Cyber security and the construction industry

Cyber security is a growing challenge. Construction firms, in particular, are dealing with new risks. However, many companies have been slow to properly identify and address their cyber risk vulnerabilities.

Contractors, both large and small, hold vast amounts of information that is of interest to cyber criminals – from employee data to intellectual property. Understanding the threats may help contractors identify vulnerabilities and better manage recovery efforts following a cyberattack.

Cyber risks have shot up the global agenda in recent years, following a wave of high-profile data breaches. Successful attacks against tech giants show us the sophistication of today’s criminals, while 2017’s WannaCry ransomware strike highlights the often-untargeted nature of attacks, and the fact that no one is immune. 

Cyberattacks are not limited to data breaches, but also include business interruption and even physical harm. Only severe cases make it to the news because there are not the same reporting requirements as there are for data-breach incidents.

Risks facing the construction industry

Construction firms rarely hold large amounts of sensitive personal data, such as customer credit card information,  but this is no reason to be complacent. The sector is still ripe with information and opportunities that are appealing to cyber criminals.

When a cyberattack makes the headlines, it usually concerns sensitive personal data such as personally identifiable information or credit card information. A growing body of legislation exists regarding personal data, with many jurisdictions requiring notification to authorities and data subjects should a breach occur. Stories of personal data breaches therefore naturally receive the greatest exposure. However, personal data is just the tip of the iceberg. Enormous value exists in other types of data, and cybercriminals are rarely fussy about what they steal. Non-personal data is seldom subject to the same notification requirements and, since no one wishes to air their dirty laundry in public, the vast majority of cyberattacks are not publicized.

Valuable information

The construction industry holds vast amounts of information that is of interest to cybercriminals – from employee data to intellectual property – all of which can be potentially exploited for financial gain or other motives. For example, should someone gain access to the design files for a bridge under construction, changing a single measurement could drastically alter its load-bearing capacity. The organization could then be held to ransom in return for details of what the attacker has altered. The attacker may not understand the potential impact of what they have done, though in extreme cases their goal may be to cause the structural failure of the bridge. 

Protecting your organization against a cyber attack

In an increasingly digitized and connected world, cyber security needs to be considered at all stages of a firm’s operation. While it may seem daunting, cyber security can be approached in the same way as any other risk.

Keep informed and stay ahead of cybercriminals

Cybercriminals are continually evolving, modifying their techniques to sidestep defenses and exploit new avenues of attack. The construction industry needs to be equally proactive in its response, looking at the risks holistically and instilling a genuine culture of cyber security in the boardroom, on site and everywhere in-between.

Cyber security is not just an IT issue

Crucially, cyber risk should not be  seen as an issue solely for your IT department or provider. While IT infrastructure is an important factor in managing cyber risk, it is just one piece of a much larger puzzle. 

Create a cyber security framework for success

It is important for modern businesses to appreciate the likelihood that they will fall victim to some form of cyberthreat and cyberattack. Once cyber is accepted as a key strategic risk, organizations can progress to not only protect themselves, but plan how they will respond and recover when an incident occurs.