it comes to password management, giving your staff a password manager or password vault application adds a further layer of security. The stored information is encrypted, and with the integrated desktop, browser, and mobile apps that many services offer, it provides an ease of use that makes employees more likely to comply with your policies. The goal is to increase cybersecurity for construction companies without lowering productivity or making daily tasks so difficult that they become tedious.
Cyber Incident Insurance
Cyber incident insurance, or cyber insurance, provides a final layer of security that can be the difference between weathering the storm of a cyber attack or declaring bankruptcy. As the number of claims against cyber insurance has increased, premiums have gone up as well. Cyber insurance companies have also begun mandating certain security standards as a condition of issuing a policy. Shopping around for the most cost-effective policy that covers the greatest number of incidents is a must, but to keep premiums low across the board, the only way to move forward is to focus on cyber risk management as an industry.
At Venture Lynk Risk Management, our cybersecurity experts provide a wide variety of services ranging from cyber risk assessment to continuous monitoring and even complete cyber risk management programs. We also offer intellectual property risk management, vendor risk management, and more. Reach out to us today to see what we can put together to address your specific risk management needs.