In the construction world, risk can come from various sources. One rapidly growing peril is the threat of a cyberattack. According to a recent survey by Forrester, more than 75% of respondents in the construction, engineering, and infrastructure industries had experienced a cyber incident within a 12-month time span.

Unfortunately, the residential construction industry is particularly vulnerable to cyberattacks because of the complex nature of projects that often involve multiple entities (e.g., subcontractors, material suppliers, architects/engineers, etc.). These firms, if compromised by an attacker, can then be used as a platform or conduit to launch attacks against the target firms’ systems and employees.

Before the recent coronavirus outbreak that motivated firms to adopt remote work options, construction companies increasingly relied on technology for communication and project delivery. This led to increased sensitive and proprietary information being handled, hosted, stored, and transmitted by these firms. This information includes, but is not limited to, the following:

• client data
• confidential project information
• intellectual property
• sensitive commercial material
• subcontractor data or financials
• employee data (e.g., Social Security numbers, banking accounts, etc.), including health data.

Does the above list look familiar?

However, even in this environment, there are still holdouts in the industry who think, “My company is not at risk for cyber. We are a medium-sized construction firm. We work in the field – what can a cyberattack do to us?”

Unfortunately, no industry — including construction — is immune from cyber risk. Furthermore, just because you might be a small, regional homebuilder doesn’t mean you are exempt from federal and state fines and/or penalties if your clients’ or employees’ data gets breached.

Still not convinced? Let me set the stage for why cyber is a risk to the construction industry.

The Call Could Be Coming From Inside the House

Not too long ago, at a CFMA luncheon in Dallas, the Director of IT for a very large Dallas-based GC described how their system was attacked by ransomware, which impacted their entire operation. The impact was so widespread that employees had to rely on Gmail to communicate with each other for several weeks. How did the ransomware get inside the company’s system?

A single employee clicked on ONE email that never should have been opened.

Cyber Crime, Inc.

In 2020, The New York Times reported that ransomware attacks had increased across all industries, partly because “…ransomware has evolved into an industry, with hundreds of gangs vying for the most lucrative victims.” In addition, some hackers have developed a business model designing malicious software and selling it to other hackers via the dark web.

Given the increase in cyberattacks and the ease of deploying them, construction companies must be prepared to guard against several cyber threats. The most common include:

• Ransomware: This is a type of malware that encrypts a company’s data and demands a ransom be paid to decrypt it. Ransomware can be particularly crippling to construction companies, as the previously mentioned general contractor found out the hard way.
• Phishing: This is another major threat that construction companies must be aware of. Phishing attacks are designed to trick employees into giving away sensitive information such as passwords or credit card numbers.

A specific type of phishing attack is known as social engineering. Specifically, these attacks often come in the form of emails where individuals often ask for funds to be sent or bills to be paid in an urgent manner. Here, the bad guys are writing their emails to mimic the style and language of the individual (e.g., CFO) they are trying to impersonate. While attempts like this are very common, you need to stop and ask yourself this:

How did they know to send this email when the CFO was out of the office?

The answer could be:

The bad guys are in your system already and have been waiting for the time to strike.

As described in the following ENR article, “…hackers play a long game and research target individuals on sites like LinkedIn to suss out corporate hierarchies and identify people likely to be approving transactions.” Then once in your system, they wait for the time to strike, such as when the CFO is away at a conference.

• Malware: This approach can be used to steal sensitive information or damage computer systems. This type of attack can be focused on just your IT system, or it could be more catastrophic in nature when it impacts everyone using the same system or software. These types of attacks are called “zero-day attacks” and are, in essence, ticking time bombs that can have macro-level impacts on a region or country.
• Insider Threats: This occurs when employees intentionally or unintentionally cause harm to their company’s computer systems, which can include stealing sensitive information or introducing malware into the system.
• Distributed Denial of Service (DDoS) Attacks: These attacks are designed to overwhelm a company’s computer systems with traffic, making it impossible for legitimate users to access the system.
• SQL Injection Attacks: This method is designed to exploit vulnerabilities in a company’s website or database. These attacks can be used to steal sensitive information or damage computer systems.

Knowing Is Half the Battle

Considering these potential attacks that your firm could experience, there are some steps you can take to improve your firm’s overall resilience:

• Train Your Employees: Educate your employees about cybersecurity best practices. This includes how to identify phishing emails, how to create strong passwords, and how to avoid downloading malware. A chain is only as strong as its weakest link, so don’t let Bob from accounting be the bad link that brings your systems to a grinding halt. NOTE: these efforts need to be regular, repeatable, trackable, and scorable, with remediation for those who fail.
• Update Your Software: Keep all software up to date with the latest security patches and updates installed automatically.
• Conduct Regular Security Assessments: Regularly assess your company’s security posture to identify vulnerabilities and areas for improvement. This can include penetration testing (also known as pen testing) of both your digital and physical environments. Just because someone is in your building with a clipboard doesn't mean they should be there.
• Partner With a Cybersecurity Firm: Consider partnering with a cybersecurity firm that specializes in protecting firms from cyber threats. These efforts would include analyzing your current system for vulnerabilities and assisting in responding to an incident should your firm suffer from an attack. These efforts can involve negotiating with the bad guys to get them to unlock your systems.
• Obtain Cyber Liability Insurance: Cyber liability insurance can help protect your company from the financial impact of a cyberattack. However, before you suffer a cyberattack, you must understand what your cyber policy will and will not cover and whether it is sufficient to cover your firm’s risk. Therefore, it is important that you consult with an experienced cyber broker with dedicated cyber resources to understand how cyber, crime and employment practices liability insurance all interact.

Hope Is Not a Plan

No matter what risk du jour dominates the headlines, it’s critical that individuals and firms still follow best practices with respect to cyber security and not let their guard down. Unfortunately, bad actors always look for ways to take advantage of firms when given the means, motive, and opportunity.

With technology only being further integrated within the construction industry, the attack surface is only getting wider. Firms must follow the adage of “plan for the worst and hope for the best” to minimize their risk from cyberattacks.