When it comes to cybersecurity, construction tends to fall behind other industries. The risks of phishing and ransomware are often discussed and thought to center around industries like finance, healthcare and big data; however, such risks are now prime for industries such as real estate and construction. Construction executives need to understand that the construction industry is a target, the cost associated with a cybersecurity attack and practical tactics to help mitigate risk. 

Why the Construction Industry Is a Target

Valuable Information. Cybersecurity has become a seemingly unavoidable topic in the last decade because the value and accessibility of data have risen. With respect to construction companies, cyber attackers may be after information they can sell or use for their own benefit, including employee information, investor information and financial information. According to Experian, the going rate for certain personal information on the dark web ranges on average from $1 per non-financial institutional login or Social Security number, to $2,000 per passport. 

Cyberattacks are not just after personal and financial information. Construction companies also house proprietary information that, if compromised, could undercut the competitive edge a company may have against its competition. Such information could include bid data, design materials pricing, profit/loss data, and other highly confidential information. 

Unprepared Systems. More often than not, construction companies, particularly small to midsize companies, have not taken adequate cybersecurity precautions despite having systems vulnerable to attack. Underlying the valuable information that such companies hold can be a multitude of systems including servers, software and hardware. Such systems could be provided by a third party or owned by the company itself. The vulnerabilities could be inherent to each system individually, or exist within the gaps between these systems. 

Information Sharing Practices. Of course, construction companies don’t live in a silo—information is often shared between developer and general contractor, between subcontractor and architect, and the like. Not to mention, information is often shared with third-party servicers like banks and accountants. Information is also shared within a company with employees, who could pose a security risk. 

The Cost of a Cybersecurity Attack 

There are a multitude of costs associated with a cybersecurity attack. First, there are significant costs associated with the forensics of an attack—that is, to determine what happened and what information may have been affected. Then, there are costs associated with recovery—costs associated with getting a network up and running again, recovering information and sending notices to various parties that a company under attack may have an obligation to notify. In addition, such attacks could cause a loss of trust from customers and business associates, resulting in a decrease in business opportunities and market valuation. Last, an attack can trigger legal fines and investigations (note: there are laws that require companies to have adequate security systems!), and broken contractual obligations can lead to lawsuits. 

Mitigation Tactics 

Cybersecurity, as a topic, can seem insurmountable and convoluted. While this is a common instinct, there are some mitigation tactics that businesses can employ to help untangle their risks: 

• Take inventory of software and hardware assets. The first step to mitigating cybersecurity risks should include taking inventory of the company’s software and hardware assets. This can include servers, printers, laptops and cell phones. Software can include programs and apps—for example, programs that assist with employee compensation or a backup cloud program. 
• Map out data flows. The next integral step is to map out the flow of data, which includes understanding what information the company encounters and what the company does with it. Take, for example, information about investors. When a potential investor approaches the company, the company likely collects a slew of confidential information—information about net worth, income, portfolio and contacts. Where is this information being stored? Is the company sharing this information? If the company vets investors through a third-party vendor, this information is being shared with them for that purpose, which should be reflected on the data map. 
• Establish a cybersecurity framework. After a company has built an understanding of its information assets and how data flows through them, management should choose a cybersecurity risk management framework. The Cybersecurity Framework provided by the National Institute of Standards and Technology (NIST) is a framework likely to serve construction companies well because of its thorough, customizable guidelines. In response to an executive order, NIST first published its CSF in 2014 to provide critical infrastructure organizations (healthcare, transportation systems, nuclear power) with best practices for reducing cyberattack risk. NIST helps organizations mitigate cybersecurity risk by identifying controls that can identify assets, detect anomalies, protect against vulnerabilities, and, in the event of a breach, respond and recover.
• Implement cybersecurity controls. In addition to the other tactics detailed here, there are a handful of key cybersecurity controls every company should have in place (and additional supporting controls, depending on size and complexity). Stakeholders should document and prioritize critical products and services, and prioritize controls that protect these key assets. Network devices must be protected with strategies like using intrusion detection and prevention systems, ensuring anti-virus and patching installation occurs as soon as an update is available, and enabling encryption for data stored within and sent through the company network. Logical access controls include enforcing password parameters (complexity, failed-attempt lockout), employing multi-factor authentication for remote access and regular review of user access permissions across the network and for critical applications. Critical data should be backed up daily, with regular testing of backups. 
• Implement adequate security processes, including an incident response plan. Incident response plans are two-fold. First, companies should implement plans to prevent a gap in business operations if a cybersecurity attack occurs. Second, companies should implement a plan to notify any third parties as may be required under contract or law. Companies that encounter personal information may have responsibilities under federal or state law (all 50 states have a breach notification law) that may require notice to individuals whose data is affected or to government agencies.
•  Train, train, train. No policy is effective without proper training on how to implement it. One big mistake that companies make is to not adequately train staff in the cybersecurity space. Are employees taught to use their Virtual Private Network (VPN) if they are accessing the company’s network offsite? Do employees know whom to contact if they encounter a phishing email? Do they know how to identify a phishing email? At a minimum, employees should receive formal cybersecurity training annually, with continual reminders of their cybersecurity responsibilities.

As construction companies become targets for cyberattack, owners and management must evaluate and work to mitigate their risks early on. Bad actors want the data these organizations have, and failing to protect the data means failing to protect the business.