The construction industry has seen a significant rise in cybersecurity threats as it continues to adopt digital technologies. According to a 2023 report by the Construction Products Association, the industry’s digital acceleration has made it a prime target for cybercriminals, with cyberattacks in construction increasing by 78% over the past two years.
A study by Total IT reveals that 43% of data breaches in the construction sector are due to internal actors, with 21% resulting from unintentional actions by employees, such as clicking on malicious email links. The rise in ransomware attacks is particularly concerning. For example, in 2021, a major ransomware attack targeted a top construction firm, resulting in significant data loss and operational downtime.
Cybersecurity threats in construction are varied and include phishing, ransomware, and malware. Phishing remains a prevalent issue, with attackers often using sophisticated techniques to steal sensitive information. Ransomware attacks, where data is held hostage until a ransom is paid, have also become increasingly common.
To combat these threats, construction companies are implementing endpoint security systems, employee cybersecurity training programmes, and enterprise file sync-and-share (EFSS) solutions. Endpoint security, which includes proactive defence measures like Endpoint Detection and Response (EDR) and patch management, is essential in preventing malicious code from infiltrating networks. Employee training programs are crucial as well; they educate staff on recognising and avoiding phishing attempts and other cyberthreats.
Overall, the construction industry must prioritise cybersecurity to protect sensitive data and maintain operational efficiency in an increasingly digital landscape. The implementation of robust security measures and ongoing education for employees will be key in mitigating cyber-risks and safeguarding the industry against future attacks.
We ask two experts on how robust cybersecurity be ensured throughout all stages of building and construction projects.
Denys Schwartz, Director and Independent Consultant within the Construction Industry at Gluck Advisory
These days, significant building and construction projects rely heavily on contract management software to streamline project management and ensure efficiency. However, with the increasing use of digital tools, it’s crucial to prioritise cybersecurity to protect sensitive contract and commercial information for both owners and contractor/builders.
To start, it’s important to conduct a thorough risk assessment to pinpoint potential cybersecurity threats and vulnerabilities specific to your project, such as unauthorised access to sensitive contract data, phishing attacks targeting project stakeholders, inadequate encryption for data storage and transmission, vulnerabilities in third-party vendor systems and insufficient access controls within contract management software. This assessment will guide the development of a comprehensive cybersecurity plan tailored to mitigate these risks throughout the project’s lifecycle.
A key element in safeguarding your data is choosing robust contract management software. Modern systems should come with advanced security features, including strong encryption for data at rest and in transit. This encryption ensures that sensitive contract details are shielded from unauthorised access. Additionally, the use of software with multiple layers of security, such as firewalls, intrusion detection systems and regular security updates, to offer comprehensive protection against cyberthreats.
Within your contract management software, set up strict access controls to limit who can view or modify contract information. This means implementing role-based permissions and requiring multi-factor authentication, which helps ensure that only authorised individuals can interact with sensitive data.
Ongoing training is another critical component. Regularly educate all team members involved in contract management—like project managers, contract administrators and legal staff—about cybersecurity best practices.
In addition to preventative measures, having a clear incident response plan is vital. This plan should outline how to quickly identify, contain, and manage any cybersecurity incidents affecting contract management. A well-defined response strategy helps minimise the impact of breaches and ensures everyone knows their role in addressing an incident.
It is important to note that vendor management also plays a significant role in maintaining cybersecurity. When working with third-party vendors, include stringent cybersecurity requirements in your contracts. Regularly audit vendors to ensure they adhere to these standards, helping to protect against potential vulnerabilities introduced by external parties.
In summary, a comprehensive approach—including risk assessment, secure technology, access controls, training, incident response and vigilant vendor management—ensures strong cybersecurity throughout the project lifecycle, keeping sensitive contract and strategic commercial data secure and effectively mitigating cyberthreats in construction projects.
Nick Hyatt, Director of Threat Intelligence at Blackpoint Cyber
The construction industry is in a unique position when it comes to cybersecurity, as many of the projects that organisations in the vertical work on have components that aren’t controlled by the organisation itself. This presents several challenges that have interesting implications, as many projects involve third parties. In general, the types of cybersecurity challenges faced during building and construction projects can be broken down into three categories:
1. Data security: There is a lot of sensitive data controlled by multiple parties during construction projects, including financial data. Considerations should be taken into place during the project for:
2. People and process: Construction projects often involve many stakeholders – Each of these entities may hold sensitive data and are all entry points for threat actors and adversaries. Many of the same recommendations apply from a people and process standpoint, too.
3. Technology: While focusing on network security is important, the construction industry faces new and interesting challenges in the nature of the tools being used on project sites. With the increasing usage of wearable technology, drones and connected sensors, it’s even more important to consider security risks around these technologies.
Some questions to consider when thinking about cybersecurity around construction projects:
– Compliance certifications – are contractors and vendors certified to handle the data involved?
– Security transparency – What processes and procedures do contractors and vendors have in place to protect the data they may be handling? What data will they be handling, and where will it be stored? How will it be transferred?
– Do contractors have an incident response plan in place? A security incident at a third party during a project can have catastrophic consequences, especially with the proliferation of ransomware attacks in the construction space.
– Do contractors and vendors have a business continuity and disaster recovery plan in place? As we saw with the recent IT issues around the globe, understanding and having contingencies in place is very important when not only cybersecurity incidents occur, but also unexpected technological disruptions.
– Do contractors and vendors have security awareness training in place? Security awareness training is key to ensuring that common attacks are spotted and stopped before they become major incidents. Individuals are often common targets for attacks, so ensuring that tools and training work together in conjunction to protect environments is very important.
While there are many aspects to cybersecurity and this covers just a few, thinking about these questions during the scoping process can often save a lot of headaches down the road!