November 9, 2020 | Written by: Maura McGowan

Cybersecurity Risk Within the Construction Industry

As the construction industry increasingly depends on technology for its day-to-day operations, it is exposed to a host of new cyber threats. Some construction firms may still believe they are immune to a compromise, but that’s extremely inaccurate. In fact, according to a Forrester survey, more than 75 percent of respondents in the construction, engineering and infrastructure industries reported they fell victim to a cyber incident within the last 12 months. Failure to address cyber threats and implement preventative measures can put construction companies’ bottom line and reputation at risk, and can potentially result in legal concerns for noncompliance.

What exactly are the potential cyber risks construction companies are facing? Cyber criminals use multiple methods to gain access to important credentials, financial information, and company data. It’s important to be aware of these attack techniques and to educate employees to identify the risks. According to Verizon’s 2020 Data Breach Investigations Report, social engineering is the leading technique cyber criminals use to target the construction industry. The goal of social engineering attacks is to convince victims to electronically wire funds or provide sensitive information that can be monetized. Typically, cyber criminals impersonate upper management executives through business email compromise (BEC) tactics.

Ransomware is also used to target construction companies. This cyberattack method is often deployed through phishing tactics that lure recipients to click on malicious links or attachments in an email. Cyber criminals then demand a ransom in exchange for restoring access to the hijacked data. According to the Coveware Ransom Market Report, the average ransom payment increased to $111,605, which is 33 percent higher than Q4 of 2019. Ransomware attacks are not only financially costly, they also result in company downtime and business interruption. The average downtime for Q1 of 2020 is 15 days per ransomware attack. Over two weeks of hindered productivity is considerable for businesses of any size. To prevent costly social engineering and ransomware attacks from infiltrating a business, each employee should understand the nature of these techniques and how to identify the dangers.

Not only are cyber-attacks costly for construction companies’ bottom line, but there is also the risk of liability to others. For instance, construction firms have access to sensitive information that hackers find valuable, including intellectual property, building blueprints, and proprietary assets of their clients. They also have access to clients’ corporate banking and financial account information, which are prime targets for cyber-attacks. Therefore, in the event of a social engineering or ransomware attack, not only is a construction company’s sensitive information at risk, but so is that of its clients. This can have damaging effects on a construction firm’s reputation, as well as potentially result in legal battles for noncompliance. In addition to prioritizing cybersecurity, it’s extremely important for construction companies to be aware of the liabilities, fines and penalties that exist in the event of an attack, all of which are difficult for a firm to recover from.

So, what can construction companies do to reduce cybersecurity risks? First and foremost, firms should evaluate their current cybersecurity practices and fully acknowledge whether their business would be able to recover from an attack and remain competitive. Businesses will need to establish policies and training to begin reducing risks immediately. Companies will also need to determine whether they have the capabilities to monitor systems for inappropriate use and potential security threats that may arise. Documented formal policies need to be written and communicated in the event of an attack or audit. Additionally, employee training is a critical aspect of successful cybersecurity practices. Ongoing practice of identifying phishing attempts can save organizations from costly cyber-attacks. While these suggestions provide a high-level start, it may be necessary to consult a cybersecurity expert to improve IT security infrastructure.

As cyber criminals continue to advance and evolve their methods of attacking, it’s of utmost importance for the construction industry to keep up. Don’t let your firm fall victim to a costly cyber-attack because you lack the proper IT security procedures and practices. If you’re looking for a trusted partner in cybersecurity to protect your company from cybersecurity breaches, reach out to Business Information Group today.