Private company data on employees’ computers has made businesses across many industries attractive targets for hacks. The construction sector, like many others, is unprepared for an attack, cybersecurity experts say.
Nearly half of construction executives think their firms are destined to be the victim of a cyberattack, but 68% haven’t assessed their risks or prepared a plan, according to the 2019 Travelers Business Risk Index.
The index also reported that attacks are increasing on businesses of all sizes across industries. The number of large businesses victimized has increased by 73% since 2015, while the number of medium and small businesses victimized increased by 100% and 200%, respectively, in that time period.
Incidents related to phishing — sending fraudulent emails to induce individuals to reveal personal information such as passwords and credit card numbers — have increased noticeably in the last five years, according to attorney Richard Volack, chair of Peckar & Abramson’s cybersecurity and data privacy practice.
After going after bigger targets like hospitals, financial companies and governments, hackers are attacking other industries for their vital information, Volack told Construction Dive. Construction is “ripe for the taking,” he added, because hackers can target employees’ personal information — such as their social security numbers for opening credit cards — as well as information about the companies’ classified plans or specs on government projects.
How hackers do it
Volack said hackers will “spoof” their way into a construction firm’s system, pose as subcontractors and message company accountants, claiming to have a new routing number. Other times, a hacker will pretend to be an executive and email an employee asking for vital information at a 4 p.m. on a Friday, in hopes the spoof will go unnoticed.
Most of this type of hacking is done by professionals, not by teenagers in a basement looking for information for fun, said Merritt Maxim, a Forrester Research vice president and research director serving security and risk professionals.
Fake emails used for phishing are increasingly legitimate-looking in their appearance, Maxim told Construction Dive. Spelling errors can be a quick indicator, but sometimes they’re not so easy to catch.
Other times, it’s ransomware. Hackers have taken over the computer systems for large facilities like dams or water treatment plants and held them for ransom, demanding payment in exchange for not erasing vital information, Volack said.
Adaptations need to be made both in the home office and in the field, Volack said. The convenience of internet-enabled equipment is attractive, but hackers can use it as a back door to information, or even take over security cameras with factory passwords. Even newer technology like drones can be taken over through the internet and used or held ransom by hackers.
Smaller and medium-sized businesses are often targets, experts say, because they have fewer resources to protect themselves, and no thought-out plans.
What to do about it
The Travelers study found that only 51% of all U.S. businesses it surveyed have purchased cybersecurity insurance, and despite the fears many companies share, few are implementing important security training and safety measures.
Insurance policies can be a step in the right direction, and can help mitigate losing money when it is routed to hackers. But it’s important to understand exactly what each plan covers, especially for smaller businesses, Volack said.
Dependence on passwords can make it easier for hackers to make their way into systems. Two-factor authentication is a common form of protection that allows users to keep passwords, while using some other device, such as their cellphone, to enter a second code. Updating to two-factor is a simple upgrade, Maxim said.
Using antivirus software can help as well, Maxim said, adding the relatively low-cost software can be updated and can discourage hackers.
Establishing better cybersecurity measures can also directly impact ventures in the future. Larger firms that share digital information with smaller contractors should require that those firms have a certain level of cybersecurity protection going forward, Maxim said. Hackers could use an entrance through a smaller company’s weak security to gain access to a larger company’s data. That means a small electrical subcontractor with weak security could be a door into a malicious attack of a large general contractor.
Both experts agree that contractors need to have a protective attitude. Hacking happens to all businesses, and a lot of the data a company stores can be sold on the dark web.
“Don’t fool yourself and say it’s not going to happen to me,” said Volack.