Bricks, concrete and data leaks: why the construction industry is prone to cyberattacks
Traditionally, construction companies don’t stand at the bleeding edge of IT. Most construction firms don’t have massive IT departments, and very few have more than the basics in place for managing data security. Most construction managers believe they won’t be targeted by hackers, but times are changing. Today, construction companies routinely handle sensitive client information and coordinate digitally with a host of third-party services and suppliers, creating both opportunity and incentive for cyberattackers to target them.
As an example, earlier this year, French multinational Bouygues Construction suffered a ransomware attack that forced the company to shut down its systems worldwide. For a construction company, even a short shutdown can have enormous cost ramifications.
But let’s talk specifics. Exactly what kind of cyber risks do construction companies really face? More to the point, what risks should they factor into their risk assessment?
Managing a fluid workforce
Construction teams and workers frequently move between worksites, relying on laptops, tablets, and smartphones to connect to business networks and manage communications. Since many workers are contractors or consultants, there is often a ‘Bring Your Own Device’ policy involved, which means making sure all data is appropriately secured can be quite the challenge. High turnover is another factor which makes standard types of cyber awareness training difficult. Many firms simply turn a blind eye to the security issues involved for the sake of convenience, but this can be a fatal mistake. All it takes is one breach for sensitive data to leak out, and the entire company could face a catastrophic shutdown. At the bare minimum, there needs to be a clear policy on passwords, user authentication and whitelisted devices.
Sharing sensitive data across multiple sites
Construction projects often involve teams from a variety of disciplines working together, along with stakeholders like owners and clients. Plans, blueprints, cost estimates, bids and employee records are shared across multiple sites and locations, frequently across different networks. Mismanaging this data can be a huge security risk. Construction companies need to make sure their data is shared securely, and that they stay fully compliant with government and industry regulations for security and insurance purposes.
Working with third-party contractors and suppliers
Your own network can be as secure as a fortress, but if your partners, suppliers or contractors aren’t secured, their vulnerability can compromise your defences as well. Vulnerabilities tend to have a cascade effect, and a single attack at any point, or on any vendor, in the supply chain can spread like wildfire. The only defence is to make sure your firm only works with companies or parties that have baseline cybersecurity practices in place. That means reviewing their certificates or security credentials before choosing to work with them.
What construction companies need to do to stay secure
Here are some actions construction firms can take to avoid making the front-page news for all the wrong reasons.
- Train employees and workers on how to spot, avoid, and report potentially malicious activity on your network. Awareness training is by far the single most powerful cybersecurity measure you can take.
- Encrypt and secure your devices. Laptops, smartphones, tablets and wearables all need to be properly secured and password protected.
- Regularly review and update firewalls and security patches. Consider using a VPN.
- Only work with security-accredited third parties.
- Develop detailed data breach response plans. Advance planning can help you contain the damage from a breach and also minimise any resulting claims or regulatory action you might face.
Any breach or interruption that disrupts critical workflows and operations can be a substantial loss to a construction project. Although the risk can’t be eliminated, it can be managed. Construction companies need to start seeing themselves as digitally enabled enterprises and accept the risks and the opportunities that come with that. Cyber threats aren’t going away, and as more and more construction firms adopt digital ways of working, the risks are only going to increase.