Mitigating Cybersecurity Risks in the Construction Industry

Cybersecurity is a major concern throughout the business world, with each industry having its own unique risks. For construction companies, a lack of security can impact every part of the business process as the industry relies more on digital technology. Breaches can lead to disruptions in the supply chain, delays in project schedules and risks to worker safety. So construction companies must adapt to the risks that inevitably come with these technologies.

Here’s an overview of the cybersecurity risks many construction companies now face, as well as some guidelines for preventing and responding to incidents.


What Are the Biggest Cybersecurity Risks in the Construction Business?

Not too long ago, construction company security was relatively simple. The main issue businesses generally faced was theft of materials and equipment from worksites. While this remains a problem, threat actors have found something that could be far more valuable than copper pipes.

Construction firms are increasingly using digital tools to handle matters like suppliers, scheduling, job monitoring and workplace health and safety. Many transactions (which often involve multiple parties) have shifted from handshakes and carbon-copy forms to the digital realm.

This evolution has created ample opportunities for hackers to find weaknesses in a system. Anyone who gains access could find vast amounts of proprietary and otherwise confidential business data, not to mention personally identifiable information (PII) from customers, employees and others.

So how do hackers access your company’s system? In many cases, they engage in phishing—contacting people in your company to gain access to your system while disguised as trustworthy people or organizations. This makes a target more likely to share sensitive information or unwittingly create an entry point for bad actors.

Phishing is most often done via email made to look like a familiar company, such as Google or Microsoft. These emails might contain a link taking you to a page where you enter personal or sensitive information like passwords or account numbers.

Phishing tactics are generally applied to large swaths of potential victims. In a more targeted approach called spear phishing, a hacker’s efforts focus on a specific person. By pulling information on that person from social media, business announcements and other public sources, they create a customized email that looks truly legitimate. This makes it more likely the target will fall victim to their scheme.

Ransomware is another growing threat that could affect construction companies. The term refers to malware that can encrypt the entire contents of a device. A threat actor may then demand a ransom payment in order to decrypt the device. Ransomware attacks can shut down entire networks, leading to serious delays, lost productivity and safety hazards.

Ransomware, viruses and other malware threats are often introduced via phishing. A hacker will send an email with a supposedly important attachment, like an invoice or resume. It might seem like a normal PDF, Word document or other familiar format. But if someone opens that attachment, whatever is inside will run through your system faster than you can stop it.

An important note: Email isn’t the only channel threat actors use. They also contact targets via texts (called smishing) and even phone calls (vishing) to get information and gain access.

Few regulations or standards exist that address the construction industry’s cybersecurity concerns. This has left many businesses unprepared for the risks and ill-equipped to respond to incidents.


How Can Construction Companies Mitigate Their Risk?

Construction businesses can take several steps to mitigate the risks of cyber-breaches and other incidents, and to respond effectively to an incident should one occur.


Be Proactive

A proactive approach to cybersecurity can help prevent cyberattacks and other security breaches before they occur.

Encryption: Encrypting data on servers, employee workstations and other devices has become increasingly simple and affordable, while still providing significant protection against data breaches.

Passwords: Hackers who are able to access a network will often copy every password they can find. Weak passwords are much easier to exploit, so companies should require anyone on their network to use a strong password.

Microsoft recommends the following password guidelines for system administrators:

  • Maintain a 14-character minimum length requirement
  • Don’t require inclusion of characters, such as *&(^%$
  • Don’t require mandatory periodic password resets for user accounts
  • Ban common passwords (to keep the most vulnerable passwords out of your system)
  • Educate users to not reuse their organization passwords for non-work purposes
  • Enforce registration for multi-factor authentication
  • Enable risk-based multi-factor authentication challenges

They’ve also established password guidance for individual users:

  • Don’t use a password that’s the same or similar to one you use on other websites.
  • Don’t use a single word or commonly used phrase.
  • Make passwords hard to guess even by those who know a lot about you. Avoid using names and birthdays of friends or family, favorite bands or hobbies, etc.

Two-factor authentication: Requiring users to go through another round of verification gives networks another layer of security. A user must enter their password, followed by a unique code sent to a trusted device like a smartphone. Companies might consider adding further forms of verification for particularly sensitive accounts, such as those run by system administrators and company managers.

Data backups: A ransomware attack may leave a company unable to access necessary data, applications or systems. Regular backups of data can give a company an alternative to paying the threat actor in the hope that they actually will provide the decryption key. The data backup solution must be separated, or air gapped, from the production network to be protected from the ransomware attack.

System monitoring: A third-party monitoring service can help companies identify potential risks and vulnerabilities in their systems. They can also spot cyberattacks and provide real-time information to help fight them.

Patching: As companies identify vulnerabilities, they should move quickly to fix them. Threat actors often know about vulnerabilities in software systems before others discover them.

Cyber-insurance: Construction companies may find it prudent to obtain insurance against cyberattacks. Insurance coverage may be available for a range of data breaches. It could also provide coverage for lawsuits, regulatory investigations and other legal proceedings.


Establish Response Teams

Your company should create both internal and external teams responsible for responding to cyberattacks and data breaches. An internal response team might include representatives from management, IT, HR and in-house counsel. An external team could consist of investigators, cybersecurity experts, PR professionals and outside counsel.


Create a Response Plan

Once you’ve designated your response teams, prepare plans of action for them to implement. The plans should be detailed, but should also allow the teams enough flexibility to adapt to particular situations. The plans should take numerous factors into account:

  • Business continuity
  • Worksite safety
  • Your company’s contractual obligations to customers, vendors and others
  • Its legal duties in areas like data security


Raise Awareness Among Management and Employees

The best plans in the world are useless if the entire team doesn’t know how to implement them. Construction companies should educate every employee, independent contractor and intern on their role in maintaining cybersecurity protections. Everyone, for example, should know:

  • How to create strong passwords;
  • How to avoid ransomware; and
  • What to do — and what not to do — if they believe a cyberattack has occurred or is underway.

Educate your staff about the threats they face from hackers looking to access your system and data. Hold annual training that shows them how to recognize the hallmarks of phishing emails, texts and phone calls, and provide a quick, easy and safe way for them to report questionable communications they receive.

You can also consult with a technology services professional, especially one associated with construction CPAs. This unique combination of industry knowledge and technical expertise is the best way to address your company’s cybersecurity concerns.


All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.