Cyber Threats in Construction: The Rise of Ransomware and Digital Vulnerabilities

The construction industry stands at the intersection of innovation and vulnerability, going through ongoing transformation in both business processes and technological advancement. In recent years the construction industry has become more digitally focused. Construction firms are using digital tools not only to send invoices and plan projects from the back office, but also on site to build walls and foundations or to survey progress in real time. What was once created and collected manually is now going digital.

Although technical advancements provide many opportunities for growth, they can also be a source of high risk if left unregulated and unmonitored. Unfortunately, the industry’s lack of rigorous regulatory requirements and enforcement of data protection laws makes it an attractive target for cybercriminals looking to take advantage of the sector’s strong reliance on digital tools to extort money. Infrastructure, bank accounts, personnel data, project data, and sensitive company information are at risk because proper cybersecurity resiliency is not in place.

Ransomware is a common and profitable attack method for cybercriminals. It costs businesses worldwide an estimated $20 billion or more a year, and other cyber-attacks on the construction industry have increased sharply since 2019. As construction companies manage thousands of files across multiple platforms and hundreds of employees across various sites, the threat landscape expands day by day. Managed service companies that monitor and respond to cyberattacks have been clear about the significance of the risk to the industry. In ReliaQuest’s 2023 Annual Cyber-Threat Report, the construction industry is ranked first on the most-targeted sectors list with an average of 226 incidents per year. The eCrime Ransomware and Data Leak site report from 2023 states that the construction industry was the most affected by ransomware.

The seriousness of these threats was highlighted when a large Canadian construction company was the target of a ransomware attack at the beginning of 2020. Although business operations could carry on, the intrusion exposed confidential information, revealing the weakness in the sector’s cybersecurity protocols. The construction industry has experienced massive losses, including stolen or misdirected funds and failed bids due to system interruptions, as well as brand damage that affects future teaming arrangements, contracts, and customer confidence, on top of cascading cyber incident response costs like system restoration and ransom payments.

With the adoption of new technologies such as BIM (Building Information Modeling), Construction Management (CM) Software, AR/VR (Augmented Reality/Virtual Reality), 3D printing, Digital Twins, AI (Artificial Intelligence), Big Data, and IoT (Internet of Things) in the construction industry, it is important to safeguard sensitive data from breaches and unauthorized access. The increased use of robotics, drones, and smartphone apps creates new data points that need to be secured.

The Building Management System (BMS) is also the most important digital development in the building industry. From a single central interface, these systems automate and manage all of a building’s vital functions, including lighting, security, HVAC, and ventilation. While BMSs enhance operational efficiency and can significantly reduce energy consumption, they also represent a significant security risk. If breached, the potential for operational disruption and safety issues is substantial.

Another key digital tool in the construction sector is estimation software, which is used for calculating the costs associated with materials, labor, and other expenses that are crucial for creating competitive and accurate project bids. Because these tools store sensitive data on pricing and business strategies, they become prime targets for cyber-attacks. A breach can not only lead to financial losses but also damage a company’s reputation.

Smartphones, laptops, and tablets are also used to access data, transfer information, and send communications to employees and clients. With so many devices, and without proper controls and security implementation, it can be challenging to protect every single entry point, which presents a multitude of possible openings for cybercriminals.

Why is the Construction Sector So Heavily Affected? Broadly speaking, it is because of the following:

  • Lack of investment in cybersecurity infrastructure
  • Complex supply chains
  • Rapid technology integration
  • Slow regulatory adoption
  • Reliance on legacy systems
  • Third-party risks
  • Lack of cybersecurity-related regulations


Robust strategies are needed to protect construction firms from cyber threats and to safeguard their systems, processes, data, customers, and brand. It is crucial to implement comprehensive security measures that cover not just endpoint security but also advanced threat intelligence and network monitoring. These are some of the common strategies to protect an organization:

  • Employee Training & Awareness: Conduct regular cybersecurity training and awareness sessions for construction staff to educate them on potential risks and best practices. Encourage employees to be vigilant and report any suspicious activities promptly.
  • Regular Software Updates: Keep all software, including operating systems, applications, and security tools used in construction projects and office operations, up to date to patch known vulnerabilities.
  • Firewalls & Antivirus Software: Implement robust firewall and antivirus solutions to detect and block threats. Ensure that these tools are regularly updated and configured properly.
  • Data Encryption: Encrypt sensitive data both in transit and at rest to protect it from unauthorized access, including project plans, client information, and financial data.
  • Access Controls: Enforce strong access controls with role-based permissions. Limit access to sensitive data and systems, and require multi-factor authentication (MFA) to access systems or data.
  • Backup & Recovery: Regularly back up critical data and test the backups to ensure they are functional. Create a disaster recovery plan to expedite data restoration in the event of an attack.
  • Incident Response Plan: Create a comprehensive incident response strategy outlining measures to follow during a cyberattack. Regularly test and update this plan and conduct tabletop exercises with scenarios relevant to the construction industry.
  • Vendor Security: Assess the cybersecurity practices of third-party vendors and partners, such as subcontractors and suppliers, to verify they satisfy security standards, as they typically have access to critical project information.
  • Regular Audits & Assessments: Conduct periodic security assessments and audits of construction management software, on-site devices, and office systems to identify vulnerabilities and weaknesses. Address these issues promptly to enhance security.
  • Cybersecurity Policies: Develop and enforce cybersecurity policies and procedures tailored to the construction industry’s needs and risk profile, ensuring all employees and partners understand and adhere to these guidelines.

By embracing robust protective measures, the pillars of progress and security can stand together, ensuring a resilient future in the face of ever-evolving cyber-attacks.
