Cybersecurity and the Construction Industry

Contractors must take steps to protect proprietary information against cyberattacks, including bid data, materials pricing, profit/loss data, employee information and banking records.
By Greg Davis
June 20, 2018

Few businesses think they will be targets of cyberattacks, either because they are not large enough or do not have information hackers desire. The construction sector is a prime example of an industry that possesses large amounts of private information that would be desirable to a hacker. According to HUB International, “the construction industry lags behind others when investing in high-level security and keeping up with current threats, and hackers are well aware and take advantage.”

What are Hackers Targeting?

Construction companies have proprietary information that requires protecting, including bid data, designs, materials pricing, profit/loss data, employee information, banking records and other highly confidential information.

Cyberattacks can involve the financials of a company in at least two ways. First, a hacker can deploy a phishing email to have money wired to their account, or they can hold data hostage until the company pays a large fee to the hacker. Second, a prized possession of any hacker is the personal information of employees. Private information, such as social security numbers, mailing addresses and other payroll data, could be compromised if the company is attacked. The hacker can use this information themselves or sell it for profit.

Who is affected when a construction company suffers a cyber-attack?

A company is affected physically and its reputation can be damaged. “Negative press often accompanies cybersecurity incidents, causing reputational damage and potentially resulting in unplanned costs. Further, it can decrease a company’s market valuation, create new legal complexities and may give rise to fines from some regulatory bodies for noncompliance,” said Rodney Murray, Dixon Hughes Goodman. Attacks such as a denial of service (DoS) can cripple a company's ability to process data. The company may not be able to pay vendors. Third-party and vendor information could be at risk, further spreading the cyber-attack. Employees are affected if the company is unable to process payroll and employees fall behind on their own bills. Lastly, shutting down internet access may prevent companies from submitting bids, potentially losing large amounts of money. The impact of a cyber-attack extends beyond company losses to employees and their families, vendors and suppliers.

Not all data breaches are the fault of the company or employee. Often, to streamline a process or to reduce costs, businesses outsource functions to third-party vendors. For example, iSqFt reported on two large general contractors who were the victims of a data breach. One contractor’s outside vendor that prepared the contractor’s W-2 and 1095 tax forms reported suspicious activity on that vendor’s systems. Employees of another company reported fraudulent tax filings being made in their names. Outsourcing can be a good way to save money, but companies need to ensure they are contracting with reputable partners. Make sure vendors proactively fight against cyber-attacks and offer guarantees if data is compromised.

How are cyberattacks happening and how can they be prevented?

Michael Erdman, writing for MyIT, said, “Construction brings together people from all walks of life including different education levels, locations, languages, and more. The constant change in staff makes it difficult to consistently train everyone.” The best and the most difficult way to prevent incidents is to train employees. If field employees are not technically savvy enough to operate their devices beyond how they were originally trained, they may open email attachments that contain harmful executable files, reply to a wrongful email with sensitive data or click pop-ups that cause harm to computers and networks. To lessen human error, construction companies can install web filters to limit what employees can view on the internet and email filters to reduce the amount of unwanted spam email. Firewalls should be installed and the latest security patches applied.

Along with employee training, other challenges are the lack of IT staff, insufficient budgets and employee and management resistance. Normally, the IT Department does not generate income, so it may not have the same influence as other departments, which means smaller budgets to hire qualified personnel, purchase security hardware and software, and properly maintain these systems. When preparing yearly budgets, tangible items, such as outdated computers or printers, are frequently the priority while cybersecurity needs are overlooked. Employee and management resistance can hinder the IT department from establishing and enforcing policies that protect the company. TeamLogicIT recommends that users should change their passwords at least every 120 days and “current IT industry consensus holds 'strong' passwords should be at least 10 to 15 characters and include a mix of lower case and capital letters, numbers and special characters.” Unfortunately, employees and supervisors may feel that changing passwords is an inconvenience and the IT department is unreasonable.

What actions can construction companies take once they become victims of a cyber-attack?

Gemma Moore says, “Delaying too long in making critical response decisions may exacerbate the impact of the incident but, conversely, making knee-jerk decisions can cause further damage to the business or hinder a complete response.” Isolating the event may be difficult. If a specific computer or network location can be identified as the source, disconnecting the location or the affected device can prevent the attack from spreading. Begin removing the threat and auditing computer systems to determine the extent of the damage. Once data has been restored and systems are operational, review security policies and make necessary changes to prevent future attacks. Cyber insurance, a new form of post-protection, has emerged in recent years due to increased cyberattacks. According to Jeffrey Dennis and J. Nathan Owens, Newmeyer Dillon, comprehensive cyber insurance can protect the company and act as a safety net should all other efforts fail. Cyber insurance is intended to help victims of cybercrimes cover expenses and losses incurred due to an attack.

It might be impossible to stop all cyber-attacks, but with a better understanding of how data breaches occur, companies can prevent a large percentage of attacks. Cybersecurity can be expensive and companies simply do not budget resources to protect themselves, their employees and other stakeholders. “Recent network attacks and data breaches have demonstrated that cyber security events can quickly accumulate significant costs, inflict reputational damage, and produce long-term ramifications,” according to Marsh & McLennan Companies.

Contractors who are victims of an attack should first identify the threat and determine the degree of exposure. Next, defuse the attack and establish who and what has been affected. Take ownership of the attack by notifying those affected and by making proper changes to security policies to avoid future attacks. Cyber-attacks are increasing in all industries and the best form of prevention is education. Train employees not to open suspicious emails, use caution when clicking links in unfamiliar websites and know what to avoid posting on social media. Proper prevention can help construction companies avoid future cyber-attacks and protect overall company and employee data.

by Greg Davis

Greg is enrolled at East Carolina University pursuing a B.S. degree in Information and Computer Technology. He is the Network Administrator for S. T. Wooten Corporation. Maintaining a reliable network, preventing intrusions and educating employees on possible threats should be top priorities of I.T. professionals.

