By Jennifer French, CPA and Antonina McAvoy, CISA, CISM, QSA, PCIP

Construction is among the most highly targeted industries for cyberattacks. A combination of construction’s advancements in technology adoption and gaps in data security have quickly escalated digital threats, both on and offsite. While storing personal data has never been much of a consideration for most contractors, threat actors know that construction lags behind most cybersecurity protocols, making it an easy (and big) target.

Cybercriminals are continually evolving and varying their attack methods to exploit new vulnerabilities. The construction industry needs to be equally proactive in its prevention, detection, and response, looking at the risks holistically and instilling a culture of cybersecurity in the boardroom, on-site and everywhere in between. Understanding what puts contractors at the most risk and how to mitigate it can go a long way in preventing costly cyberattacks.

Cybersecurity Awareness Month, which occurs every October, is the perfect time to revisit digital security and take steps to address the evolving cyber landscape.

A Changing Digital Landscape

Cybersecurity is a growing challenge, and the pandemic has amplified the need for the construction sector to have a robust cyber risk strategy. As more contractors move to the cloud and embrace a remote and/or hybrid workforce, their risk of exposure to digital threats increases. Adopting new technologies that drive digital connectivity and analytics like AI and machine learning comes with many benefits, but the added risks mean that a different approach to cybersecurity is possibly needed. Increased connectivity and collaboration also increases cyber risk.

Weak cyber controls related to virtual private networks and remote desktops provide easy access for digital criminals.

Top Cybersecurity Risk in Construction

Ransomware attacks pose the biggest threat to construction contractors because of the amount of sensitive financial and job-related data that’s stored.

With ransomware attacks, hackers gain access to the company network or server and take files offline or encrypt data so it can’t be accessed. Then, they hold the data “hostage,” demanding a ransom to release the data (which hopefully has not been tampered with). The ransom amounts can range from several thousand or hundred thousand dollars to millions.

A ransomware attack could target:

  • Employees’ personally identifiable information
  • Project plans and financial information
  • Intellectual property
  • Bid data

If your construction company’s data is held hostage by hackers, what would you do?

  • Give in and pay the hackers the ransom
  • Keep the company offline until or if the data is restored
  • Refuse to pay the ransom with the knowledge that stolen data on projects and people would be compromised

In any scenario, the company is losing money, time, and its reputation. Breaches like these could also potentially subject the contractor to litigation and fines, depending on the type of data involved, and the risk of losing current or future bids. Business interruption, when the contractor is forced to delay projects, can have significant financial consequences as well.

The extent of the risk cannot be understated.

Other areas of concern for the construction industry are fraudulent wire transfers, phishing or business email compromise, smishing (SMS text message phishing attacks), and intellectual property theft.

Cybersecurity Tips and Best Practices

October 2023 marks the 20th Cybersecurity Awareness Month – an annual campaign designed to raise awareness of cybersecurity, both at home and at work. This year, CISA (Cybersecurity and Infrastructure Security Agency) has announced a new awareness program called Secure Our World.

The Secure Our World program promotes four basic actions that everyone should take to stay safe online:

  • Use strong passwords
    It is important to use a unique, strong password for each online account. Using different, strong passwords for each account means that even if one account is compromised in a data breach or cyberattack, others will be safe from brute-force attacks. A strong password is long and complex, using a random mix of uppercase and lowercase letters, numbers, and special characters. If remembering long strings of characters seems impossible, consider using a password manager.
  • Turn on multifactor authentication
    Multifactor authentication (MFA), sometimes known as two-factor authentication, helps ensure that even if someone does learn a password, the account remains secure. There are different forms of MFA, including an extra pin number, security question, code sent via email or text, a standalone app, secure token, or biometric identifiers.
  • Recognize and report phishing or smishing
     Phishing is when hackers send an email to bait the recipient into responding, clicking on a link, or opening an attachment. Phishing attacks are how most malware spreads and how most successful cyberattacks start. They are communications – usually emails, but increasingly social media messages and posts – that look like they are from a trusted person or organization. The messages usually create a false sense of urgency to encourage recipients to click a link or open an attachment. However, doing so will either result in malware being installed on the device or a fake website that will harvest any credentials that are entered.

Smishing is a phishing cybersecurity attack carried out over SMS mobile text messaging, also known as SMS phishing. Smishing simply uses text messages instead of email. It is an increasingly popular social engineering variant of phishing, as employees have personal and/or work cell phones and are not expecting to be targeted on their phones. Victims are deceived into giving sensitive information to a disguised attacker, following emergency instructions to help an executive officer in the company, or can be assisted by malware or fraudulent websites.

Urgent Executive Need: The smishing message will claim to be the construction company’s executive officer (i.e. President, Owner, CEO, CFO, or similar) and will create an urgent need to either send money, or sensitive customer or company information immediately.

Malware: The smishing URL link tries to trick victims into downloading malware – malicious software – that installs itself on the phone. The SMS malware might look like a legitimate app, tricking users into typing in confidential information and sending this data to the cybercriminals.

Malicious website: The link in the smishing message might lead to a fake website that’s requesting sensitive personal or company information. Cybercriminals use custom-made malicious sites designed to mimic reputable ones, making it easier to steal personal or company information.

  • Update software
    Most cyberattacks are automated, so they require practically no skill to execute, are cheap and easy to run, and are indiscriminate, looking only to exploit common vulnerabilities rather than specific websites or companies. It can be frustrating to update software sometimes, but it is also necessary. When devices, apps, or software programs (especially antivirus software) notify users that updates are available, the updates should be installed as soon as possible. Updates help to repair bugs in underlying application configurations and source code to better protect online data.

Cybersecurity Strategies to Protect Construction Contractors

Across the entire organization, there are several proactive steps that contractors can take to promote cyber safety. A good place to start is by examining the current risk landscape.

Risk Assessment

A cyber breach can have a significant negative impact on an organization. A risk assessment involves looking at the security framework to identify situations that could pose a threat to the network, systems, data or cybersecurity posture. These assessments evaluate overall cyber risk, assess risk appetite and preparedness, review areas of vulnerability and risk management controls, and develop corrective action plans.

Cybersecurity Policies and Standard Operating Procedures

Use of the cloud, social media, and a mobile/hybrid workforce have exposed contractors to new and different threats. Policies and procedures to thwart cyberattacks is key. Information security policies can help ensure cybersecurity risk is minimized and that any security incidents are effectively responded to. Security policies should:

      • Protect people and information
      • Set expectations
      • Authorize security personnel to monitor, probe and investigate
      • Define consequences of violations
      • Establish a baseline stance on security
      • Minimize risk
      • Ensure compliance with regulations and legislation

Another type of cybersecurity policy relates to business continuity. Disasters of any kind, digital or not, cannot be planned. Business continuity and disaster recovery plans make sure assets are well-protected and employees have clearly defined roles even during the most disruptive circumstances. If a disaster recovery plan exists but hasn’t been reviewed lately, it’s time to revisit it and test whether its action plans still make sense.

Read more about other types of cybersecurity assessments here.

A cyber liability insurance policy is another worthwhile consideration for construction contractors. It’s like an extra layer of protection when existing general insurance policies don’t address the potential damage of a cyber-attack. Cyber insurance can cover the costs associated with data breaches; however, not all cyber insurance policies are created equal. When was the last time an independent set of eyes looked over the cyber insurance policy? Tricky sub-limits, exclusions, or required minimum security requirements (that an organization has not yet implemented) in a cyber insurance policy may be providing false security.

Cyber Culture and Employee Best Practices

Creating a culture where employees can easily recognize and report cyber threats can often be the difference between a rogue email and a full-scale data breach.

According to recent statistics, more than 90 percent of data breaches are caused by human error. Computer users are often referred to as the “weakest link” in information security. An important component to mitigate this risk includes frequent security awareness training and phishing simulations. A cybersecurity consultant can conduct mock phishing campaigns to test user response, provide customized training to employees, and ensure the company is following critical cybersecurity controls.

Cybersecurity preparedness is an ongoing effort, and diligence is key. Proactively managing risk is important to protect sensitive customer information as well as financial and personal data to ensure business continuity.

For more information on cybersecurity in construction, PBMares clients can reach out to Jennifer French, Team Leader of our Construction and Real Estate practice, and Antonina McAvoy, our Cybersecurity Team Leader.