October is Cybersecurity Awareness Month. Though many businesses, and especially those in construction, may think a cyber attack will never happen to them, the numbers say otherwise. It’s true that most organizations are unprepared for a cyber attack. And the construction industry ranks third in ransomware attacks, indicating a big need for more cybersecurity awareness, training, and prevention efforts industry wide.

Why Does Cybersecurity Matter in Construction?

It would be false to assume that construction companies are immune from cyber attacks or that they don’t have anything hackers would want. On the contrary, construction companies do maintain sensitive data that hackers would love to gain access to. Consider:

  • Employee information
  • Bid or project information, like project drawings and spec sheets, purchase orders, and more
  • Contracts, including documents and special conditions
  • Planning tools, like schedules and resource management
  • Company financial data
  • System and/or software shutdown

Enduring a financial loss is one thing. However, companies could be held liable from certain contracts, especially from the federal government, if a lack of IT infrastructure or cyber negligence leads to a hack. It’s also a valid concern for construction companies to suffer from costs to bring systems back up and running, in addition to reputational damage, on top of potential financial losses. If owners can’t place their trust in the company to safeguard company and project data, future bids could be at stake. It is critical to note, especially in the Department of Defense (DoD) space, DFARS 800-171 requirements are being augmented with the Cybersecurity Maturity Model Certification (CMMC) that hold organizations accountable via a successful third party assessor audit, prior to bidding on or renewing DoD contracts.

Even if a hack doesn’t result in any tangible losses, there’s still fallout. Construction companies could be subjected to involuntary downtime while they wait for a system to be back online. How would a loss of several hours – or days – affect ongoing project timelines?

Also, think about the interconnectedness of machinery and technology. If a critical communications or tech system is down or hacked, it could affect autonomous equipment. In turn, there are potential safety hazards for anyone or anything near the affected equipment.

Biggest Cybersecurity Risks in Construction

In part because the construction industry is known to be behind the curve in data security, and due to the rise in technology solutions in recent months and years, construction companies are at a high risk for cybersecurity incidents. And with more companies moving remote, the risks of falling victim to a cyber attack are higher than ever.

Social engineering and ransomware attacks are two of the bigger concerns for construction companies.

Most cyber incidents are caused by either human error or negligence. Social engineering attacks thrive on human error.

A hacker may pose as a trusted but unknown person, like a vendor or new employee, to gain access to company credentials. Phishing, or the use of fake emails or websites, is another form of a social engineering attack. A hacker may impersonate a company leader and send a fraudulent email to request access to payroll records, for example.

This is where employee training comes in; employees need to recognize suspicious emails or requests and have a process to follow for independent verification.

Fraudulent wire transfers, a product of social engineering attacks, also present a large risk to construction companies.

Ransomware, when a hacker or hacker group gains access to a computer network or server and holds it hostage, can cause work stoppage, financial losses, and potential reputational damage. Around one in six construction firms have reported a ransomware attack in the last year.

The resulting downtime or business interruption is one thing; associated costs above and beyond a ransom include but aren’t limited to IT fees to get the system back online, legal fees, call center expenses, credit monitoring fees, regulatory reporting, and more. Plus, there is the potential for stolen data and intellectual property.

Cybersecurity Prevention Strategies

The best defense is a good offense. This is true in sports and in cybersecurity.

Two of the simpler yet highly effective tools that reduce cyber attacks are stronger passwords and multi-factor authentication (MFA). Avoid using predictable, short passwords in favor of long, complex passwords that have a mix of upper- and lower-case letters, numbers, and symbols. MFA, which requires a two-part verification system, can be installed to protect access to company files and/or software. Many cyber insurance providers are not providing coverage if a company does not have MFA in place, which is a good indicator of risk level and importance of this internal control to your organization’s risk mitigation strategy.

Another simple risk mitigation tactic is to back up data regularly – daily is ideal. However, it is not enough to backup, your company must ensure backup restores are tested and that periodic tabletop exercises are performed for disaster recovery and incident response to ensure your employees are prepared when the next bad actor strikes. Patch and update software and other applications regularly as well.

Employee Training

is also important to create a culture of awareness and accountability. Ensure the whole team is familiar with the different types of online fraud schemes and how to recognize them. Run phishing attack simulations frequently to test employee readiness.

Beyond that, construction companies may want to consider cyber insurance. This type of policy would protect the firm if it gets hacked and suffers a financial loss. Many construction companies mistakenly believe they are already covered by their existing insurance policy, but either haven’t read the terms or don’t have the proper security measures in place for the policy to kick in if there is a loss.

Also, look at how contracts can help to protect the company. When engaging third-party vendors or subcontractors, ensure that they either have substantive risk mitigation controls in place to protect a hack from reaching the company, or that the company is named as an additional insured on the third-party’s cyber insurance policy. A study over recent cybersecurity-related security incidents and data breaches showed that nearly 60 percent of data breaches are caused by a third-party vendor, further underscoring the need for better contracts and a vendor risk management program.

A more comprehensive cybersecurity prevention plan would involve a risk assessment. A risk assessment covers existing cyber controls and data privacy practices as well as gaps in controls. Part of this process should entail setting cybersecurity goals and IT standards specific to the company. Examples of a cybersecurity program can be found in the National Institute of Standards and Technology (NIST) Cybersecurity Framework Version 1.1.

Construction companies do have help to implement cybersecurity programs. Building a culture of cybersecurity awareness and prevention starts with finding an experienced team of advisors. Financial, IT, and legal counsel can best advise companies on the data security controls needed to protect the organization. In some cases, an advisor may be able to tap into related expertise – for example, PBMares’ Construction and Real Estate Team works closely with our Cybersecurity and Control Risk practice.

Protect Your Company

For more insights on cybersecurity prevention, register to attend our live webinar, “What Can You Do to Prepare for the Next Cyber Attack?”, on October 13, 2021.