Cybersecurity in the Construction Industry – What You Need to Know

Risks, Policies, and Processes to Combat Cyberattack on Your Business

As we hurtle toward greater digitalization, cybersecurity in the construction industry is becoming increasingly critical. In a sector that employs more than 9.5 million people in the United States, contributing around 4.3% of the nation’s GDP, cyberattack is a real threat.

Are you at risk? The statistics say you are:

• Hackers attack every 39 seconds
• In 2018, more than 470 million online data records were exposed in the United States
• The average cost of a data breach is $3.86 million
• 63% of small and medium-sized businesses have experienced a data breach in the last 12 months
• 43% of SMBs have no cybersecurity plans in place

It’s not a question of if you will be attacked online. Cyber criminals are coming for you. The question is when:

• Are you one of the 43% of SMBs with no cybersecurity protection?
• Are you satisfied that your protection measures are strong enough to combat increasingly intelligent cyber criminals?
• What should you be doing to protect yourself, your vendors, and your customers from cyberattack?

You’re Attacked by Cyber Criminals – What Next?

The use of technology in construction is growing rapidly. Your employees are doing more work on connected devices (BIM, communication, invoicing) that expose your company to cyber threats. Should your business be breached, the damage caused could include:

• Downtime that halts your construction projects
• Theft of data, leading to loss of customers and potential loss of competitive advantage
• Loss of intellectual property, including blueprints and plans
• Damage to property and equipment that could lead to physical injury

You could be at risk of legal consequences and litigation because of mismanagement of personal data. A cyberattack may lead to damage to your reputation, loss of customers and sales, and a collapse in revenues.

How bad can things get? U.S. Securities and Exchange Commission data collated in 2015 concluded that ‘60% of SMBs that suffer a cyberattack go out of business within six months’.

Where Are the Biggest Liabilities in Cybersecurity in the Construction Industry?

According to the 2020 Verizon Data Breach Investigations Report, 67% of all 2019 confirmed data breaches were due to leaked user credentials, misconfigured cloud assets and web applications, and social media attacks, such as phishing.

What Should You Do?

In the war against cyber criminals, it is essential to implement a cybersecurity policy that puts in place controls and processes designed to thwart attacks. You should:

• Identify which of your assets must be protected
• Assess the risks to those assets
• Decide on your cybersecurity approach
• Budget to invest in your protection against your critical risks

Always Start with Your People

Your people are your weakest link – they always are in the digital space. You should train your people in good cybersecurity practices; provide and update key information; and make sure that all your people know what to do if a security breach has taken place, or they suspect a breach is being attempted.

Here are a few questions you should address:

• Do your systems require multi-factor authentication to reduce the risk of exposure?
• Do you have a suitable strategy to secure your digital assets?
• Have your people received comprehensive training about cybersecurity?
• Are your back-end applications protected against common security threats from front-end access?
• Do you have appropriate in-house skills to drive your cybersecurity program?

It is important to recognize that cybersecurity is an ongoing need. You must keep up to date with the evolution of threats to an increasingly digitalized construction industry. Risk assessments should never be seen as a one-off event.

5 Key Cybersecurity Areas to Cover

When developing your cybersecurity policy and processes, there are many areas you must address. These five key areas provide a useful starting point from which to design a comprehensive package of security measures:

1.     Network Security

Police the network perimeter, protect your internal network, monitor intrusions, and test your security controls.

2.     Risk Management (Information)

Establish a governance framework, produce risk management policies to support your efforts, and adopt a lifecycle approach.

3.     Risk Management (People)

Produce a user security policy, educate your people, maintain awareness of current and evolving threats, and manage user privileges. Assess the risks for people working on-site or from home, monitoring system access and traffic.

4.     Secure Configuration

Maintain inventories of hardware and software, conduct vulnerability tests, ensure you apply updates and patches in a timely manner, and create a policy to lockdown systems, servers, and routers set at a baseline of risk.

5.     Incident Management

Establish policies that ensure you monitor your IT infrastructure and all networks and systems within it. Continuously monitor network traffic to identify unusual activity that may indicate a cyberattack.

Cybersecurity in the Construction Industry – Don’t Be the Next Big Story

There have been several high-profile cases of cyberattack in the construction industry. Any breach of your infrastructure could be costly to your operations, reputation, and finances.

To mitigate against cyber criminals gaining access to your business and your data, it is crucial to develop comprehensive cybersecurity policies and processes, and have the right staff onboard to guide your organization.

Whether you wish to outsource your cybersecurity to a highly experienced and knowledgeable cybersecurity team, or hire on a contract or permanent basis, contact Pivot Workforce today.