2018 Cyber Risk Outlook: What Construction Executives Need to Know

By Jeffrey M. Dennis and J. Nathan Owens
December 4, 2017

Unless the world stops using computers, cyber crime will continue to increase in the coming years. Ransomware remains one of the most immediate challenges for most businesses, including construction, given the numerous avenues of intrusion available to cyber hackers.

In addition, expect to see an increase in attacks against building automation. These attacks are of particular concern to construction companies, as commercial builders are faced with the very real proposition that cyber criminals will attempt to infiltrate command and control systems, which could lead to the compromise of security, HVAC, electrical, elevator and potentially other major building components.

An attack of this magnitude may subject commercial builders to significant liability and pose a threat to life safety. Without proper preparation, construction companies may be in the crosshairs of opportunistic cyber criminals looking to exploit weaknesses in cybersecurity systems.

Construction executives should have an understanding of their company’s cyber risks, what their firm has done to protect against an attack, and what additional steps may be needed to avoid a costly cyber attack or breach. Following are four steps that provide a solid starting point for this exercise.

Identify the Company’s Digital Assets

Every construction company possesses data and information that must be protected—whether it is confidential employee or customer information, or trade secrets and other information that provides a competitive advantage. Some, if not all, of this information is stored electronically. Identify the information and its exact location within the business’ computer system.

Examine Existing Security Measures

Once the information is identified, determine what, if anything, is being done to protect it. An honest examination of existing internal technological security systems is critical.

  • Is the computer system protected by a firewall?
  • Are internal human resources files encrypted?
  • Is inbound and outbound network traffic monitored for anomalies?
  • Are physical files secured in a confidential manner?

While this is a daunting task to someone untrained in cybersecurity, a variety of resources exist to assist. In addition to cybersecurity vendors that specialize in this analysis, several governmental entities have identified guidelines, or minimum standards, that should be met to protect against cyber crime. The National Institute of Standards and Technology has issued a set of guidelines known as the “Framework for Improving Critical Infrastructure Cybersecurity” to help organizations manage cybersecurity risk. At the state level, the New York State Department of Financial Services recently released a comprehensive set of cybersecurity requirements.

Although construction companies are not yet required to comply with all of these standards, they provide steps that should be considered to protect against cyber attacks. In addition, should a breach occur and litigation ensue, a court may look to these standards as a baseline from which to determine whether a company took appropriate action to protect against a cyber attack.

Train Employees Rigorously

The importance of training employees as the first line of defense against a cyber attack cannot be overstated. Employee mistakes are routinely the way cyber criminals launch cyber attacks.

Given the proliferation of ransomware attacks, it is imperative that all employees are trained on how to avoid a cyber intrusion. Attacks come in various forms, such as phishing and social engineering, and from various sources: fake emails, compromised links, or enticing social media click-throughs. Any one of these could lead to cyber infiltration or the launch of a damaging ransomware attack, either of which could have expensive consequences.

To reduce the risk from these attacks, a comprehensive training program should be instituted. Have a professional train and test employees, in person or online. Employees who fail these tests get remedial training. This training program should be ongoing, consistent and measured.

Set Contractual Expectations and Obtain Insurance Coverage

Incorporate specific cyber-related external risk management strategies to shift the risk of an attack away from the company. A business can have the best internal security and training program, but it’s still vulnerable if a vendor with access to its computer system does not.

Contracts with vendors and subcontractors should set forth specific requirements that must be followed to ensure they are not a cyber risk. Contracts also should require a vendor to indemnify the company if a cyber event occurs.

As a fail-safe, seriously consider managing risk through the purchase of a cyber liability insurance policy. Comprehensive cyber insurance can protect the company and act as a safety net should all other efforts fail. As cyber insurance policies evolve, carefully analyze any policy to ensure that appropriate coverage is provided.

The cybersecurity landscape is vast and changes quickly. Following these steps will put a company on the path to avoiding a damaging cyber attack and managing risk in the event a breach occurs.

by Jeffrey M. Dennis
Jeff Dennis is a Partner and the Head of Newmeyer Dillion's Privacy and Data Security practice. He advises his clients on a multitude of privacy and cybersecurity related issues, including proper preparation, compliance, risk avoidance and breach response – with the goal of advancing his clients’ business interests through the implementation of a strong privacy and data security governance structure. 
