Construction Industry Cyber Risks

December 27, 2023

Many companies in the construction industry already adhere to strong risk management standards, focusing on the prevention and containment of workers’ compensation, property, liability and auto claims. Now, it’s important to devote equal attention to cyber exposures. 

Cyber Threats in Construction

Construction industry technology is advancing. While this can improve safety and efficiency, it also creates more cybersecurity exposures.

The National Center for Construction Education and Research says the building sector is going through a major shift driven by technology. Changes include the adoption of robotics, automation, augmented reality, and Internet of Things (IoT) devices. As these new technologies become integral to the construction sector, threats to these systems could put general operations at risk.

According to Equipment World, hackers target construction companies for numerous reasons, including the industry’s relatively lax cybersecurity standards and its dependence on data and digital systems. Even if hackers can’t use your data, they may try to extort payment from you by holding your data and systems hostage.

Common Construction Industry Cyber Risks

Risk managers in the construction sector should be aware of several common cybersecurity risks, including:

  • Phishing. It’s reasonable to assume that everyone has received phishing emails and text messages from scammers posing as legitimate contacts to trick them into clicking on malicious links or providing sensitive information. However, phishers also target companies. Successful phishing attempts can give hackers the access they need to steal data or launch attacks. According to IBM, phishing is the most common vector for cyber infections, responsible for 41% of all attacks.
  • Ransomware. You may associate ransomware with the healthcare, financial, and manufacturing industries, but businesses in any sector are vulnerable. In fact, construction companies are targets much more often than you might expect. NordLocker identified the construction sector as the most targeted industry in 2021. Ransomware attacks can shut down computer systems and the operations that depend on them, potentially delaying projects and leading to missed deadlines.
  • Data Breaches. IBM says a data breach costs $4.45 million on average, as of 2023. Although construction companies might think they don’t have data that would be tempting to hackers, they might store more sensitive data than they realize, such as employee and customer records. Therefore, data security in construction is critical.
  • Invoice Fraud. Invoice fraud is a growing construction industry exposure in which bad actors invoice your customers using your spoofed invoices with their own payment links. The customer sees your logo and pays the bill, unknowingly sending payment to a fraudster’s account. While this type of fraud doesn’t always involve a cybersecurity breach, it can easily be executed by hackers who have access to your customer list, invoice templates and other billing details.

Future Trends in Construction Industry Cybersecurity

In the near future, construction cybersecurity risks will likely increase due to technological advancements in both the construction sector and cyberattack tactics.

According to Deloitte, the engineering and construction industry will leverage generative AI and other new technologies to improve schedule optimization, cost controls, safety, compliance, quality assurance, and project design.

In addition to becoming more reliant on technology, construction firms are using a larger number of IoT devices. As a result, there are more targets for hackers. According to Forrester, one-third of global security decision-makers identify corporate IoT devices as the top target for external cyberattacks.

Meanwhile, hackers can leverage cutting-edge technology (including new generative AI tools) to compose phishing emails, write malicious code, and crack passwords. CNBC says generative AI tools have already been linked to an increase in malicious phishing attacks.

The good news is that construction firms can also leverage AI to fight cyberattacks. HubSpot says AI cybersecurity can predict, identify, and neutralize cyber threats.

The Cost of Cyber Incidents

Investing in cybersecurity may be a wise strategy in light of the massive costs associated with cyberattacks. A report from Sophos shows that it cost an average of $1.82 million to recover from a ransomware attack in 2023, and that doesn’t even include any ransom paid.

Regulatory costs increase expenses, as companies are often required to notify individuals impacted by a breach or are held responsible for failing to keep data secure. According to The Record, a British construction company was fined approximately $5 million by the U.K.’s data protection regulator after a ransomware attack exposed sensitive data on 113,000 employees. In the U.S., companies could run afoul of new state data breach notification laws. For example, California’s privacy enforcement actions include numerous multimillion-dollar fines, some of which are connected to phishing attacks and data breaches.

The Importance of Protecting Construction Data

In addition to recovery and regulatory costs, construction firms may face many indirect costs that are harder to calculate but still significant.

Business interruption is a serious risk. Recovery can take days, weeks, or even months. Following a ransomware attack, Sophos says 47% of construction companies lost a lot of business and revenue, whereas 46% lost some business and revenue.

For the construction sector, business interruption can lead to project delays, which can result in missed deadlines and breached contracts. The reputational harm may be even more detrimental in the long run. Although customers might see the companies that suffer ransomware attacks as victims, ransomware is a known risk and companies are responsible for keeping their systems safe. If you’ve demonstrated lax cybersecurity in the past, other companies may become wary of working with you.

Best Practices for Cybersecurity in Construction

You can reduce the chance of a cyber incident and minimize your losses by following proactive cybersecurity best practices:

  • Work with a data security consultant. Bring in an expert to conduct a cybersecurity risk analysis to fix vulnerabilities before hackers find them. This approach will also show potential partners and clients that you are serious about cybersecurity.
  • Prioritize cybersecurity from the top down. A common mistake is to assume that only the IT department needs to worry about cybersecurity. Since many attacks target individual employees, this approach doesn’t work. Just as physical safety is everyone’s responsibility, so is cybersecurity. Train your workers on cybersecurity best practices, such as using multifactor authentication, avoiding malicious links, and updating systems.
  • Consistently follow up with your team. Cybersecurity training isn’t a one-and-done effort. Regularly remind employees of best practices and warn them of potential threats. Your cyber insurance partner can help you educate and test your employees.
  • Include all devices in your cybersecurity efforts. You might be surprised by how many devices you have on a construction site and in your offices. Any IoT device, laptop, and other portable device with internet access could create an open door for hackers.
  • Proactively communicate your invoicing practices. To help control the risk of invoice fraud, clearly communicate your invoicing practices up front so customers know what to expect and are better equipped to spot spoofed invoices.
  • Develop a cyber incident response plan. By being prepared, you can speed up your response and recovery.

Do You Have the Right Cyber Insurance?

Travelers reports that 52% of construction companies lack cyber insurance. If a cyberattack impacts your company, cyber insurance can cover many of the costs while also helping you navigate the situation in a way that mitigates the damage.

Contact the team at Watkins Insurance Group to review your options for cyber insurance. We’re here to help.