Cybersecurity In Construction: How To Effectively Mitigate Cyber Risk

Seyfarth Shaw LLP

The construction industry’s reliance on digital data and devices has reshaped the construction process. When used properly, digital technology facilitates collaboration and increases productivity. However, growing dependence on digital innovation has also rendered construction companies a prime target for cybercriminals. The stark, inescapable reality is that the construction industry has been experiencing an alarming increase in cyber attacks over the last five years. Construction companies should mitigate the risk of cyber attacks by formulating a comprehensive plan that addresses the reasons why the construction industry is particularly susceptible to cyber attacks, anticipates methods used by cybercriminals, and proactively implements effective risk-mitigation tactics.

Why Is The Construction Industry Uniquely Vulnerable To Cyber Attacks?

In recent years, the construction industry has become one of the industries most frequently targeted by cybercriminals. One analyst found that cyber attacks on construction companies doubled from 2023 to 2024.[1] Between 2023 and 2024, phishing and ransomware attacks on construction companies increased by 83% and 41%, respectively.[2] Construction companies are attractive targets for cybercriminals for many reasons, such as:

Lack of Proper Training: Construction companies traditionally focus on mitigating their many commercial and legal risks. This has led many of them to neglect cybersecurity training, rendering the workforce susceptible to phishing and other cyber scams.

Frequent Changes in Personnel: Construction’s high rate of labor turnover compared to other industries exacerbates gaps in cybersecurity training and creates a perception that the benefits of training and awareness are fleeting.

Networks Of Project Participants: The network of diverse project participants (design professionals, contractors, subcontractors, suppliers, sureties, owner representatives) gives cybercriminals an array of access points to project data and can make it difficult to reliably manage data security within the network.

The Nature of the Data: Construction companies possess valuable and confidential data such as financial records, payment details, banking credentials, and payroll information, as well as proprietary design documents and bid data.

Time-Sensitive Decision Making: When “time is of the essence,” as it always is in construction, industry participants may prioritize speed over security, which can render cyber risk a secondary concern or an afterthought.

Outdated Software and Systems: Many contractors use legacy software and IT systems that are not regularly (or cannot be) updated with the security patches that close known, exploitable vulnerabilities.

Inadequate Cybersecurity Budgets: Smaller construction companies, and even some larger outfits, view investments in cybersecurity as unnecessary deductions from their bottom line.

Focus on Physical Safety: The traditional “security” concerns of contractors include compliance with OSHA, protection of materials and equipment, and securing the job site against workplace injuries, which can sometimes blind contractors to intangible cyber threats.

Regulatory Compliance Challenges: The construction industry must navigate cybersecurity regulations regarding, for example, confidential employee data, which vary by jurisdiction, change over time, and often impose harsh penalties for noncompliance.

How Do Cybercriminals Attack Construction Companies?

Cyber attacks are often perpetrated by sophisticated criminal organizations whose primary targets are construction companies. These well-funded organizations typically employ a team of cybercriminals that includes researchers, software engineers, and operational planners. Recent high-profile cyber attacks on construction companies include a $9 million ransomware attack on a Canadian contractor and another on a Chicago-based contractor that adversely impacted more than 1,000 people. The good news is the methods employed by these organizations are well known within the cybersecurity community:

Phishing attacks occur when fraudulent emails from accounts posing as known entities mislead employees into revealing sensitive information. For example, mimicking an email from an equipment supplier could induce an employee to share financial information with a cybercriminal.

The term “social engineering” refers to a situation where an individual is psychologically manipulated into divulging confidential company information or unwittingly forfeiting control of an entire operating system. For example, an attacker convinces a contractor to misdirect a payment by successfully impersonating a vendor’s accountant who is requesting settlement of outstanding accounts receivable.

Ransomware attacks are one of the most common and successful forms of cyber attacks on the construction industry. In a ransomware attack, the construction company is forced to make a substantial payment to access data locked down by malicious software that a cybercriminal installed in the contractor’s IT system. For example, a contractor pays a significant ransom because its project managers’ inability to access the project drawings threatens to delay the project and expose the contractor to liquidated damages.

Malware attacks involve the use of malicious software to infiltrate IT systems, steal data, or disrupt operations. Such attacks are similar to ransomware attacks, the primary differences being that the victim often has no knowledge of the attack until being notified by affected third parties such as banks or employees, and the attacker has no intent to return the stolen data to the victim. For example, the cybercriminal sells sensitive financial data that it obtained from a project manager who downloaded malware disguised as legitimate software.

Fraudulent invoices are deceptive bills that trick organizations into making unauthorized payments. For example, a hacker uses an email address similar to the supplier’s email address to deliver a false invoice that mimics the supplier’s genuine invoices.

Which Risk-Mitigation Tactics Enhance Cyber Security?

As cyber attacks on construction companies escalate, it is imperative that construction companies proactively safeguard their operations. Implementing the following tactics will help mitigate the risk that a cyber attack will be successful:

Cyber Education: Comprehensive cybersecurity training with regular updates is one of the most effective ways to mitigate cyber risk. Educated staff are far less likely to fall victim to cyber scams. Many companies offer cybersecurity training that can be tailored to a company’s specific needs, including KnowBe4, SANS Institute, and the Center for Information Security Awareness.

Routine Risk Assessments: Cyber risk assessments and ongoing evaluations of cybersecurity protocols enable companies to continually improve their cybersecurity defenses.

Cybersecurity Technology: Antivirus, anti-malware, intrusion-detection, and data-encryption software protect sensitive data by preventing data breaches.

Data Backup and Recovery: Reliable, frequent, and secure data backup protocols expedite the recovery of data after a cyber attack.

Multi-Factor Authentication: MFA enhances the security of a username/password with additional verification factors such as a one-time passcode sent via text or email.

Software Updates: Mandating the prompt installation of software updates with the latest security patches eliminates known vulnerabilities that cybercriminals exploit.

Contractual Call-Back Requirements: Requiring verbal verification of wiring instructions prior to any and all payments prevents fraudulent wire transfers.

Incident Response Plan: IRPs document processes and procedures that manage how a company responds to a cyber attack. The primary goal of an IRP is to reduce the time it takes to identify, contain, and remediate an attack.

Cybersecurity Experts: Cybersecurity professionals tailor cybersecurity measures to a company’s unique digital environment.

Cyber Insurance: Cyber insurance policies protect against the costs and fees associated with cyber breaches. The financial impact of a successful attack includes costs to retain forensic investigators and legal counsel, absorb business interruption losses, comply with statutory notification and credit-monitoring requirements, and/or make a ransom payment if the attack involves ransomware.

Contractual Limitations of Liability: Robust limitations of liability in a contract can, for example, cap or shift liability for cyber attack damages.

Indemnity Agreements: Carefully review indemnity clauses to determine who bears responsibility for securing data and managing cybersecurity losses.
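The fraudulent-invoice scenario and the contractual call-back requirement described above can be enforced in an accounts-payable workflow. The following is an added illustration, not code from the original article or from Seyfarth Shaw; the supplier allowlist, domains and account identifiers are constructed sample data, and the lookalike-domain check uses a simple edit distance plus a few common character substitutions as an assumed heuristic.

```python
"""Screen an emailed supplier invoice for a lookalike sender domain and for
unverified changes to banking details (constructed sample data, not production code)."""

# Constructed allowlist: supplier domains the company has done business with and the
# bank account confirmed for each by a call-back to a phone number already on file.
SUPPLIERS = {
    "acme-steel.com": "ACCT-1001",
    "northside-concrete.com": "ACCT-2002",
}

def normalize(domain: str) -> str:
    """Collapse common lookalike substitutions (rn->m, 0->o, 1->l, vv->w) before comparing."""
    return (domain.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w"))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, known: dict, max_distance: int = 2):
    """Return the known supplier domain that `domain` imitates, or None if it resembles none."""
    for candidate in known:
        if edit_distance(normalize(domain), normalize(candidate)) <= max_distance:
            return candidate
    return None

def screen_invoice(sender: str, bank_account: str, callback_verified: bool) -> tuple:
    """Decide whether accounts payable may release payment on an emailed invoice.

    Returns (decision, reason) with decision in {"APPROVE", "HOLD", "REJECT"}.
    `callback_verified` is True only when a person confirmed the banking details by
    phone, using a number from the supplier record rather than one taken from the email.
    """
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in SUPPLIERS:
        imitated = lookalike_of(domain, SUPPLIERS)
        if imitated:
            return "REJECT", f"sender domain {domain} imitates known supplier {imitated}"
        return "HOLD", "unknown supplier; verify by phone before any payment"
    if bank_account != SUPPLIERS[domain] and not callback_verified:
        return "HOLD", "banking details differ from record; call-back required"
    return "APPROVE", "sender and banking details match the verified supplier record"
```

Every HOLD or REJECT should be logged and routed to a person; the check is a gate before payment, not a replacement for the verbal verification itself.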

Conclusion

While cyber risks in the construction industry are substantial, they are not insurmountable. The key is to be proactive by implementing as many cyber risk-mitigation tactics as possible, as soon as possible. With proper planning, training, technology, and risk management, even a traditionally analog industry like construction can build a strong defense against digital threats. Mitigating those threats will ensure business continuity, protect the valuable data and IT systems that drive modern construction projects, and help ensure projects are completed on time and on budget.


[1] Iacono, Laurie, et al., Q1 2024 Threat Landscape Report: Insider Threat and Phishing Evolve Under AI Auspices, Cyber Threat Intelligence Reports (May 22, 2024), available online at: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q1-2024-threat-landscape-report-insider-threat-phishing-evolve-under-ai

[2] Dilgen, John, Report Shows Ransomware Has Grown 41% for Construction Industry, Reliaquest (Nov. 12, 2024), available online at: https://www.reliaquest.com/blog/report-shows-ransomware-has-grown-41-for-construction-industry/
