On-Site Magazine

Cybersecurity in construction


Construction Software

As the industry goes digital, the need to protect against bad actors is rising.


In early 2020, a major Canadian construction firm announced it had been hit by a ransomware attack. Although the company provided reassurance that it was able to continue with business as usual, there’s no doubt that sensitive information had been compromised.

But they are not alone. In fact, they are in good company. More than 85 per cent of Canadian companies were hit by cyberattacks over a 12-month period in 2021, and companies hit by these attacks spent $600 million to recover.

With the cost and frequency of cyberattacks rising, construction companies and contractors must adopt technological solutions with the right supports in place.

Whether adopting a complete software solution or even using a drone to survey a single site, business owners and leaders will need to learn all they can about cybersecurity, including why the construction industry is being targeted, what the risks are, and how to protect against them.




Though slow to adopt technological solutions, in recent years the construction industry has become more digitally focused. Today, construction firms are using digital tools not only to send invoices and plan projects from the back office, but also on site to build walls and foundations or to survey progress in real time.

Portable devices such as mobile phones and tablets are used regularly by a variety of workers, full-time employees and contractors alike. Even personal devices may be used to connect to Wi-Fi.

Each of these changes comes with benefits. For example, it may be a smart business decision to bypass the chronic labour shortage by building a brick wall with a robotic arm. Yet the change also leaves the industry vulnerable to attack.

Employees who are not careful to protect their own personal devices may not understand how susceptible they may be to bad actors seeking to infiltrate their systems. Business owners may not have the IT support they need in-house. And supervisors and other managers who work from home regularly may be unwittingly leaving their devices vulnerable as well.

Keep in mind, savvy cybercriminals know the big construction companies are already protected, so they are also going after the small and medium-sized firms, the ones without an IT department or other support team on call. But there’s no reason to leave yourself vulnerable to attack.



Common cyberattacks include:



Ransomware is software designed to prevent a person or company from accessing their files. Cybercriminals take control of a company’s digital system and demand a ransom payment before releasing it.

While ransomware targets all types of businesses, the construction industry seems to be especially susceptible. In fact, construction firms – like Bird or France’s Bouygues Construction – accounted for nearly 10 per cent of all ransomware attacks in Canada in 2021, likely due to the rapid adoption of technology solutions and the lack of security around them.



In this attack, the criminal poses as an expert or trusted source and uses email to trick someone into sending money or sharing valuable information. The criminal can then use this information to his or her benefit, whether to gain access to banking or other financial information, or to steal money or other resources outright.

Construction is vulnerable to such attacks in part because construction firms work with so many other entities. Whether it’s subcontractors or suppliers, goods and money flow back and forth regularly, making it a challenge to spot a false claim or a scammer among all the legitimate transactions. In addition, some construction projects begin as part of a bidding process, which makes the details of a particular job public knowledge and easier to exploit.



For contractors working with multiple companies on multiple projects, security can come down to the strength of a single password. A bad actor gaining access to a system with one vendor may be able to gain access to multiple systems if they are linked.

That’s a risk in the construction industry, where subcontractors may work with a variety of general contracting firms or suppliers who together complete a single job. The subcontractor must have access to the digital project management system at the larger company, but this may create a weak link in the digital system that criminals would love to exploit. And a breach could impact any of the connected companies.



With so many traps, construction firms must be careful when they adopt a digital solution. Technology can make life easier, but only if it’s secured and used appropriately. The proliferation of technology on-site only magnifies the risk, with an increasing number of devices and users to support and protect from attack.

Construction leaders looking to adopt new technology must stay on top of security needs and best practices to protect themselves, their businesses, and other companies they do business with.

Old software and obsolete applications are some of the easiest ways for cybercriminals to gain access to your organization’s data. In many cases, an exploit is made possible through vulnerabilities that may have been overlooked in a program’s outdated code. Be sure to update software regularly and patch vulnerabilities.

Computers and hard drives, cell phones and tablets, and even printers and copy machines contain data that may be valuable to a cybercriminal. Before disposing of any equipment, be sure that the data is completely wiped so that it cannot be recovered.

Many of your employees may not understand how serious the risk is. Include cybersecurity training as part of your annual safety training and take it seriously. Teach all employees how to handle confidential information, how cybercriminals try to exploit weaknesses, and the different types of cybercrimes. Create a process for reporting suspicious activities.

Where a simple password isn’t enough, multi-factor authentication is a more advanced system that requires a user to verify his or her identity through multiple pathways. For example, in some cases a user may be required to sign in with a password as well as a system-generated code sent to a mobile device.

Adding extra layers of security makes it harder for cybercriminals to gain access to your sensitive data. Confidential information such as invoices, contracts, and other financial and legal documents all belong behind that extra security. Be sure employees have to submit multiple credentials before gaining access.

The risks are multiplying. And with human error generally understood to be the most significant concern, it’s no surprise that actively managing the risk can make a real difference. Insurers understand this too, and they are requiring construction companies to prove they’re a good risk before offering coverage. In 2023, construction professionals who understand cybersecurity, and who can demonstrate their care, will have the edge.


Jonathan Weekes is cyber leader at global insurance brokerage Hub International. He has more than 13 years of experience in commercial insurance with a focus on professional liability and cyber risk.

