In February, hackers reportedly attacked Canadian general contractor Bird Construction using ransomware, encrypting vital data and demanding money in return for a way to access the data once again.
Nearly half of construction executives surveyed said they think their firms are destined to be victimized by a cyberattack, but nearly 70% haven’t assessed their risks or developed a response plan for that scenario, according to the Travelers Business Risk Index. Attacks are increasing for companies of all sizes, but medium-sized and small businesses are the targets more often than not. At the same time, only 51% of businesses have cyberinsurance.
Construction Dive spoke with a number of cybersecurity experts to determine what the best practices are in the face of an attack.
Every company should have a response plan, insurance and a relationship with a data analyst who can quickly help investigate the magnitude of the issue, said Richard Volack, chair of Peckar & Abramson’s cybersecurity and data privacy practice. If a construction firm doesn’t have any of those, the next step after a hack is to do damage control by fixing that, Volack said.
Ensuring all stakeholders including the CIO, CTO or data czar can be in the same room to make a decision about a cyber attack response rapidly is essential, Volack told Construction Dive.
Decisions need to be made in terms of how to find out how the attackers made their way into the system, what information they have, what needs to be done to recover the information, who needs to be informed of the hack and — perhaps most important — how to proceed with work during the response.
In the event of a ransomware attack, it’s important to find out which devices may still be able to work and which cannot. If backups are available through hard drives and USBs, that can help with office work continuing.
“It’s essential to realize that if all your computers do get nuked by an attack that any new machines you add to your network run the risk of also becoming compromised the moment they get a network connection,” said Richard Henderson, head of global threat intelligence for Lastline, a California-based cybersecurity detection provider.
Luckily for construction, a hack of private data doesn’t necessarily mean physical work needs to stop on site, said Chris Kennedy, the chief information security officer for AttackIQ, a company that simulates attacks and breaches to test readiness.
That said, it’s important to determine how much money or data would be lost if certain contracts or a customer’s data could not be accessed can be helpful in laying out the timeline of damage control, and how long work on site can continue.
No matter what, being unprepared is going to be costly in the long run, and not having the proper insurance or protective measures can create huge issues and expenses, experts say.
“If you are completely unprepared, where have you been?” said Jonathan Care, a senior director analyst with Gartner.
To pay or not to pay?
When important data is encrypted and held for ransom, experts say a decision needs to be made fast about whether or not to pay the hackers, but their opinions on whether or not to do so differ.
“In many cases, it is worth it,” Kennedy said, noting the choice to pay the attacker is a “business decision.” Sometimes, the data is so essential that the cost is worth it enough to get the encryption key and access it again, he said. Even then, executives can’t be sure the key will be given and the one payment will satisfy the hacker.
Care disagreed, saying he finds it inadvisable to pay a ransomware attacker, as the business has no idea if the key will be given and access to their own data be permitted again. There are other ways to remove a hacker from the system, Care said, and even though they can take time and outside help, paying an attacker is a gamble with no guarantee of paying off
Messaging and communication
Once a breach occurs, contractors need to be aware of where their employees who have compromised data live, Volack said. States have different requirements for the amount of time necessary to respond to ensure employees know they have been hacked.
Construction companies also have to face the fact that they have multiple stakeholders involved in every project, which can impact who has what information. Contractors, architects, subcontractors, owners and the government may have access to personal data of employees involved in a project that could be jeopardized in a hack.
That’s when it’s the responsibility of the CIO and other executives to do their due diligence to determine how they’re sharing their information and with whom, Kennedy said.
“Companies try to build a wall around the important stuff, but the reality is most companies have a lot of connections and data connections and sharing with various companies,” Kennedy told Construction Dive.
Where to start
Across the board, experts agree that construction firms need a response plan in place, even if it’s as simple as having employees switch to flash drive usage until an issue is resolved. Even then, ensuring decisions are made quickly and the correct people are contacted go a long way for the response time.
Construction’s on-site work is not immune to hacks either, as private data, drawings and other vital information can make continuing work a challenge. According to experts, rehearsing and having a strategy ahead of time is one of the best ways to respond to an attack.