Alec Ellis | January 25, 2024 | 4 min read

Building Security: Unmasking the Cyber 'Villains' in Construction!

When thinking about the industries that are most at risk for cyberattacks, most people would not put the construction industry near the top of their lists.

According to a report from the security software company NordLocker, the construction industry is at the greatest risk for ransomware attacks, which are one of the most significant cybersecurity risks. The various computer applications and technologies used in the construction industry present countless opportunities for breaches.

This article addresses some of the most common cybersecurity risks in the construction industry and offers tips on how to mitigate those risks.

 

Common Cybersecurity Risks in the Construction Industry

Cybersecurity experts are constantly discovering schemes that cybercriminals use to gain access to computer systems and online accounts. Cybercriminals are continuously adapting their tactics to stay a step ahead. This cycle is likely to continue for as long as digital technology exists. The following are some of the most common risks that construction businesses face:

1. Ransomware Attacks

Ransomware is a type of malicious software that can lock down a computer or network completely, preventing anyone from accessing it without an encryption key. The cybercriminal responsible for the attack typically demands payment — a ransom — in exchange for the key.

A ransomware attack can be financially devastating for a construction business. Every second that the lockdown continues is lost revenue. The ransomware can shut down functions like scheduling, logistics, and payroll. Savvy hackers might plan a ransomware attack to occur at a time when a construction business can least afford to cease operations.

2. Data Breaches

Many cybersecurity breaches still happen through old-fashioned hacking, in which cybercriminals exploit weaknesses in a system’s security or find a way in through brute force. Weak password security is a common way for hackers to gain access to a company’s servers. They may find ways to get in through connected “smart” devices, or a variety of other means.

Once a hacker is in a company’s system, they can have access to all information stored on the servers. This could include customers’ personally identifiable information (PII), including credit card numbers and Social Security numbers. It could also include details about ongoing or proposed projects that should not be public, such as trade secrets or other proprietary information belonging to a construction company’s clients.

The consequences of a data breach include damage to the company’s reputation and potential legal penalties. They may lose business goodwill and their clients’ trust. They may be liable for damages under state consumer protection laws if the hackers obtained significant amounts of PII. They could also face legal claims for breach of contract or mishandling of trade secrets.

3. Phishing Scams

In a phishing scam, a cybercriminal contacts a construction company employee through an email account that looks like it comes from a trusted source. For example, the cybercriminal might pose as an employee of a bank or credit union where the company does business. The cybercriminal exploits that trust to get the employee to give up sensitive information or grant them access to company resources.

A common phishing scam in the construction industry involves a seemingly urgent request for payment from a supplier. The email states that without immediate payment, ongoing projects may be delayed. It provides instructions for sending a wire transfer, making it seem like the employee can save the day. The entire communication is, of course, fraudulent.

 

Best Practices for Cybersecurity in the Construction Industry

The following practices can protect construction businesses from many cybersecurity risks:

1. Network Security

Limiting access to company networks and devices can prevent many attempted breaches. Measures may include: 

  • Strong password requirements.
  • Multifactor authentication.
  • Firewalls.
  • Data encryption.
  • Regular software updates and patches.
  • Wi-Fi security at construction sites.

2. Risk Management and Incident Response Plans

Written policies and plans can help construction businesses understand how best to mitigate their risks. In the event of a cyberattack, they will have a guide for how to respond.

3. Employee Training

All employees need to be aware of their responsibilities regarding cybersecurity. This includes:

  • Not using company devices for personal texts or emails.
  • Choosing strong passwords.
  • Recognizing potential phishing attacks.

4. Data Protection and Backup

A ransomware attack denies a construction business the use of its computer system. Regular system backups provide construction businesses with a “plan B” in case a ransomware attack happens. Encrypted data backups can also protect construction businesses by allowing them to store older sensitive data off-site.

5. Manage Third-Party Risks

A construction business can take every precaution and still fall victim to cybercrime if it partners with a company that does not take cybersecurity seriously. Construction businesses should review cybersecurity expectations with subcontractors and other third-party partners.

 

Planning and Preparation for Construction Cybersecurity

Cybercriminals pose substantial risks to construction businesses. The consequences of a breach could range from lost revenue to legal liability for damages.

With some planning and implementation of the above-referenced best practices, construction companies can manage their cybersecurity risks and do business with confidence.

 


 


Alec Ellis

Alec is an experienced Senior II within our assurance services department at the firm. After more than five years of working directly with governmental entities and performing Single Audits, Alec has transitioned his primary focus within the not-for-profit industry; however, he is also involved in the dealer services and construction industries. Alec has extensive knowledge working as an in-charge on small- to mid-size audit engagements, performing risk assessment and control testing for large organizations, and identifying areas susceptible to fraud and misstatement. He also provides experience in single audit compliance through performing audits of NFPs under OMB requirements, along with consulting with NFPs to ensure compliance with federal regulations and audit readiness. Among his other duties, he prepares financial statements, drafts engagement letters, and reviews staff and intern work. He continues to work on building strong relationships with his clients. Alec is currently a non-CPA associate member of the Texas Society of CPAs (TXCPA) and is actively involved in our Young Professionals group.
