Crime has always been a fact of life in the construction industry. With expensive building materials and high-value portable equipment lying around in temporary locations, thieves have always been drawn to the sector like bees to honey.
Today’s cybercriminals also see construction as a source of ill-gotten gain.
Compared to sectors like banking and retail, it isn’t obvious why construction businesses would be high-risk targets for cybercrime. But digital transformation is changing construction as much as it is any industry.
Breaches are growing in frequency as firms and contractors move to mobile working, and integrate IoT devices such as smart water heaters, thermostats, and power systems into their operations and the execution of building projects.
That’s creating an attack surface that didn’t exist before.
It means that cyber and physical security in construction have to be given equal weight.
Risks to the industry
Construction companies aren’t typically focused on cybersecurity. They tend to be more concerned with the task at hand: finishing projects to specification, within budget and on time.
They deal mainly in the tangible, and that makes the scale of virtual threats like cyberattacks harder to grasp. But the threat is real:
- According to Forrester, 75 percent of companies in construction, engineering and infrastructure experienced a cyber-incident last year
- Following the NotPetya ransomware attack in 2017, a global manufacturer of construction materials lost approximately €250 million in sales and €80 million in operating income as a result of nearly one month of downtime (Marsh & McLennan)
- Traditional theft costs the industry £800m a year in the UK alone (Allianz Insurance)
As an industry, construction holds vast amounts of high-value information, from employee data to intellectual property, that cybercriminals can exploit for financial gain – or to satisfy other motives.
Imagine if someone gained unauthorised access to the design files for a bridge under construction. Altering a single measurement could affect the bridge’s load-bearing capacity and sow the seeds of a future disaster.
If the objective is blackmail rather than sabotage, the construction firm could find itself held to ransom in return for revealing which data had been manipulated.
Other industry-specific risks include:
A mobile workforce
Construction sites often incorporate temporary facilities like cabins and trailers with workers connecting remotely to business networks via laptops and handheld devices. IT security measures at remote sites are often weaker than back at HQ. And if a BYOD policy is in place, workers have access to critical systems on their own devices from inherently insecure connections. The potential for a data breach under those conditions increases exponentially.
High employee turnover
Construction work can be temporary and involves employing contractors and sub-contractors at every level. That makes it harder to arrange and deliver uniform IT and cybersecurity training, police policies, and monitor access permissions as employees rapidly come and go.
Ecosystem vulnerabilities
Construction projects typically involve collaboration between professionals from different disciplines, as well as stakeholders such as investors and owners. Plans, CAD files, blueprints, sensitive financial information, and employee records may all have to be shared outside the company. Integrated construction and business/IT systems can be a treasure trove of data for attackers.
Add compliance as another concern. As an industry, construction is well accustomed to working within strict regulatory rules, but now has the added burden of following the rules around data storage and protection under GDPR.
Scale of the risk
In an analysis released last year, cybersecurity firm RepKnight found more than 600,000 stolen company credentials from the UK’s leading construction, architecture and property firms openly available to criminals on the Dark Web.
Over 450,000 of the breached credentials were from large construction companies. More than 110,000 came from leading UK architecture firms and just over 47,000 were associated with property developers.
These breached credentials have the potential to enable unauthorised access to corporate networks and shedloads of sensitive corporate data, from bids and tenders, to proposals, plans, drawings and client data.
Cybercriminals know this well. They also know that construction businesses often have high cash-flow, potential liquidity that makes them an even more appealing target.
Why a focus on employees is the key to stronger security
The construction industry lags behind others when it comes to taking cyber seriously. In some cases firms face a chronic lack of IT staff, inadequate budgets, and a degree of employee and management indifference to cyber threats.
Firms may tend to underestimate their value as potential targets, so not enough is invested in cyber defence, leaving systems more vulnerable to breach.
Construction is underinvesting in cyber technology, and also needs to raise its level of investment in people.
Given construction’s highly mobile and transitory HR environment, ensuring that employees and contractors get the message about IT rules and procedures is crucial. There are still many people who don’t understand the damage they can do by clicking the wrong link.
With cybercriminals getting better at making their breach attempts look perfectly legitimate, training is essential to reducing the chances of a successful hack.
Human error – like clicking the link in a well-crafted phishing email – enables more hacks than it should. But even the best scams have telltale signs that are detectable when people have been taught to spot them.
As the construction industry continues to get to grips with cyber risk, firms could quickly build more resilience into their defence posture by creating a culture of security awareness.
Contractors and cyber-thieves are locked in a long-term struggle where the weapons and tactics change monthly. Unless someone invents a box that finally makes devices and networks impenetrable, treating cyber risk as a daily management challenge – and enlisting your own people to help – is the blueprint for secure sites and systems.