Construction’s Cybersecurity Challenge

Contractors that fail to address cybersecurity threats expose both their brand and their bottom line. Negative press often accompanies a cybersecurity incident, causing reputational damage and unplanned costs. An incident can also depress a company's market valuation, create new legal complexities and draw fines from regulatory bodies for noncompliance. All of these outcomes become more likely when breach prevention and notification practices have not been properly managed.

Construction companies face the same threats as other industries because they rely on the same IT systems and internet connectivity for business operations. However, limited attention to security risks, combined with a common belief that they are not a target, often makes construction companies low-hanging fruit for attackers.

Consider the impact on operations if an intruder gained access to a proprietary bidding model and sold it to competitors, or stole bank account credentials to conduct fraudulent transactions. Would the company be able to recover and remain competitive?

How Attackers Gain Access to a Company's Information
Confidential information can be compromised in multiple ways. Some methods of attacking a company's systems require a high level of skill and time on the intruder's part; others require little effort and can be carried out by relatively inexperienced attackers.

Following are examples of attacks.
  • Malware: Software written with malicious intent. It is often disguised as a harmless file or link to trick a user into opening it; once running, it can steal or expose sensitive information.
  • Keyloggers: Applications that silently install after an unsuspecting user opens a malicious email attachment or web link and then record keystrokes, allowing intruders to collect passwords, credit card numbers and other confidential data as they are typed.
  • Password attacks: Attempts to obtain or guess a valid username and password, for example by trying common passwords against many accounts or reusing credentials stolen elsewhere. A working credential lets an unauthorized user walk through the front door of a "secured" system.
  • Denial of service: Attacks that flood or otherwise disrupt a company's networks or systems so that legitimate users cannot reach them.
  • Exploitation of unpatched software: A patch is an update to a computer program (e.g., Java or Adobe software) that closes vulnerabilities attackers could exploit. Applications left unpatched give attackers a known entry point into a computer and, from there, the network.
Ask the Right Questions
Thwarting cybersecurity threats is challenging, as intruders are using more sophisticated and evolving techniques to avoid detection. As such, it is imperative for a business to ask its IT staff and advisors the right questions regarding the security of critical systems and data. Following are some questions to consider.
  • Does the company depend heavily on third parties to support its IT systems or process financial transactions? 
  • Does the company have the capability to monitor for inappropriate use of the system or potential security events that might arise?
  • Does the company have a documented formal policy regarding use of corporate networks and data to limit the potential of exposure to unauthorized individuals?
  • Has access to critical systems and data been limited to appropriate individuals?
  • Have employees been trained on how to avoid exploits and how to report potential malicious activity on the network?
Answering these questions could highlight the need to consider establishing additional cybersecurity controls within an organization.
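The monitoring question above (and the password attacks listed earlier) is easier to answer with a concrete picture of what detection looks like. The following is an added example, not code from the article or from Dixon Hughes Goodman: a small Python script that scans authentication log lines for a burst of failed logins from one source address and, more importantly, flags a successful login that immediately follows such a burst, since that pattern suggests a guessed or stolen password rather than a user who mistyped. The log lines, host name, user names and addresses are constructed for the example; the five-failures-in-sixty-seconds threshold is an assumption to tune for a real environment.

```python
"""Detect password-guessing bursts in authentication logs.

Added example, not from the original article. Constructed sample data;
threshold and window are assumptions to tune for a real environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an OpenSSH-style syslog format (not real data).
# Five rapid failures from 203.0.113.45 are followed by a success for jsmith.
# 192.0.2.10 shows one failure and a success half an hour later (benign typo).
SAMPLE_LOG = """\
Mar 10 08:00:01 fileserver sshd[4101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 08:00:03 fileserver sshd[4102]: Failed password for invalid user estimator from 203.0.113.45 port 51023 ssh2
Mar 10 08:00:04 fileserver sshd[4103]: Failed password for jsmith from 203.0.113.45 port 51024 ssh2
Mar 10 08:00:06 fileserver sshd[4104]: Failed password for jsmith from 203.0.113.45 port 51025 ssh2
Mar 10 08:00:07 fileserver sshd[4105]: Failed password for jsmith from 203.0.113.45 port 51026 ssh2
Mar 10 08:00:09 fileserver sshd[4106]: Accepted password for jsmith from 203.0.113.45 port 51027 ssh2
Mar 10 08:15:00 fileserver sshd[4201]: Failed password for rwhite from 192.0.2.10 port 40001 ssh2
Mar 10 08:45:00 fileserver sshd[4202]: Accepted password for rwhite from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port"
)

THRESHOLD = 5                    # failures per source (assumed tuning value)
WINDOW = timedelta(seconds=60)   # sliding window (assumed tuning value)


def parse_line(line, year=2024):
    """Return a dict for an sshd password event, or None for other lines.

    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = " ".join(m["ts"].split())  # collapse the double space in "Mar  5"
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return {"time": when, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as tuples. Two kinds are raised:

    ("password_guessing", src, failure_count, time)  once per source when
        `threshold` failures land inside `window`;
    ("success_after_burst", src, user, time)  when a login succeeds from a
        source that still has `threshold` recent failures in the window.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Drop failures that have aged out of the sliding window.
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["time"])
            if len(recent) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                alerts.append(("password_guessing", ev["src"], len(recent), ev["time"]))
        elif len(recent) >= threshold:
            # A success right after a burst is the event worth paging on.
            alerts.append(("success_after_burst", ev["src"], ev["user"], ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

The script reports two alerts for the sample: the guessing burst from 203.0.113.45 and the subsequent successful login for jsmith from the same address. The single mistyped password from 192.0.2.10 produces nothing, which is the point of a windowed threshold rather than alerting on every failure. In practice the same logic applies to VPN, Office 365 or accounting-system logs once a parser for their format replaces `parse_line`.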

Take the Right Steps 
A few simple actions can be taken to reduce cybersecurity risks immediately.
  • Identify the company’s most valuable information and where that information is located on the network.
  • Establish internal controls and cybersecurity procedures that consider both internal and external threats.
  • Prioritize cybersecurity procedures so that the highest levels of protection surround the most valuable information.
  • On a regular basis, evaluate the effectiveness of the company's cybersecurity controls and procedures through thorough audits and technical assessments performed by people with cybersecurity experience.
  • Establish a plan of action in the event of an adverse cybersecurity incident. Test the plan by conducting a simulation at least once a year.
  • Establish procedures to evaluate any third-party service providers (if applicable) and assess their cybersecurity processes.
  • Communicate cybersecurity measures to the entire organization and help every employee understand the threats the company faces, and their role in protecting the firm’s assets.
These suggestions provide a high-level first step in assessing corporate IT preparedness. Should additional resources be necessary to improve the company's IT security infrastructure, consult a trusted third-party service provider to assess the firm's IT environment and risks. Knowledgeable IT advisors can provide the tools and counsel needed to help protect the company from cybersecurity breaches or other IT-related issues.

When searching for a trusted third-party advisor, consider individuals holding established certifications in the industry, such as CISSP, CCE, CISA, CRISC and GCIH certifications.

In today’s evolving information technology world, addressing security risks can be critical to sustaining a strong brand in the industry. Businesses must take the steps necessary to protect their information and avoid damaging interruption of operations or, worse, becoming the next headline. 


Rodney Murray is a principal at Dixon Hughes Goodman IT Advisory and Rick White is a partner at Dixon Hughes Goodman Assurance Services. For more information, email rodney.murray@dhgllp.com or rick.white@dhgllp.com