Construction companies are infamous for their reluctance to adopt the latest technologies. Most of the largest companies have made the leap, but for small and mid-sized firms, the process continues inch by inch.
However, as contractors join the digital age and begin to reap the benefits of becoming more connected with fellow employees and the outside world via computers, laptops, tablets and smartphones, they also risk opening their systems up to cyber attacks.
"It's a tradeoff for connectivity," said attorney Michelle Schaap of Chiesa Shahinian & Giantomasi in New Jersey. It's the good and the bad sides, she said, of the belief that people need to be connected on demand.
These assaults on a company's computer systems and network happen for a variety of reasons — industrial espionage, access to client or employee information or just plain theft. So why are so many construction companies behind the curve when it comes to implementation of policies and procedures that would eliminate, or at least greatly reduce, the chances of a security breach? And what can they do to reduce their chances of suffering an attack in the future?
Why cyber attacker focus on construction will 'increase significantly'
As it turns out, contractors aren't the only ones lacking in this arena. "It is endemic to a number of industries," Schaap said. With the exception of the financial and healthcare sectors, "many industries still have their heads in the sand," she said.
Those orchestrating attacks know this fact as well. They're also aware that construction can be a lucrative, high-cash-flow business, which makes them it the more appealing to criminals, according to Percipient Networks CTO Todd O'Boyle. The small and mid-sized businesses tend to be prime targets "because many don't believe it will happen to them," he said.
Also, according to Jonathan Gossels, president and CEO of SystemExperts, construction companies aren’t typically focused on cybersecurity. They tend to be more focused on the task at hand, which is completing their construction projects within budget and on schedule, he said. Even the smallest companies are a target, though, according to CyberArk CMO John Worrall. "Everybody is a target for attacks because everyone has something of value," he said.
And make no mistake, cyber attackers have the construction industry on their radar. According to a recent SecurityScorecard report, construction ranked third for security rating among industries. However, Alexander Heid, chief research officer at SecurityScorecard, noted that the ranking wasn't due to the fact that construction firms were taking positive actions to combat potential threats. Instead, he said that although construction "is not yet considered a hot target by malicious actors" due to the fact that it doesn't "have the same massive IT footprint and surface area as other industries," he expects this trend to be "temporary."
"The focus of malicious actors on the construction industry is expected to increase significantly within the coming years as construction firms begin standardizing the integration of 'smart' devices and IoT devices such as thermostats, water heaters, and power systems," he said. "These new IoT devices will create a larger attack surface that previously did not exist."
How construction companies can combat the cybersecurity threat
Therefore,the time to formulate a plan to combat threats is well before an attack takes place. "Think about the problem, and have a response plan," Schaap said. "Treat it like another risk to your business, and plan for it. Plans will go a long way when the day comes that you have to deal with an intruder."
Common cyber attacks
Worrall said phishing expeditions are a component of approximately 90% of all cyber attacks, which highlights the greatest vulnerability of any cybersecurity protocol — people. A phishing scheme usually presents itself in the form of an email in which an attacker masquerades as a trustworthy source. The attacker's goal is to get the recipient to click on a link that will either give the crook access to the recipient's system or prompt the recipient to enter a user ID or password that the criminal can then use to gain access to financial or other private information.
While construction companies don't store the same kind of financial information a bank does, contractors sell themselves short if they don't think their records are valuable. Competitors could be looking for details on the company's next bid or building design in order to gain an unfair advantage, according to O'Boyle. Others are looking for sensitive employee data, like Social Security numbers, in order to engage in identity theft.
And growing by 400% in just the last year, he noted, is the use of ransomware in order to extort cash. The ransomware is most commonly downloaded into a company system via a phishing attack, according to O'Boyle. This allows the perpetrators to deny the company access to its own information until it pays a ransom, at which point the hacker releases the information back to the company.
The first step
Worrall said the first step for companies that have multiple connected users is to install a privileged account security solution on each device. This way, an attack will be confined to a single device. The security of a contractor's data — both at rest (sitting on company servers) and in transit (being transmitted via email or other means) — must also be protected, and Schaap said this is best accomplished through encryption. Even if intruders obtain encrypted data, they won't be able to use it. When it comes to data on servers, she said, companies needs to set different levels of permission so that, for example, a field worker can't get into employee payroll files.
Contractors should also silo, or partition, information so that if an attacker is successful in gaining access to one part of the company's data, they don't have automatic access to everything else. Some companies place extremely sensitive data on a server that's not even accessible through a network in order to ensure no breaches occur, according to Schaap. If an employee leaves the company or is fired, network administrators should shut down access right away, even if it seems harsh or unnecessary. "You have to protect the integrity of the company and company information," she said.
At the very minimum, Schaap said, companies should utilize the latest updated firewall and antivirus software, although those tools may be not be useful in combating the most recent virus and security threats.
Another factor for construction companies to keep in mind is the liability that comes with not having a robust cybersecurity policy in place. If the company knows its systems are vulnerable because they've had outside consultants do an analysis that finds current or previous breaches, then the company could be deemed negligent, even criminally so, if another attack occurs and compromises employee or client information.
These events are an incredibly costly mess to clean up and can have a devastating effect on the businesses that experience them. Schaap said that more than 50% of attacks are on small businesses — those least likely to have full-time IT staff on board or extensive cyber policies. Of the small companies that do experience a significant security breach, she said, half are out of business within a year. Schaap added that there is cyber insurance available, but the premiums are high, and it still doesn’t relieve a company from its obligation to protect its sensitive information.
Why a focus on employees is the key to stronger security
The key to all of this, of course, is getting the message to employees that they have to follow the rules regarding personal use of connected company devices. Even though many people are familiar with how to avoid potentially dangerous emails, there are still those who don't realize the damage they can cause by clicking on just one link. Education is incredibly effective at reducing the chances of a successful cyber attack. "Make it part of standard safety training," O'Boyle said.
In addition, Schaap said, companies should make it clear to employees they will not be disciplined if they accidentally allow an intruder into the system. "If your firm has a culture of fear, the shoe shopper" who had a lapse in judgment and simply clicked on the wrong website won't tell you about the situation, which could result in an even more severe breach of security, she said.
Of course, Gossels said, contractors should have a clear policy about acceptable employee use, which would include a prohibition on visiting "shady sites." Nothing good ever comes from visiting gambling or pornography sites, particularly on a company device, he said. Even the best laid plans, however, aren't completely foolproof.
"You have to be realistic about what's possible," Worrall said. "You can't expect every employee to be an expert. The attacker has to get lucky once. Employees have to be perfect 100% of the time, and that's just not going to happen."