The construction industry is full of challenges, from tight deadlines to abundant physical hazards. Professionals in the sector understand this, but they may overlook the prevalence of cyber risk in their organizations.
Cybercrime doesn’t top many construction firms’ priorities because it historically hasn’t been a relevant issue for the industry. However, the need for better cybersecurity has grown increasingly dire as contractors embrace more digital technologies.
The State of Cyber Risk in Construction
More than 75% of construction and engineering companies have experienced a cybersecurity incident between 2017 and 2018. Since then, cybercrime has only become more common across the board, yet protections in the industry haven’t kept pace. More recent statistics show that the sector is more vulnerable than ever.
Data breaches in construction rose by 800% between 2019 and 2020, and at least 43% of firms say they’re not prepared for one. Considering the massive uptick in successful attacks, the number of those who actually aren’t prepared is likely higher. Cyber-risks could become even more common as more cybercriminals realize this industry’s vulnerability.
Why Is Construction at Risk?
These abundant cyber-risks come from a few notable trends in the industry. Most notably, construction companies have embraced new technologies faster than they’ve implemented controls to secure them.
Many firms have started using Internet of Things (IoT) technologies to enhance worksite safety and manage progress. As helpful as these devices are, they also expand these companies’ attack surfaces. Similarly, construction teams have moved from paper workflows to the cloud, introducing new vulnerabilities.
The second trend is a widespread lack of cybersecurity expertise. Since the industry isn’t used to managing these technologies, firms are largely unaware of the risks they present. Those that are aware lack the necessary knowledge and experience to provide sufficient security.
The industry’s reliance on fluid workforces and third-party services introduces more risks. Securing these workforces and processes poses a larger challenge than traditional office environments.
What Can Contractors Do to Minimize Cyber-Risk?
Understanding this cyber-risk landscape is the first step in becoming more secure. Once construction teams are aware of these vulnerabilities, they can follow these steps to minimize their risk.
Train Employees in Cybersecurity Best Practices
As in any sector, the weakest link in construction cybersecurity is its employees. Construction is the No. 1 targeted industry for ransomware, which often starts with social engineering attacks. Employees who can spot phishing attempts are less likely to click malicious links or expose private data accidentally.
Cybersecurity training should be mandatory for all construction workers. That includes learning common phishing signs, responsible password management and the consequences of failing to employ these best practices.
Regular refresher training is also important, given most employees’ unfamiliarity with these measures. Firms should train and test their workers at least annually to make sure these practices remain at the top of their minds.
Secure IoT Devices
Another crucial step to minimizing cyber-risks in construction is securing teams’ IoT networks. One of the best ways to protect IoT devices is to segment systems so devices that need different information and connections are separate. This segmentation will ensure one breached device can’t act as a gateway to the rest of the network, minimizing impact.
It’s also important to change IoT devices’ default settings to require stronger, unique passwords and update automatically. These gadgets could feature known vulnerabilities that cybercriminals may look to capitalize on unless updated regularly. These devices often lack built-in security, so teams must also use anti-malware software on IoT networks.
Monitor and Minimize Third-Party Risks
Even if a construction company has sufficient internal security, it faces cyber-risks from third parties. Software vendors, supply chain providers and other partners typically have access to sensitive internal data. As a result, any vulnerability in these third parties effectively becomes a danger for the construction firm itself.
Research shows that 51% of surveyed businesses have suffered a data breach from a third party, with 74% stemming from giving these partners too much access. Construction firms can minimize these risks by restricting third parties’ privileges. These companies should only have access to what’s necessary to do their job and nothing more.
Construction companies should also monitor third-party security risks before partnering with other businesses. Asking for proof of reliable controls can help ensure minimal risk from the beginning.
Have an Emergency Response Plan
Construction companies should understand that no measure is perfect. Some amount of cyber-risk will always be present, so firms need a backup plan to mitigate successful attacks.
Specific steps will vary depending on contractors’ particular situations, but they should include a few common themes. Businesses should have offline and online backups of all sensitive data to minimize losses. These plans should also include specific steps for how to communicate a breach and who’s responsible for what in bringing systems back online.
The Construction Industry Must Take Cyber-Risk Seriously
Cyber-risks are abundant in the construction industry, but firms don’t have to take these challenges lying down. Companies can take effective steps to minimize and mitigate their vulnerabilities once they understand why they’re at risk.
These steps aren’t comprehensive but are a crucial starting point for construction cybersecurity. They’ll become all the more important as cybercriminals continue to target the industry.