LGT's Profit Sense

Cybersecurity is a major concern for almost every industry, with each industry dealing with its own unique risks. For the construction industry, cybersecurity – and the lack thereof – can affect every part of the business process. Security breaches can lead to disruptions in the supply chain, delays in project schedules, and risks to worker safety. As the industry comes to rely more and more on digital technology, it must also adapt to the risks that inevitably come with these technologies. The following offers an overview of the cybersecurity risks that many construction companies now face, as well as some tips and guidelines for preventing and responding to incidents.

What Are the Biggest Cybersecurity Risks in the Construction Business?

Not too long ago, construction companies only had to deal with security issues involving the theft of materials and equipment from worksites. While this is undoubtedly still a problem, threat actors have found something that could be far more valuable than copper pipes.

The industry is making increasing use of digital tools to deal with matters like suppliers, scheduling, job monitoring and workplace health and safety. Many, perhaps most transactions have shifted from handshakes and carbon-copy forms to the digital realm.

Many construction transactions involve multiple parties, which offers ample opportunities for hackers and other malicious actors to look for weaknesses in a system. Anyone who makes it into a system could find vast amounts of proprietary and otherwise confidential business data, not to mention personally identifiable information (PII) from customers, employees and others.

Ransomware is another growing threat that could affect construction companies. The term refers to malware that can encrypt the entire contents of a device. A threat actor may then demand a “ransom” payment in order to decrypt the device. Ransomware attacks can shut down entire networks, leading to serious delays, lost productivity and safety hazards.

Few regulations or standards exist that address the construction industry’s cybersecurity concerns. This has left many businesses unprepared for the risks and ill-equipped to respond to incidents.

How Can Construction Companies Mitigate Their Risk?

Construction businesses can take several steps to mitigate the risks of cyber-breaches and other incidents, and to respond effectively to an incident should one occur.

Be Proactive

A proactive approach to cybersecurity can help prevent cyberattacks and other security breaches before they occur.

• Encryption: Encrypting data on servers, employee workstations and other devices has become increasingly simple and affordable, while still providing significant protection against data breaches.
• Passwords: Hackers who are able to access a network will often copy every password they can find. Weak passwords are much easier to exploit, so companies should require anyone on their network to use a strong password. Microsoft recommends using at least 12 characters with a mix of numbers, symbols and uppercase and lowercase letters. Passwords should be easy to remember but difficult for others to guess.
• Two-factor authentication: Requiring users to go through another round of verification gives networks another layer of security. A user must enter their password, followed by a unique code sent to a trusted device like a smartphone. Companies might consider adding further forms of verification for particularly sensitive accounts, such as those run by system administrators and company managers.
• Data backups: A ransomware attack may leave a company unable to access necessary data, applications or systems. Regular backups of data can give a company an alternative to paying the threat actor in the hope that they actually will provide the decryption key.
• System monitoring: A third-party monitoring service can help companies identify potential risks and vulnerabilities in their systems. They can also spot cyberattacks and provide real-time information to help fight them.
• Patching: As companies identify vulnerabilities, they should move quickly to fix them. Threat actors often know about vulnerabilities in software systems before others discover them.
• Cyber-insurance: Construction companies may find it prudent to obtain insurance against cyberattacks. Insurance coverage may be available for a range of data breaches. It could also provide coverage for lawsuits, regulatory investigations and other legal proceedings.

Establish Response Teams

Construction companies should create both internal and external teams responsible for responding to cyberattacks and data breaches. An internal response team might include representatives from management, IT, HR and in-house counsel. An external team could consist of investigators, cybersecurity experts, PR professionals and outside counsel.

Create a Response Plan

Once companies have designated their response teams, they should prepare plans of action for the teams to implement. The plans should be detailed, but should also allow the teams enough flexibility to adapt to particular situations. The plans should take numerous factors into account, such as:

• Business continuity;
• Worksite safety;
• The company’s contractual obligations to customers, vendors and others;
• Its legal duties in areas like data security.

Raise Awareness Among Management and Employees

The best plans in the world will be of no use if the entire team does not know how to implement them. Construction companies should educate every employee, independent contractor and intern on their role in maintaining cybersecurity protections. Everyone, for example, should know:

• How to create strong passwords;
• How to avoid ransomware; and
• What to do — and what not to do — if they believe a cyberattack has occurred or is underway.

Have questions? We would love to help!

If you have any questions or would like additional information about anything mentioned, please comment below or email us at askus@lgt-cpa.com.