The Importance of Cyber Security in the Construction Industry
The time when cyber risk was mostly a data breach-related issue is over. With the explosion in ransomware attacks, business email compromises, fraud and stolen credentials, cyber is now everyone’s risk. And as it continues to increase, construction companies have become a target.
Ransomware: The No. 1 Cyber Threat
Cyber risk may not seem like a relevant issue in construction, and the industry may not seem like an obvious target for cyber criminals compared to industries like healthcare, retail or technology – but that’s changing.
Earlier this year, Canadian contractor Bird Construction and French contractor Bouygues Construction were both hit by ransomware attacks. Ransomware attacks often focus on companies that will be immediately impacted by the disruption caused by the attack. Construction companies are likely being targeted because of their limited awareness of cyber risks and their lack of cybersecurity.
In addition, ransomware can cause a substantial interruption to the complex supply chain of construction projects. And as attacks become more sophisticated, ransom demands have gone up dramatically. In fact, it’s not uncommon to have ransom demands in the range of several million dollars – that’s on top of the interruption loss incurred even when the ransom is paid.
Construction Companies Are Prone to Business Email Compromise Fraud
A unique feature of the construction industry is the extensive use of sub-contractors and suppliers, which involves a high degree of payments flowing to and from construction companies. Additionally, construction projects are often part of a public bidding process. The details in this process include information about the project and the winners. This makes construction companies an attractive target for business email compromise fraud. This is a deception scam where cyber criminals send fraudulent email messages disguised as legitimate invoices or wire transfer requests. The money is then transferred to the criminal’s account instead of the actual payee. In 2019, almost 24,000 of these incidents were reported to the FBI for a total of $1.8 billion in stolen funds.
Contractors Are Vulnerable to Having Their Credentials Stolen
Many times, contractors have open data connections with their customers for things like electronic bill paying and project management. When these connections are linked to their customers’ other important systems, they create an opening for cyber attackers who’d like nothing more than to steal as much information as they can. And once they have the contractor’s credentials, those cyber criminals can take valuable information from the contractor’s customers.
What Can Construction Companies Do To Protect Themselves From Cyber Threats?
Everything has to start with cyber risk awareness and understanding what the financial impact can be to the business in the event of a successful attack. Social engineering continues to be an integral part of many attacks simply because it’s the path of least resistance. As it relates to business email compromise fraud, it’s the main attack method.
When it comes to ransomware attacks, criminals exploit a number of critical vulnerabilities in systems and applications that are used by most businesses, such as Microsoft’s operating system and VPN applications for remote access.
Outside of standard technical cybersecurity protections, the following measures can greatly reduce construction companies’ exposure to cyber threats:
- Employee cyber risk awareness training, including anti-phishing exercises.
- Requiring strong passwords and using multi-factor authentication for users with access to critical data and applications or involved with wire transfer changes or approvals.
- Having a procedure in place to authenticate the legitimacy of requests for payment and changes to wire transfer instructions.
- Maintaining good open port hygiene and running only those operating system services that are absolutely required for network operation. Remote Desktop Protocol (RDP) is an example of a commonly exploited service in ransomware attacks that is rarely critical to operations and should be shut off.
- Ensuring that critical vulnerabilities are patched within 30 days of release by the vendor.
- Maintaining frequent back-ups and encrypting or storing back-ups off-line to prevent cyber criminals from encrypting or destroying the back-up as part of the attack.
- Using a VPN for remote access. For organizations with remote users, a VPN provides a secure channel through the Internet to the organization’s private network.
- Preparing for the worst with an incident response plan (IRP). This prescribes the way a business will respond to and manage the effects of a security attack.