When it comes to cybersecurity, construction tends to fall behind other industries. The risks of phishing and ransomware are often discussed and thought to center around industries like finance, healthcare and big data; however, such risks are now prime for industries such as real estate and construction. Construction executives need to understand that the construction industry is a target, the cost associated with a cybersecurity attack and practical tactics to help mitigate risk.
Why the Construction Industry Is a Target
Valuable Information. Cybersecurity has become a seemingly unavoidable topic in the last decade because the value and accessibility of data have risen. With respect to construction companies, cyber attackers may be after information they can sell or use for their own benefit, including employee information, investor information and financial information. According to Experian, the going rate for certain personal information on the dark web ranges on average from $1 per non-financial institutional login or Social Security number, to $2,000 per passport.
Cyberattacks are not just after personal and financial information. Construction companies also house proprietary information that, if compromised, could undercut the competitive edge a company may have against its competition. Such information could include bid data, design materials pricing, profit/loss data, and other highly confidential information.
Unprepared Systems. More often than not, construction companies, particularly small to midsize companies, have not taken adequate cybersecurity precautions despite having systems vulnerable to attack. Underlying the valuable information that such companies hold can be a multitude of systems including servers, software and hardware. Such systems could be provided by a third party or owned by the company itself. The vulnerabilities could be inherent to each system individually, or exist within the gaps between these systems.
Information Sharing Practices. Of course, construction companies don’t live in a silo—information is often shared between developer and general contractor, between subcontractor and architect, and the like. Not to mention, information is often shared with third-party servicers like banks and accountants. Information is also shared within a company with employees, who could pose a security risk.
There are a multitude of costs associated with a cybersecurity attack. First, there are significant costs associated with the forensics of an attack—that is, to determine what happened and what information may have been affected. Then, there are costs associated with recovery—costs associated with getting a network up and running again, recovering information and sending notices to various parties that a company under attack may have an obligation to notify. In addition, such attacks could cause a loss of trust from customers and business associates, resulting in a decrease in business opportunities and market valuation. Last, an attack can trigger legal fines and investigations (note: there are laws that require companies to have adequate security systems!), and broken contractual obligations can lead to lawsuits.
Mitigation Tactics
Cybersecurity, as a topic, can seem insurmountable and convoluted. While this is a common instinct, there are some mitigation tactics that businesses can employ to help untangle their risks:
As construction companies become targets for cyberattack, owners and management must evaluate and work to mitigate their risks early on. Bad actors want the data these organizations have, and failing to protect the data means failing to protect the business.
Written by {{author.AuthorName}} - {{author.AuthorPosition}}, {{author.Company}} {{author.Company}} Contact Info: {{author.OfficePhone}} , {{author.EmailAddress}}
{{comment.Text}}