Cyberattacks pose a serious risk to the construction industry. Here’s how to mitigate the risk. By Carl Cadregari
Ransomware poses a risk to every industry nationwide; however, the construction industry faces heightened and unique challenges that make mitigating the risk of a breach even more critical. Demonstrating this, NordLocker recently analyzed 1,200 companies in 35 industries worldwide that were victims of cyber extortion between 2020 and 2021, and found that construction suffered more attacks than any other industry. In an industry that relies heavily on confidential documents such as drawings, contracts, budgets, and engineering notes, a cyberattack can mean anything from protected information being leaked outside the company to project teams being locked out of the documents they need to finish a job.
As cyber criminals have grown more sophisticated, the potential damage and cost of a successful attack are more worrying and disruptive than ever. A US Government interagency report cites an estimate that cybercrime will cost businesses worldwide over $6 trillion a year in damages.
Thankfully, as these attacks have become more common, industry experts have gathered more intelligence about how to prevent them and how to recover quickly if your construction business does fall victim to a breach.
Stay up-to-date on data privacy and cybersecurity laws
Data protection and privacy regulations change constantly. To stay compliant, construction developers and leaders should review, at least annually, what data they hold and how it is handled against the current guidance, and confirm that the proper safeguards are in place. A documented process for that review keeps it efficient and repeatable. Those busy with ongoing projects, or not comfortable assessing their data themselves, can engage a third-party cybersecurity vendor so that the review and any updates are done by experts, on time and accurately. If you do engage a vendor for a task this important, make sure it understands your expectations around security and can show that it meets your mitigation standards.
Conduct regular internal risk assessments
Do you have user authentication in place on every system? Are passwords long, unique to each system, and never shared? Are there accounts that nobody uses anymore? These are a few of the simplest questions construction leaders should ask themselves regularly to avoid easily prevented breaches. One of the biggest mistakes leaders make is storing all important documentation on a single device with no external backup. The damage from a ransomware attack is limited when critical contracts, sketches, plans and other records are saved in multiple locations. Follow the ‘3-2-1’ rule: keep at least three copies of important data, on two different kinds of storage media, with at least one copy offsite. An external hard drive is a good second medium only if it is disconnected once the backup is done; a drive that stays plugged in is encrypted along with everything else when ransomware runs, so keep at least one copy offline or in immutable storage, and periodically test that you can actually restore from it. Lastly, pay attention to security breach alerts and consider implementing an Endpoint Detection & Response (EDR) solution and Mobile Device Management (MDM) application for proactive threat identification.
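The 3-2-1 check above can be made mechanical. The following script is an added example and is not code from the article or its author: it walks a source folder and each backup copy, confirms the three-copies / two-media / one-offsite rule plus the offline-copy caveat, and hashes every file so a backup that ransomware has already overwritten is reported rather than trusted. The directory layout, the copy metadata (media type, offsite and offline flags) and the sample files are all constructed inside the script so it runs offline.

```python
"""Check a backup set against the 3-2-1 rule and verify each copy's contents.

Added example, not part of the original article. The sample files, the
media labels and the offsite/offline flags are constructed assumptions.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass
class BackupCopy:
    path: str        # root directory of this copy of the data
    media: str       # storage medium, e.g. "ssd", "external-disk", "tape", "cloud"
    offsite: bool    # kept at a different physical location than the source
    offline: bool    # disconnected or immutable, so malware on the LAN cannot write to it


def tree_hashes(root):
    """Map each regular file under root (by relative path) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def check_321(source, backups):
    """Return a list of findings; an empty list means the backup set passes.

    Checks the 3-2-1 rule (three copies, two media, one offsite), requires at
    least one offline copy, and compares every backup's files with the source
    by hash so a silently corrupted or encrypted copy is caught.
    """
    findings = []
    copies = [source] + list(backups)
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies of the data, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"every copy is on the same medium ({next(iter(media))}), need 2 kinds")
    if not any(b.offsite for b in backups):
        findings.append("no offsite copy")
    if not any(b.offline for b in backups):
        findings.append("no offline copy: a backup drive left mounted is encrypted with the source")
    expected = tree_hashes(source.path)
    for b in backups:
        actual = tree_hashes(b.path)
        missing = sorted(set(expected) - set(actual))
        differs = sorted(f for f in expected if f in actual and actual[f] != expected[f])
        if missing:
            findings.append(f"{b.media} copy at {b.path} is missing {missing}")
        if differs:
            findings.append(f"{b.media} copy at {b.path} does not match source for {differs}")
    return findings


def demo():
    """Build a constructed source and two backups in a temp dir and check them."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    try:
        src = os.path.join(root, "projects")
        os.makedirs(src)
        with open(os.path.join(src, "contract.pdf"), "wb") as fh:
            fh.write(b"sample contract bytes")
        with open(os.path.join(src, "site-plan.dwg"), "wb") as fh:
            fh.write(b"sample drawing bytes")

        # External drive that stays plugged in: onsite, online, and one file has
        # been overwritten, as a ransomware run across mounted drives would do.
        ext = os.path.join(root, "usb-drive")
        shutil.copytree(src, ext)
        with open(os.path.join(ext, "site-plan.dwg"), "wb") as fh:
            fh.write(b"ENCRYPTED")
        # Offsite, immutable object-storage snapshot that matches the source.
        cloud = os.path.join(root, "cloud-snapshot")
        shutil.copytree(src, cloud)

        source = BackupCopy(src, "ssd", offsite=False, offline=False)
        usb = BackupCopy(ext, "external-disk", offsite=False, offline=False)
        snap = BackupCopy(cloud, "cloud", offsite=True, offline=True)
        return {
            "full_set": check_321(source, [usb, snap]),   # one finding: the tampered USB copy
            "usb_only": check_321(source, [usb]),         # fails count, offsite, offline, integrity
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["pass"])
```

Run it on a real backup set by replacing the constructed directories in `demo()` with the mounted paths of your copies; the hash comparison is what turns "we have backups" into "we have backups we can restore from".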
Block unauthorized user access
The more sensitive the data, the harder it should be to reach. Whether that means limiting credentials to a few designated gatekeepers, granting each user only the access their role requires, or requiring multifactor authentication, it should never be a simple task to find and read confidential materials and communications. Also set up a swift, reliable process with your human resources or administrative team to revoke an employee’s credentials immediately upon termination or voluntary departure, and confirm that the revocation covers every system, including cloud applications, shared mailboxes, VPN and other remote-access accounts. While you hope a former employee would respect the confidentiality of your data, it is best not to leave that to chance.
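An offboarding process only works if someone checks that it ran. The script below is an added example, not code from the article: it reconciles an HR roster export against a directory or single-sign-on account export and flags accounts that are still enabled after their owner's termination, accounts with no matching employee (orphaned or unowned service accounts), and, going slightly beyond the text, accounts nobody has logged into for 90 days. The two CSV exports, the column names, the 90-day dormancy threshold and the review date are constructed assumptions for illustration.

```python
"""Reconcile directory accounts against the HR roster to catch access that
should have been revoked. Added example, not from the original article; the
sample CSV exports, column names and thresholds are assumptions.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample data. In practice these come from the HRIS export and
# from the directory or identity provider's user export.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
1001,Ana Ruiz,active,
1002,Ben Okafor,terminated,2024-03-15
1003,Chen Wei,active,
"""

ACCOUNTS_CSV = """username,employee_id,enabled,last_login
aruiz,1001,true,2024-05-28
bokafor,1002,true,2024-03-14
cwei,1003,true,2024-01-02
svc-plotter,,true,2023-11-30
contractor7,9999,true,2024-05-20
"""


def parse_csv(text):
    """Parse a CSV export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster_rows, account_rows, today, dormant_days=90):
    """Return (username, reason) findings for enabled accounts that need action.

    Flags: enabled accounts whose owner is terminated in HR, accounts whose
    employee_id is absent from HR, accounts with no owner at all, and accounts
    with no login for more than dormant_days.
    """
    roster = {r["employee_id"]: r for r in roster_rows}
    findings = []
    for acct in account_rows:
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to revoke
        emp_id = acct["employee_id"].strip()
        owner = roster.get(emp_id) if emp_id else None
        if not emp_id:
            findings.append((acct["username"], "no owner recorded: assign an owner and review the account"))
        elif owner is None:
            findings.append((acct["username"], f"orphaned: employee_id {emp_id} is not in the HR roster"))
        elif owner["status"] == "terminated":
            findings.append((acct["username"],
                             f"still enabled after termination on {owner['termination_date']}: disable now"))
        last_login = datetime.strptime(acct["last_login"], "%Y-%m-%d").date()
        idle = (today - last_login).days
        if idle > dormant_days:
            findings.append((acct["username"], f"dormant: no login for {idle} days"))
    return findings


def demo():
    """Run the reconciliation over the constructed exports as of 2024-06-01."""
    return reconcile(parse_csv(HR_ROSTER_CSV), parse_csv(ACCOUNTS_CSV), date(2024, 6, 1))


if __name__ == "__main__":
    for username, reason in demo():
        print(f"{username}: {reason}")
```

Schedule a run of this check against fresh exports each week and treat every "disable now" line as an incident in the offboarding process, not just an account to close; the point is to find out why the revocation did not happen.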
Train your employees & hold them accountable
Today every onboarding schedule should include a cybersecurity component, followed by annual training so that security measures stay top of mind for employees. Once they know the basics and the warning signs of an attack, test their understanding with simulated phishing emails. Whenever baseline controls change, notify employees right away so they can do their part in protecting sensitive data. Human error is inevitable, so leaders should add layers of protection that do not depend on a perfect user, such as locking accounts after repeated failed login attempts and encrypting critical files.
Lean on your peers
The global construction industry is a massive community, and others in the trade almost certainly share your concerns and experiences with cybersecurity. Participating in information-sharing forums, sitting in on speaker sessions, or simply talking with a former business partner can help construction leaders stay current on the latest threats, learn from the mistakes of others, and find mitigation tactics with proven results. Another resource is the guidance published by the US Computer Emergency Readiness Team (US-CERT), now part of the Cybersecurity and Infrastructure Security Agency (CISA).
Even with the strongest controls and prevention programs in place, a cyberattack is always a possibility, especially in a high stakes industry like construction. However, having the proper mitigation plans, training, and tools in place to protect your data can minimize damages and avoid costly disruptions.
Disclaimer: The summary information presented in this article should not be considered legal advice or counsel and does not create an attorney-client relationship between the author and the reader. If the reader has legal questions, it is recommended they consult with their attorney.
Carl Cadregari is an Executive Vice President in the FoxPointe Solutions Information Risk Management Division of The Bonadio Group. He has more than 28 years of experience providing actionable technology, cybersecurity and data governance architecture, controls auditing and general cybersecurity planning. His experience includes over 18 years in regulatory auditing and standards compliance assessments, developing and executing programs predicated upon ensuring that client computer controls are functioning.