By Clive Madders
With every passing year, businesses are becoming increasingly reliant on digital technologies to streamline operations and delivery of services and, although slower paced, the Construction industry is no exception. Major assets like designs and data are now stored online and some firms are starting to adopt AI technologies, putting them at greater risk of cyber attack. These attacks have been rising quickly, increasing by 800 percent between 2019 and 2020, according to one study.
One of the most damaging threats facing the Construction sector are ransomware attacks, where a hacker will breach a company’s system and prevent them from accessing their own data, usually by encrypting it. The bad actor will then demand the payment of a ransom in order for this access to be restored. French construction firm, Bouygues, was hit by the popular maze ransomware in 2020, with hackers threatening to release 200GB worth of stolen data to the dark web. However, following standard guidance in these cases, Bouygues chose not to bow to the hackers’ demands.
As with many other sectors, social engineering remains a prominent threat. Phishing attempts are growing more sophisticated and cyber awareness among employees is unfortunately still lacking. Hackers use social engineering tactics like phishing to trick staff into providing sensitive information or downloading malware onto company systems. These attacks can often lead to fraudulent wire transfers, where the hacker uses a breached employee’s account to intercept communications with a payor and direct funds into their own account.
Short Term/Long Term Consequences
The consequences of a data breach for a construction firm can be serious. Although financial losses are difficult to come to terms with, the real lasting impact comes from damage to a firm’s reputation as a result of the attack. Data breaches may harm relationships with current clients, particularly if a hacker has been communicating with them disguised as an employee, but winning future contracts may also be harder for a company that has been victim to a cyber attack. Being seen as a company that is not able to keep its data secure has a strong impact on their credibility and this trust is hard to win back.
Attacks also tend to have a negative effect on a business’ ability to deliver their services, forcing operations to be put on hold while the incident is investigated and systems are restored securely. This is particularly harmful for construction companies needing to meet strict project deadlines.
Facing the Threat
How can construction firms mitigate the cyber threat?
There is a lot at stake for a construction firm if they get targeted by a cyber attack, so assessing the risks and establishing an effective cyber security strategy that is proactive rather than just reactive, is crucial.
Ransomware can take advantage of any vulnerabilities exposed within a company’s systems, so identifying these weak areas and any security gaps should be the first stage of any preventative approach. Carrying out regular vulnerability audits will help to find out where you are leaving potential entry points open to hackers and generally remedial advice is provided for your in-house IT team or MSP to act upon. One of the most common risk areas that these audits highlight is out of date operating systems. When systems and software are no longer supported, they stop receiving important security updates and could be exposing vulnerabilities for hackers to exploit.
Construction firms should also be wary of any third-party company they share information with or who can access their systems as supply chains can offer a useful stepping stone for hackers. It is a good idea to have a supplier policy to ensure any potential suppliers are meeting certain security requirements before you enter into a working relationship with them.
Aligning with recognized cyber security standards is becoming another popular way of tackling these security basics as well as getting valuable input from cyber security experts. A good option for companies starting out on their cyber security journey is the Government’s Cyber Essentials. The standard checks organizations against five core controls which, if aligned with, can help to reduce risk by up to 80 percent. Achieving certifications like this also offers demonstrable proof of a business’ commitment to cyber security and data protection.
The Human Factor
Technical preventative measures are vital, but the weakest link of any company is always going to be its people, with 85 percent of breaches down to human error. This is often employees falling victim to social engineering hacks or using weak passwords. Access to important assets should be limited as much as possible to protect the data. This can be done by conducting risk assessments within the organisation to understand the value given to each kind of data held and how bad the damage would be if it was breached. Limiting user access to only what they really need means the access hackers would have is limited too should they succeed in breaching the employee’s account.
The human risk has been exacerbated now that so many of us are working from home or using personal devices as it is much harder to monitor or control activity and the line between professional and personal lives becomes a lot more blurred. Running cyber training sessions throughout the year to reinforce security best practices can help to minimize these mistakes in your workforce and encourage cyber vigilance. Often employees are unaware of how large a part they play in the security of their organization, but this awareness can be the key to their engagement, attitudes and behaviors.
Quick Response
Of course, every good cyber security strategy will also need to incorporate more reactive measures as nothing will ever grant you 100 percent protection. Being able to respond to an incident in an efficient and timely manner and minimise the disruption means that even if your company does get hit by an attack, you will be well prepared. It is important to make it clear to employees how and when to report an incident and who will be responsible for handling it. Data backups should be made and checked regularly as these can be crucial for restoring lost or stolen data in the case of a breach. At least one backup should be stored in an offsite location that is not connected to your main network. Finally, many companies may choose to invest in cyber insurance, providing coverage for things like extortion and business interruption.
Cyber security is an ongoing process, but the threat is going nowhere. As the Construction industry goes more digital and the risk increases, establishing a strategy and investing time and money into it will go a long way towards protecting your firm. Focusing on a combination of technology and people and implementing both proactive and reactive measures is the answer to a strong cyber defence, putting your company in a good position as it faces the inevitable cyber threat.
Clive Madders is Chief Technical Officer and Assessor at Cyber Tec Security. With over 25 years’ experience in the industry, Clive has built up an extensive repertoire as an Enterprise Solution Architect, delivering managed ICT support services, cyber security certifications and advanced security solutions to help improve the cyber security maturity of businesses across the UK.