Typical Construction Industry Cyber Breaches – And What You Should Have Already Done

January 28, 2019

Cybersecurity remains an ever-present topic of interest across all industries, as potential and successful attacks continue to plague companies of all sizes. Due to several factors, including slim budgets, resistance to change from company leaders, and a general underestimation of cybercriminals’ interest, the construction industry as a whole has been slower than average to adopt the technology, protocol, and insurance coverage that is typically associated with a robust cybersecurity initiative. Unfortunately, cybercriminals are aware of this and continue to threaten the construction landscape.

Common Data Breach Techniques
While the motivations of cybercriminals are numerous and complex, two simple goals are thematic in most construction industry cyberattacks: money and personal information. To obtain these two valuable and sensitive items, cybercriminals can employ a variety of breach techniques. High-profile cyberattacks in recent years have been driven by ransomware, a type of malware that encrypts vital systems and information. Once the data is encrypted, cybercriminals demand a “ransom” from the company in exchange for restoring access.

Phishing scams are another popular breach tool used by cybercriminals and are especially prevalent because they are carried out through email, which most employees use frequently. Phishing scams involve a phony email, often from an email address that appears safe, which includes attachments or hyperlinks that, when opened, either download malware onto the system or take the recipient to a fake website to enter sensitive information. Construction companies are vulnerable to these types of cyberattacks for a number of reasons. High turnover across the industry and the existence of multiple job sites can make uniform company cybersecurity training, as well as the establishment and enforcement of protocol, difficult. Additionally, with an increasing number of vendors entering the market, the construction industry will only become a larger blip on cybercriminals’ radar.

Damaging Impacts
Depending on the size and severity of a cyberattack, the consequences could be widespread for a construction company and its employees, customers, and suppliers. From a purely monetary standpoint, the company stands to lose money in the cyberattack itself, but also in unplanned costs to hire the necessary IT professionals to clean up afterwards. Legal fees and regulatory fines are also a possibility if the cyberattack was brought about by the company’s own failure to meet its legal and compliance obligations.

The damage does not stop there. A company’s reputation takes a major hit in the event of a cyberbreach. Negative press often ensues, and the general consensus among onlookers is that the company was not vigilant enough to protect itself.

While the company itself historically takes the direct hit from cyberbreaches, employees, vendors, and suppliers also experience the run-off effects. Malware encryption can shut down critical processes like cash disbursements, preventing payments for vendors and payroll. It can even affect internet connectivity, impeding the bid submittal process and potentially preventing future business. In cases of cybercrime where personnel information is compromised, employees are faced with numerous possible consequences that range from the annoying, such as spam emails, to the life-altering, such as identity theft. With the use of cybertechnology ever on the rise, these threats are not a matter of if, but a matter of when. Luckily, there are options available for companies in the construction industry to mitigate these threats.

How to Protect Your Company
The development of a cybersecurity policy, either in-house or through an outsourced consultant, is often the first step for companies looking to develop stronger protection against cybercrime. These policies lay out the proper actions to prevent cyberbreaches and provide protocol for when breaches have occurred. The policies should be disseminated company-wide to help ensure all employees are informed.

Taken one step further, a company could require employee training on the policies in place, what to watch out for, and what to do if they think they have been a victim of a cyber scam. This is the most effective way for companies in the construction industry to mitigate the aforementioned risks.

In addition to a cybersecurity policy and employee training, there are certain IT defenses that all companies, even those with the most basic technology, should have in place. These defenses include firewalls and web filtering to prevent employees from accessing harmful websites; advanced threat detection, which scans all email attachments and hyperlinks prior to the receipt of the email; and strong user permission controls to limit access to areas of the network to only individuals who need it.

Another, often undervalued, mitigation tool is cybercrime insurance. Insurance alone is not sufficient to protect against the threat of cybercrime, but it is an effective way to round out a robust cybersecurity plan. Like other company safeguards, the mitigation of cybercrime threats requires time and money; therefore, companies should be mindful when budgeting that appropriate funds are allocated for this purpose.

While the upsurge in technology has offered countless benefits for the construction industry, cybercrime remains a pervasive and evolving threat. Immunity is impossible, no matter how many safeguards are in place, as hackers will always find new ways to infiltrate. However, understanding the motives, risks, and consequences of cyberbreaches enables companies to take the issue seriously and address it swiftly.

For more information, contact one of our risk advisory specialists at 301.231.6200.