
In a digital era where connectivity reigns supreme, the construction industry stands at the crossroads of innovation and vulnerability. Cyber threats in construction have become an increasingly pressing concern, posing risks that extend beyond project timelines. This article delves into the intricacies of these threats and explores strategies to fortify the digital foundations of construction enterprises.


Understanding the Threat 

Cyber threats find fertile ground in construction for various reasons. One major factor is the lack of comprehensive cybersecurity regulations. Unlike sectors such as finance or healthcare, construction isn't well-regulated regarding cybersecurity and privacy. According to an IBM Ponemon study, this lack of regulation means that many construction organizations are unprepared for cyber-attacks. A surprising 74% lack readiness.

The appeal of the construction sector to cybercriminals is also fueled by the large amount of sensitive data it handles. Construction firms store personal and business information, making them attractive targets. Unauthorized access to this data can lead to reputational damage, regulatory fines, and lawsuits.

Another contributing factor is the increased use of technology. While it has improved efficiency, it has also made businesses more vulnerable to cyber-attacks. The devices regularly relied on for asset tracking, machine control, and worksite security become potential entry points for malicious actors. 

Furthermore, the industry often collaborates with multiple vendors and third-party contractors. While these partnerships are essential, they also increase exposure to cyber risks. A data breach in any of these companies could result in widespread cyber losses, affecting not just one entity but all parties involved.


Common Cyber Threats in Construction 

A look at the data shows a concerning reality. The construction sector is one of the most targeted by cybercriminals, alongside transportation, wholesale trade, manufacturing, and retailers. Cyber losses in construction have been increasing since 2010, with a significant surge in 2020. Although 2021 saw a decrease, it's important to note that this may be due to delayed reporting. Cybercriminals use various tactics to target construction enterprises, with the most common types being unauthorized contact or disclosure (44%), malicious data breach (30%), ransomware (10%), phishing, spoofing, or social engineering (5%), physically lost or stolen data (4%), unintended disclosure (4%), and network disruption (3%).

These statistics highlight the diverse methods cybercriminals use to exploit vulnerabilities in the sector. While ransomware attacks currently rank as the third-most common form of cyber loss in construction, their significance is rising.


Types of Data Targeted in Construction Cyber Losses 

Cyberattacks mainly focus on personally identifiable information (PII), including names, Social Security numbers, and driver's license numbers, accounting for 60% of incidents. Personal financial information is targeted in 36% of cyberattacks, while personal health information is the focus in 4% of cases. These numbers underscore the diverse nature of data that malicious actors aim to exploit.


Real-World Impact: Notable Cyberattack Examples 

Two significant cyberattacks serve as reminders of the damage these incidents can cause. In 2019, Bird Construction fell victim to MAZE cybercriminals, who stole 60 gigabytes of data, including Social Security numbers, banking details, names, email addresses, and health information. In 2020, Bouygues Construction faced server breaches, resulting in a complete network shutdown and 200 gigabytes of data theft. The attackers demanded a $10 million ransom. These cases illustrate the substantial financial and reputational damage from cyberattacks.


Mitigating the Risk 

Proactive measures can safeguard construction businesses in response to the rising threat of cyberattacks. The following strategies are instrumental in navigating these challenges:

  • Employee Training: Educate your workforce on recognizing potential cyber threats and provide clear instructions to follow if they suspect a cyberattack.
  • Supply Chain Management: Assess the risks associated with external collaborations and consider legal contracts with contractors and third-party entities to effectively address and manage cyber risks.
  • Cyber Incident Response Planning: Develop a well-defined cyber incident response plan that includes identifying internal and external response teams, clarifying roles and responsibilities for key team members, and anticipating critical business continuity measures and workplace safety concerns.
  • Insurance Coverage: Consult a trusted professional to secure sufficient coverage for potential cyber losses, providing a safety net in a cyberattack. Cyber insurance is not just about liability but also serves as a critical first-party breach response tool. This coverage can drastically reduce the overall cost of a cyber incident by providing an immediate crisis management team. Policies may include coverage for ransomware extortion attacks, business interruption, and possibly even business income loss due to damage to the brand.

 

Industry-Specific Risks 

In the past, we've seen particular industries targeted, such as public school systems and municipalities, due to their typically underfunded and unsophisticated cybersecurity provisions. Industries that don't feel they have cyber risk often fail to prioritize their cybersecurity training and expenditure. For example, one manufacturer believed they had no exposure because they had no PII. However, employee data alone is a rich target. Additionally, any cyber-related business interruption and extra expense would not be covered by their property policy. They bought coverage and suffered a ransomware attack a week later, highlighting the importance of having a cyber policy to respond to incidents. 

Aside from employee data, accounts payable/receivable and external relationships are also key vulnerabilities. Construction companies, in particular, have an ever-growing and shifting landscape of vendors, clients, and subcontractors. Bad actors can exploit these interactions to move from one network to another and provide opportunities for invoice manipulation or purchase order scams. The more complex the landscape of relationships, the more vulnerable a company becomes. The group that breached Target's network accessed their system through one of their HVAC vendors, demonstrating how a construction company could also face liability for being the weak link that led to an attack on someone else's network. 

Another vulnerability is antiquated or unsupported technology. The NotPetya virus that inadvertently impacted companies worldwide targeted out-of-date accounting software by exploiting an unpatched Microsoft vulnerability. Construction companies might rely more heavily on older software and be less likely to have in-house IT to maintain an adequate patching cadence or stay on top of known vulnerabilities in the software industry.


Protecting Your Digital Assets 

As cyber threats rise, prioritizing cybersecurity and protecting your digital assets and industry reputation is crucial. By implementing employee training, improving supply chain management, establishing robust cyber incident response plans, and securing comprehensive insurance coverage, you can fortify your business against the growing risk of cyberattacks. In this digital age, securing your construction enterprises is not just necessary but a responsibility.


Take Action Now! 

Check how your construction company scores on cyber risks using our Cyber Scorecard. Your proactive measures today will determine your readiness for tomorrow's digital challenges. Use this link: Cyber Scorecard.

 

This article is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.
