Is Your Construction Firm Prepared for Cyber Threats?
Innovations such as AI, the Internet of Things (IoT) and Building Information Modeling software help construction companies automate tasks, reduce waste and improve efficiency, productivity and safety. However, these technologies bring significant cybersecurity risks.
As construction firms increasingly rely on digital tools and store large amounts of sensitive data, cybercriminals increasingly view them as attractive targets. As a result, construction businesses must take action to protect sensitive information from data breaches and other cybersecurity incidents that can create financial hardship and reputational damage.
Why Cybercriminals Target the Construction Industry
There are several reasons why the construction industry is an appealing target for cybercriminals, including:
- High-value transactions: Construction projects often involve significant financial transactions, making them attractive targets for ransomware, phishing attacks, and financial fraud. The high value of these transactions can incentivize cybercriminals to attempt fraudulent payments or extortion.
- An abundance of sensitive data: Construction companies manage sensitive data like blueprints, architectural designs, bids, contracts, and employee and client information. This data is valuable to cybercriminals, who can exploit it for financial gain through data breaches or sell it on the dark web.
- Complex supply chains: With multiple stakeholders and subcontractors involved in construction industry supply chains, each with potentially varying levels of cybersecurity maturity, the odds of network vulnerabilities increase. Malicious actors may target these weak links in the supply chain, as they may serve as potential access points for cyberattacks.
- Outdated cybersecurity measures: Many construction firms rely on legacy systems or outdated software that does not provide adequate protection against modern cyberthreats. These weaknesses present attractive opportunities for intrusion by hackers, who often seek out older systems with known vulnerabilities that are easier to exploit.
Common Cyberattacks and Why They Are Utilized
Cybercriminals use a variety of tactics against the construction industry. These include:
- Ransomware attacks: These occur when cybercriminals gain access to a business’s computer system, encrypt the files, and demand a payment in exchange for providing a decryption key. This can be effective against construction companies because projects often have strict deadlines, making business interruptions extremely costly and prompting targets to pay the ransom quickly in an attempt to avoid further losses.
- Phishing attacks: Threats of this nature involve malicious actors tricking users into providing sensitive information (e.g., passwords) through fraudulent emails, texts, calls, websites, or links. Construction firms often employ temporary staff and subcontractors who may not be familiar with a company’s internal communications. This makes phishing attacks especially effective, as cybercriminals can exploit this unfamiliarity and trick targets into revealing sensitive information or clicking on malicious links.
- Business email compromise (BEC): This type of attack occurs when a malicious actor impersonates a legitimate individual (e.g., a CEO or in-house counsel) or hacks into that person’s email account and fraudulently requests money or sensitive information. BEC scams are used against construction companies because large amounts of money and sensitive data often move between project stakeholders, so these requests may not raise a red flag and can easily go unnoticed.
- Supply chain attacks: Construction companies often rely on multiple subcontractors and third-party vendors, which increases the potential for cybercriminals to target less secure partners along the supply chain. Once a third-party vendor’s system is breached, attackers can gain entry into the main company’s network, compromising sensitive data.
Cybersecurity Best Practices for the Construction Industry
Although cyberthreats are numerous and evolving, construction businesses can take multiple safety measures to safeguard their computer systems and networks. Here are some examples:
- Employee training and awareness programs allow employers to educate their workers on cyberthreats. They also provide a forum for discussing how to combat cyber risks by following the organization’s cybersecurity policies and procedures.
- Multifactor authentication adds layers of protection by requiring authenticators, such as one-time passcodes or time-sensitive links, before a user can access a company’s network or system.
- Regular software updates and patch management can ensure software programs are best positioned to defend against the latest cyberthreats.
- Network segmentation divides a network into smaller parts so that if it is infiltrated, there will be security barriers to prevent lateral movement across the network.
- Data encryption transforms data into an unreadable, encoded format so malicious actors cannot decipher it without the correct key.
- Data backup and recovery systems allow businesses to recover quickly after cyberattacks (e.g., ransomware or DDoS attacks) because their data is stored in another place (e.g., external hard drives or the cloud) and can be quickly reloaded onto systems to minimize downtime.
- Vendor and supply chain management ensures companies select and work with vendors with strong cybersecurity practices. By carefully vetting partners, construction companies can reduce the risk of supply chain attacks.
- Incident response planning and testing allow construction firms to proactively build their cyber defenses by having policies and procedures to respond to cyberattacks and test their systems to find and repair weaknesses.
The Role of Cyber Insurance in Mitigating Risk
Even with a robust cybersecurity defense, no system is immune to attacks. Cyber insurance helps mitigate exposure to cyber-related losses, filling gaps that may be left by other policies (e.g., commercial property insurance or general liability insurance), which typically do not cover cyber-related events. It is specifically designed to cover business interruption and other financial losses that result from cybersecurity incidents, such as data breaches and ransomware attacks.
Talk to a Construction Insurance Leader
Cyber insurance policies vary in coverage, limits, and exclusions. To learn more about cyber insurance or for help selecting a policy that best suits the needs of your construction business, reach out to the construction industry experts at VTC Insurance Group. Give us a call at 248.828.3377 or visit vtcins.com.
This post is for informational purposes only and is not intended as medical or legal advice.