With increasing speed and consistency, data breaches and financial losses due to cybersecurity incidents are occurring across companies of all types – and the construction industry is not exempt. Misappropriations, ransoms, corporate embarrassment, and weeks of administrative downtime can cripple a closely held business.
Cybersecurity is an enterprise risk management concern. And, since construction financial managers (CFMs) understand the business risks and potential impacts to an organization if a breach were to occur, they are, to some extent, responsible for their companies’ cybersecurity controls and response plans. The responsibility is in large part assembling the right team of resources and experts to ensure the company is safe. However, it is our belief that effective CFMs need some level of understanding of the cybersecurity threats, defenses, and insurance. (We acknowledge that the “level” is up for debate.)
This article will review how cybersecurity has impacted the construction industry and will work through the facets of an IT risk assessment including current threats, controls, and a response plan.
The Impact to Construction
The construction industry has not been spared from the exploits of cybercriminals. Verizon’s 2020 Data Breach Investigations Report (DBIR) identified construction as a new category in 2020. The DBIR collected data on more than 157,000 incidents and 108,000 breaches and found that organized groups are targeting the construction industry for financial gain.1
Web applications and crimeware represent 95% of all incidents in construction.2 Cybercriminals are using stolen credentials and waiting for the right opportunity to access confidential information or divert payments from contractors.
The construction industry is also in the early stages of standardizing the integration of smart devices – such as thermostats, water heaters, and power systems – that involve more access to internal and client networks. These new internet of things (IoT) devices create a larger attack surface than previously existed.
While construction has not historically faced federal cybersecurity regulations, in November 2020, the U.S. Department of Defense (DOD) initiated the Cybersecurity Maturity Model Certification (CMMC) framework that phases in certain cybersecurity requirements for DOD contractors.
Contractors that rely on revenue from the DOD will be required to implement more than 200 cybersecurity controls over a five-year implementation period. Additionally, those required to comply with this mandate will have to hire an independent third party to assess and report their level of compliance with these requirements.
Where to Start
To begin establishing a cybersecurity risk management program, start by identifying and understanding risks and then sourcing and measuring them to determine how to manage them down to an acceptable level.
Identify & Understand
A CFM trying to understand cyber risks should begin by identifying and understanding what data and information are used in the business and within its data systems. The following questions, which classify data from less to more critical, can serve as a starting point for that understanding:
- What do we deem as confidential? Do we have confidential information? Does any of this data have regulatory protection requirements? Where is this data stored? Do outside entities/business partners/vendors have this data in their systems? Examples of such system data may include:
  - Employee information – payroll and other personal and financial employee information. If that information were to be exposed, the employer has obligations under state and federal law to inform the affected personnel.
  - Construction data – owner’s plans and specifications; Davis-Bacon Act data, which includes subcontractor employee data; and other confidential or proprietary data of the owner, designer, or a supplier. You may have a contractual obligation to keep that data secure. In addition, construction plans may include security system information, which can be used for a later, more traditional attack on the physical assets of the business.
  - Valuable company data – intellectual property, trade secrets, company financial information, and other confidential company data that could be used by a competitor.
- If our systems were breached and data was changed, what would the impact be to the company?
- If our data or systems became unavailable, what would be the impact to our day-to-day operations?
- What can compromise the confidentiality of our data?
- What can cause a loss of availability?
- What can challenge the integrity of our data?
This list is a starting point, and CFMs should consider asking their IT staff or service providers to help them better understand their data and systems.