SAN FRANCISCO — Although prominent figures in finance and government, such as Warren Buffett and Kirstjen Nielsen, the former secretary of the Department of Homeland Security, have called cybersecurity the No. 1 threat to U.S. businesses, many construction industry leaders don’t see it as urgent.
The risk is growing — phishing attacks increased by 250% last year — but construction CEOs typically rank data security far down their list of concerns, Philip Weaver, senior director of IT for Warfel Construction Co., said during a session at this week’s ENR FutureTech conference.
This perspective is partly due to the fact that many contractors don’t think they have anything of value for a hacker to steal, said Richard Volack, partner and chair of the data privacy and cybersecurity practices at law firm Peckar & Abramson.
“The risk isn’t fully understood by people who should be in the know about this,” Weaver said.
In reality, the panelists said, there is much at stake, including employees’ Social Security numbers and W-2 information, bank account numbers and birthdates, as well as plans and specs for sensitive projects such as tunnels, bridges and power plants.
In addition, the construction industry is particularly vulnerable to hacking because of its reliance on mobile communication and on file and data sharing among many parties. Firms of all sizes are at risk, Weaver said, noting that 50% of all attacks in the country target businesses with fewer than 1,000 employees.
With the average cost of a data breach at $3.8 million, construction firms have more to lose than simply stolen data, the panelists said. Many attacks are aimed at interrupting business operations, sometimes in exchange for ransoms, which often start at $500,000, according to Volack. Until the ransom is paid, daily activities are crippled.
“Think about it: How long can you go without your critical systems and critical data in your daily operations? One day? Two days? Two weeks? A month?” he said. “These are not uncommon time frames if you have a ransomware situation.”
The panelists said they have seen clients’ systems rendered useless because the companies failed to prepare for an attack up front. Comprehensive cybersafety starts with buy-in from top executives and must be budgeted for every year, not treated as a one-time expense, said Scott Takaoka, vice president of Aon's Cyber Solutions Group. "The objective is to continually reduce the window of exposure and improve resilience over time," he said.
Although it’s one of the most at-risk segments of the U.S. economy, the construction industry has one of the worst track records for being prepared to stop cyber attacks, Volack said. Research shows that 55% of construction firms don't take the proper computer security measures until after there’s a breach, according to Weaver.
“Construction is in the top five industries for outdated internal systems,” he said, and having a backup system is usually not enough.
There are several steps that contractors of all sizes should take in order to safeguard their data. Preparing for a breach involves more than just the IT department and includes creating a team of outside consultants who will be ready to act at a moment’s notice. The plan needs to encompass employees, subs, suppliers and other partners, Weaver noted.
"The construction supply chain has a lot of vulnerability,” he said.
To combat increasingly sophisticated and aggressive cyber attacks, Takaoka recommended a multipronged approach, starting with putting several specialists in place including a digital forensic consultant, attorney, crisis communications specialist and a team of internal stakeholders. “It’s not a one-time thing where you install some technology and say I’m done,” he said.
Takaoka also recommended insurance for enhanced risk mitigation. Only about 15% of U.S. construction companies have cyber insurance, he said, even though they can be held liable if anything happens to their employees’ or partners’ sensitive data. “It’s no longer OK to say I wasn’t aware that this was a threat,” he added.
Takaoka, who frequently receives calls from executives looking for help after their firms have been hacked, urged audience members to have a game plan ready. “We have a saying that you don’t pick your team on the day of the Super Bowl," he said.
Construction pros should also consider the following steps, the presenters said:
- Implement a security education, training and awareness (SETA) program.
- Get serious about password security and require two-factor authentication at a minimum.
- Use the “principle of least privilege,” where users are granted access only to the information they need to do their job.
- Think beyond computers and software to other tech-enabled products, such as HVAC, fire suppression and waterflow systems. “All of these have computer chips inside them,” said Weaver. “Most of them have easily accessible factory-set control settings and passwords that must be changed. If not, you’re leaving yourself open to vulnerability because a lot of factory passwords are on the internet and can be hacked in two seconds.”
- Keep up with advances, including the latest patches for software. Many cybercrimes, including the massive 2017 Equifax data breach, could have been prevented by applying a patch that was already available; the Apache Struts flaw exploited at Equifax had been fixed by the vendor months before the intrusion. “You have to check every day to make sure you’re up to date with the program you have, and what’s coming out that’s even better,” said Volack.
- Consider a penetration test, where “ethical hackers” attempt to find their way into your system. With the findings from the test, firms know where to make adjustments. “It’s exactly like a fire drill,” Takaoka said.
- Because it’s impossible to know exactly where or how the next cyber criminal will strike, prioritize your most critical data first. “You can’t do everything so place your bets carefully,” Takaoka said.