The Rise of Cybersecurity Risk in the Construction Industry

Ransomware attacks can lead to loss of confidential data and intellectual property and result in workforce injuries and property damage if autonomous equipment is hacked.
By David Friedenberg
September 27, 2020

Cybersecurity attacks are making headlines these days, and the construction industry is not immune. For some construction companies, recent ransomware attacks have led to the loss of confidential data or a systems shutdown. Cyberattacks can take many forms, and as they adopt more technological solutions, construction companies need to prepare to defend themselves.

From project, team and customer relationship software to drones and autonomous construction machinery, the construction industry technology has replaced paper documents such as project drawings, purchase orders, field directives and time cards. A company’s major assets are no longer just materials and equipment, but also technology devices that provide critical services and often represent significant investments.

With the adoption of technology comes the risk of cyberattack

Recent news examples of cyberattacks in the construction industry include ransomware attacks on Bird Construction in December 2019 and Bouygues Construction in January 2020. Ransomware works by encrypting the data within the breached system, preventing companies from accessing the data and critical systems without the encryption key, which is held by the attacker. The attackers then demand a sum of money to provide the key to decrypt the data; usually, requiring the ransom be remitted in cryptocurrency, such as bitcoin. Refusing to pay may result in not being able to access company data or systems in the near term, if at all. Paying the ransom creates a bigger market for this type of attack.

Ransomware is not the only threat. And ransoms are not the only damages. Here are a few of other threats to a business from cyberattacks:

  • Down time. The construction industry is heavily reliant on the ability to deliver projects per a timeline. An attack on company software or equipment can put this in jeopardy. Few project timelines can absorb 12.1 days of reduced productivity.
  • Breach of intellectual property. If the company has highly sensitive blue prints or schematics, a breach of these could mean major reputational damage and potentially lawsuits.
  • Breach of bid data. Having bid strategies accessed inappropriately can lead to loss of competitive advantage or job loss.
  • Workforce injuries. If autonomous equipment is overtaken, or physical access restrictions are ineffective, the result can be bodily injury to the workforce.
  • Property damage. Compromised equipment could cause or allow damage to additional equipment or facilities.

What can construction companies do to protect their assets from cybersecurity risks?
According to the 2020 Verizon Data Breach Investigations Report, 67% of all 2019 confirmed data breaches were due to leaked user credentials, misconfigured cloud assets and web applications, and social media attacks, such as phishing.

This means implementing good, common sense controls and processes can prevent a large majority of attacks. Start with an asset inventory to clearly identify what needs to be protected. Then conduct a risk assessment to evaluate the risks posed to these assets. This will provide a clear picture of vulnerable areas, and provide clarity about where to spend time, money and resources to address the most critical risks.

The weakest link in any cybersecurity defense system is always people. To protect their assets, construction companies should provide cybersecurity training and information for employees and also ensure that the company has the right security protocols in place if a data breach occurs.
How to assess internal cybersecurity risks

Here are some questions companies should be asking of their IT staff:

  • Do employees receive appropriate training and information about cybersecurity?
  • Are mechanisms in place, such as multi-factor authentication, to mitigate the exposure when people make mistakes?
  • Do web applications, which have back-end access to some of the most sensitive data, have appropriate defenses in front of them, blocking common web application security threats?
  • Does the company have the appropriate skills in-house to properly secure modern web applications?
  • Does the business have a comprehensive, layered strategy for security, or is it relying on “magic bullet” solutions to solve security needs?

Addressing unsatisfactory responses to these questions are a good place to start, but cybersecurity is an ongoing process that needs to be part of every construction company’s risk assessment and abatement protocols. With regular checkups and the right protections in place, technology can continue to drive the construction business forward into the future.

by David Friedenberg
David Friedenberg, CISA, CRISC, CISSP, QSA focuses in assessments of internal controls, vendor management, ERP system implementation and evaluation, cybersecurity and PCI compliance with Weaver, a national accounting firm. In addition to several industry certifications, he holds a Bachelor of Science in information system security from Westwood College. 

Related stories

When OSHA Cites You
By Michael Metz-Topodas
The best defense against an OSHA citation is just that: a good defense. Make sure your safety program has you prepared to respond—and keeps you from getting complacent about your workers’ safety.
Mitigating Struck-By Incidents on the Jobsite
By Rob Dahl
Some workplace injuries are more serious than others, but that doesn't mean mitigating them has to be more complicated.
Cultivating a Company Culture Committed to Safety, Mentorship and Education
By David Frazier
Mentorships, education and employee training programs still work wonders when cultivating a culture of wellbeing at your construction company.

Follow us

Subscribe to Our Newsletter

Stay in the know with the latest industry news, technology and our weekly features. Get early access to any CE events and webinars.