Why the Construction Industry Is a Top Target for Cyber Criminals
Construction companies may not always sell directly to consumers, but that doesn’t mean they are not at risk of a cyberattack. In fact, according to a report from the software security company NordLocker, the construction industry is at the highest risk for ransomware attacks, one of the most significant cybersecurity risks. This is due to various computer applications and technologies used in construction, which present countless opportunities for breaches.
Exposing Vulnerabilities
Construction companies are frequently targeted by cybercriminals due to their lack of stringent policies and technology to safeguard against cyberattacks. The industry’s heavy reliance on new and unprotected technology and software makes it an easy target for malicious attacks. Moreover, the increasing use of internet-connected devices that can be operated remotely further exposes vulnerabilities. Construction companies must prioritize upgrading IT infrastructures and implementing strong security measures to combat cybercrime effectively. This is an area that the industry has been slower to adopt.
Hacking the System
One of the most significant threats to construction companies is ransomware, a type of malicious software that encrypts data, making files, databases and applications completely inaccessible without an encryption key. The cybercriminal responsible for the attack then demands a ransom for the key. Ransomware can spread quickly across a network and cause significant disruption to operations, including shutdowns, delays in construction and loss of revenue.
Construction companies have been especially vulnerable to ransomware called “Seigeware,” which targets building control systems to disrupt daily operations. The Internet of Things (IoT) and Building Management Systems (BMS) are two digital properties that can be infiltrated when this occurs. Seigeware is especially destructive to construction companies that use “smart building technology,” which includes a multitude of unprotected technology units that cybercriminals can take control of.
The consequences of Seigeware can be devastating, affecting sensors, asset tracking, worksite security and machine controls. This can block the accurate measurement of inventory and can lead to inaccurate bid proposals if not caught in time. If cybercriminals can access and gain control of security cameras, they will be able to monitor the behavior of employees, examine materials and plan future potential attacks. Additionally, cybercriminals can also gain control of and manipulate BMS, a system that controls vital functions of the company building (lights, security system, HVAC, etc.).
Another technique cybercriminals use is stealing valuable intellectual property, such as patents, designs, construction processes, research and development documents and proprietary software. They also target customer lists, contracts, bidding information, business plans and marketing plans, all of which can be sold on the black market.
Construction companies are also vulnerable to less sophisticated fraud tactics, like receiving phony emails from legitimate vendors requesting future payments be sent to a bank account controlled by the criminal.
The Risks of a Cybersecurity Breach
Cyberattacks can have severe consequences for businesses, including legal fees, recovery costs associated with a breach, damage to reputation and loss of productivity. In some cases, a company’s entire supply chain operations may need to shut down to stop the spread and disable malware from a cyberattack. According to a report from WebFx, cyberattacks result in an annual cost of approximately $15.4 million for U.S. companies, with small businesses facing an average expense of around $8,700 per attack.
Smaller businesses are often less prepared to deal with cyberattacks due to their limited resources. They may be unable to afford dedicated IT staff, have inadequate or nonexistent network security, or lack a backup plan, making them more vulnerable to potential threats. They often cannot withstand the consequences of a cyberattack, including recovery costs, loss of vendors/customers, or because of a temporary shutdown of the business. According to Momentive’s recent survey of 1,200 small businesses on behalf of CyberCatch, 75% of small businesses stated they would only be prepared to continue operating for up to a week if hit with ransomware. If paying the funds demanded was not bad enough for these businesses, the total disruption to operations would make such attacks even harder to withstand.
Minimizing Risks
To avoid potentially devastating cyberattacks, it is crucial to prioritize conducting a risk assessment. By thoroughly evaluating your hardware, software, and data, you can pinpoint any weaknesses. It’s also important to examine how employees, vendors and other partners can access your network, as well as monitor third-party vendor security. Evaluating the policies and procedures for all existing and potential vendors is essential to ensure their vulnerabilities do not threaten your company. Consider undergoing service organization control (SOC) audits by certified public accountants to gain a detailed report on your internal control design and operating effectiveness. Don’t hesitate to request SOC reports and/or other internal control documents from vendors. Once the risk assessment is complete, implement internal policies, procedures and controls to prevent unauthorized access.
Taking proactive steps to avoid a cyberattack should also include company-wide training so that employees can recognize and respond to threats to help protect sensitive information. Implementing strict password policies and multi-factor authentication can significantly enhance security. Frequent software updates and security patch scans are essential to address vulnerabilities and weaknesses in a company’s systems and protect sensitive information. Additionally, having an incident response plan and a solid backup plan are equally important to minimize the impact of a breach and ensure business continuity.
Adding Cyber Insurance
Investing in cyber insurance is another critical step for construction businesses to safeguard themselves against cyber threats. While various types of insurance coverage are available, it’s important not to rely solely on general liability coverage. Some insurance companies may limit coverage to certain ransomware claims or exclude coverage for specific vulnerabilities. Insurance applicants are often required to provide more details about their data security control efforts before extending coverage, according to the 2022 Cyber Insurance Market Conditions Report published by insurance firm Gallagher. Insurance providers are well-versed in businesses’ cyber risks and can provide options to protect against cyber threats.
Conclusion
The construction industry remains highly vulnerable to cyberattacks, and the troubling trend of cybercriminals targeting this sector shows no signs of abating. Companies must proactively bolster their cybersecurity before it’s too late. By identifying the factors that contribute to their vulnerability and implementing robust security measures, construction companies can better safeguard their assets and operations, paving the way to continued growth and success of the industry.
Contributing author: Benjamin A. Sumner, CPA, is an audit partner with over 14 years of experience providing auditing, accounting and advisory services to a wide variety of privately-held businesses. For more information on this topic, contact Ben at bsumner@dmcpas.com or (315) 472-9127.