Are Cyber Threats Real in the Construction Industry?
Are you still wondering if cyber threats can affect your business? If you are, then you couldn’t possibly be ready for them… Such a mistake on your part!
Construction company owners may be misguided in their thinking that by largely running the business by pen and paper, they are safe from black hat hackers from all over the world, but that is not quite the case. As the industry is being digitised, so does the type of threats endangering it change. (To learn more about security threats everyone may fall victim to, read one of our previous articles.)
Just to show what kind of cyber threats lurk in the dark, here are just a few of the most common ones:
- Data breach – Online business data is consisted of people’s payment credentials, but also their personal health information, intellectual property and so much more. Once breached, these huge amounts of information can be abused directly or sold on the black market.
- Brute force attacks – They are executed by programs which attempt to guess users’ credentials by trying out as many combinations as possible. There are also reversed brute force attacks, where a single password is tested against as many usernames as possible.
- Ransomware – It is a form of malware that hijacks a database or a system, either to encrypt it and make it worthless to the user, or to lock it down so the user cannot access it – until they pay ransom. Of course, there is no guarantee that even paying ransom will help the victim restore their possession.
- Scareware – This is another form of malware, which generates pop-ups similar to those from antivirus or antispyware software, firewall applications or registry cleaners. They usually signal that a large number of problems (such as infected files) have been found on the computer and offer the user to buy software to fix the problems. In reality, no problems were detected and the suggested software purchase may actually contain the real malware.
- Backdoors – Typically, a backdoor attack is a malware that enables an unauthorized entrance to a computer system, not by fighting or manipulating the security measures, but by bypassing them altogether. There are no smoking guns or traces that an evil act has been committed, which makes backdoors especially hard to discover.
- Phishing – A form of manipulation where the hacker pretends to be a trustworthy source. They may even clone a regular website or an email in order to appear harmless and legitimate. The point is to trick you into performing an action – enter sensitive information or click on an attachment that contains and immediately executes malware.
- Defacement – It is not always done for nefarious reasons. Hackers sometimes do it just for fun, to stroke their omnipotent egos, or to test their skills on a playground, practicing for something bigger. By breaking into a server, the hacker can change the looks or content of the targeted website. It often happens via SQL (code) injections.
By the same token, believing that running a small construction company will keep you off the cyber predators’ radar won’t exactly keep you safe. In the cyberspace, we are all the same. In fact, small businesses may be in even more danger from cyber attacks than high-profile companies. (Read about 5 biggest security myths in one of our previous blog posts.) It is a fact that small businesses possess more digital assets than individuals, but they also have less sophisticated security than big brands. For that reason, thinking you can hide because you are small is dangerously stupid.
Have in mind that 60% of small businesses that get hacked go out of business in within 6 months! Quite a price to pay for thinking you are too small a target, don’t you think?
On the other hand, large contractors are not immune to the threat coming from cyberspace either. In fact, the Target data breach from 2013 stemmed from an Advanced Persistent Threat (APT) attack on their mechanical contractor. In other words, hackers gained access to Target via an employee of the mechanical contractor who had access to Target’s electronic billing system. Between Target and the associated financial institutions, the estimated damages were up to $400 million for this breach alone. Turner, AECOM and Whiting-Turner are just a few other larger contractors who have been victims of hackers and the negative publicity that goes with it.
According to Douglas Zuzic, Information Systems Manager at Richard Crookes Constructions, the biggest cyber threats in the construction industry point to a giant rise in fraudulent head contract and subcontract claims.
“The industry has low volume but high value transactions when it comes to invoices and claims. So what’s happening is that, because of their high value, they’re on the radar of scammers and cyber-criminals. They’re collecting all the names of construction companies’ CFOs and executives, as well as details and emails of the accounting teams. What they do is they submit a claim saying that their bank account details have changed, and they are providing new – fake – details.”
It is important to know that there are a number of ways to mitigate the risk of cyber attacks on construction companies:
- Maintain a risk transfer instrument (insurance policies) – Social Engineering coverage can usually be found on an Errors & Omissions (E&O) policy while standalone Cyber Liability policies are available for other risks. However, cyber liability policies are not standardized from one carrier to the next and can have a wide variation in coverage and cost. Coverages you want to look for include:
– Third Party (Privacy/Network Liability, Regulatory Liability, Media Liability and Technology E&O
– First Party (Theft/Fraud, Crisis Management, Business Interruption, Data Restoration, Notification Costs and Cyber Extortion) - Strategies for buying Cyber Liability coverage – They include you having adequate limits/sub limits, retroactive coverage, vendors’ errors and omissions, making sure Personal Identification Information (PII) is broadly defined, liability associated with handling data of others, loss of data not just theft or unauthorized access, crisis management coverage, align cyber insurance with contractual indemnity, scrutinize prior consent provisions (i.e. Crisis Management) and strategize additional insured coverage with vendors
- Adhere to a proper background screening for both new hires AND vendors
- Engage a reputational risk advisor and outside counsel specializing in cyber security/litigation now to be prepared for what could happen later
- Provide periodic training to your employees
- Develop an incident response plan
- Implement and enforce the use of a Written Information Security Program (WISP) – The attorney general stated early in 2017 that Massachusetts will be moving from education to enforcement of this protocol meaning that any and all employers with personal identifying information of an employee are required to have a WISP
- Hold an internal meeting with a cross-section of employees to identify vulnerabilities in order to:
– Assess the risks to your entity
– Identify the systems data and hardware that require protection
– Define the key players who are responsible for maintaining security and leading the response plan when an attack occurs
– Communicate the plan to executives and management and get them to champion the initiative
– Monitor and report on the plan’s effectiveness - Constantly update firewall, anti-viral software and software patches
TLDR: Yes, cyber threats in the construction industry are real – with large sums of money involved, there are always those who want their piece of the pie and are not afraid to commit a crime to get it.
Or you can have us do it all for you!
We have over 275 clients who are more than satisfied with our services. On more than 1500 websites we actively monitor, nearly 55,000 security threats were successfully prevented using our solution. Not only do we perform full WordPress security scans on the platform itself, we examine and secure all plugins in order to make sure there are no security threats. The websites under our protection are watched 24/7 for threats and updates, allowing the businesses they represent to thrive. Finally, the already compromised websites are fixed by being thoroughly cleaned of malicious content and protected from future threats.
Since no cyber threat can be removed permanently on the Internet, we will keep your defense line firm and evolving with security practices to keep you safe.