Closing security gaps can help construction firms fend off cybercriminals

Modern construction companies have come to depend more on digital resources to get projects built. But a risk of cyberattacks comes with these technological advances.

Even though the construction industry traditionally has relied more on brick and mortar than networks and data, it’s no less vulnerable to hackers than other business sectors. In fact, construction firms might be even at more risk.

Since the industry has lagged in transitioning to modern technology, it’s also been slower to incorporate systems and protocols to protect against malware and data breaches. The end result is security gaps that leave construction firms’ networks susceptible to cybercriminals.

These breaches can be costly for companies. The average cost of a data breach was $4.24 million in 2021, a 10% increase over the previous year, according to research by IBM Security.

What’s more, a data breach can drag on for months unbeknownst to anyone in the company. IBM’s research found it took 287 days on average in 2021 to identify and contain a data breach. That’s seven days longer than the previous year’s average. And the longer it takes to identify and contain a breach, the bigger the company’s financial hit.

Here’s a guide to what types of breaches you should be aware of and the steps your company can take to protect itself.

How cybercriminals attack

Hackers can compromise your company’s network and sensitive information by identifying weak spots in your systems. These are a few of the strategies they use.

• Phishing: One of the most common schemes cybercriminals use is sending legitimate-looking emails to employees to trick them into installing malicious software or disclosing personal information, passwords, or banking information. According to Verizon’s 2018 Data Breach Investigations Report, phishing schemes and other forms of social engineering, such as fake ads, caused 93% of all data breaches.
• Ransomware and malware: The construction industry ranked third among North American industries in 2020 for reported ransomware attacks, with 13.2%of firms reporting at least one attack, according to research by Lumu. Hackers can use malicious software to gain access to assets such as intellectual property, building specifications, financial data, and even cranes and other construction equipment — and then hold them for ransom.
• Fake websites: Hackers often create spoof sites and email addresses to access your company’s network.
• Third-party vulnerabilities: Industry experts estimate third parties and vendors cause nearly two-thirds of security breaches. Cybercriminals exploit vulnerabilities such as weak passwords, unsecured hardware, cloud connections, and other third-party relationships.
• “Zombie network” attacks: Cybercriminals use a “zombie network” of bots to carry out what’s known as a Distributed Denial of Service, or DDoS, attack. In this type of attack, cybercriminals use these bots to flood a company’s server with internet traffic and disrupt its network. This traffic jam can prevent a company’s systems from functioning.

Risks of cyberattacks

When construction companies are hacked, they risk losses in several ways, including, but not limited to:

• Missed bid opportunities
• Business interruption
• Stolen blueprint designs
• Customer information theft
• Espionage by competitors
• Theft of financial records
• Sensitive information and contract details
• Theft of employees’ personal information and banking details

Build your defense against cyberattacks

Just as construction companies follow strict protocols to ensure job site safety, they also need to develop practices to help them avoid falling prey to a cyberattack. Here are a few bases to cover:

• Assess your risk. Identify sources of potential risk that could threaten your organization. Determine how your employees access critical systems and sensitive information.
• Update passwords. Aim to change them every 90 days, and always use secure, unique passwords.
• Invest in antivirus software. This will help protect your company from malware and other attacks.
• Keep your hardware and software up to date. Regularly update firewalls and install the latest security updates.
• Back up your data. Store backups of your firm’s critical information and applications offline in case your systems are compromised.
• Train your team. Educate your employees on how to identify and report suspicious network activity.
• Consider cyber insurance. You can purchase insurance to protect your company’s information assets and cover the costs incurred from business interruption, breaches, and cyberextortion.
• Monitor third-party risks. Ensure there are adequate security protocols for third parties that must access your data.
• Secure shared resources. Implement security controls for file sharing and create separate Wi-Fi networks for subcontractors.
• Look into hiring a firm to do a security audit. An outside firm can help you pinpoint any weak links in your company’s systems.

Protecting your business from cybercriminals can feel overwhelming. If you don’t know where to begin, our team of professionals can offer guidance and resources to set you on a path toward a secure cyber environment.