Cybersecurity Resilience in Construction: Building a Defense Against Cyber Threats 

Cybersecurity continues to play a critical role in the construction industry. Between the growing number of devices connected to the internet without proper segmentation; reliance on legacy systems, databases, and servers; and unhardened mobile offices, the construction industry has a substantial target on its back.  

When you have an increase of internet of things (IoT) and operational technology (OT) devices, legacy systems, and networks that are not properly hardened, threat actors can leverage known vulnerabilities to gain a foothold into your environment to access data and install malicious software.  

Common cyberattacks on construction companies

It shouldn’t come as a surprise that ransomware, phishing, and data breaches continue to be the three biggest threats not only negatively impacting construction companies, but nearly every other industry as well.  

• Ransomware attacks can be detrimental to a construction company, especially if a threat actor is able to gain access to critical files, such as federal projects or information on clients. If a threat actor deploys malicious software into your environment, they can block your access to your company’s systems and networks until a ransom is paid. This could cause substantial damage for construction companies from halting operations to causing significant delays to order supplies for projects.

• Phishing attacks are a quick and easy way for threat actors to gain access into your environment through a deceptive email aimed to trick employees into using their credentials to login into systems, networks, and databases. Once access is gained, they can deploy malicious software in your environment.   

• Data breaches are on the rise in the construction industry due to slower adoption of regulations, a surge in digitalization, and an increase in exposure to third parties. If a piece of malicious software is deployed onto a device and spreads throughout the environment, cybercriminals can keep a covert pulse on what is going on and slowly collect enough data to leak.  

The best protection against these common cyberattacks is a three-fold plan that includes: a robust cybersecurity program, patch and vulnerability management, and adherence to general security practices.  

Unique vulnerabilities in construction projects

Analyzing third-party risks continues to be a growing factor for construction companies, especially as more organizations are relying heavily on these partnerships. This reliance on third parties has created unique vulnerabilities as the cybersecurity measures in place between a construction company and a third-party lack consistent protocols. If a cybercriminal gains access to the network and systems of a third-party, while it may not directly impact a construction company’s environment from an IT perspective, it does potentially impact their supply chain and ability to meet project commitments.  

Further, within the construction industry there is an inherent need for satellite offices to ensure on-site project management. Often times these offices are created quickly to adapt to client needs, which may leave them unhardened or misconfigured. Threat actors can use these vulnerable networks to gain access to an organization’s environment, which may lead to the attacks mentioned above. 

Why cybersecurity matters in construction

Projecting sensitive data and ensuring project continuity and safety is paramount in the construction industry. Having proper and effective cybersecurity costs a lot less than responding to a ransomware incident or a data breach. Why? Because at the end of the day, you do not have to deal with the costs associated with fixing the issue that caused the breach or the cost of the ransom, and you don’t have to repair the reputational damage from client and revenue loss. Proactively protecting architecture drawings, project plans, bids, proposals, blueprints, customer information, and other critical information becomes paramount to keeping the trust of your customers and protecting your organization’s critical information.  

Strategies to mitigate cyber threats 

As construction companies continue to adopt digital capabilities and more devices are connected to the internet, analyzing and identifying vulnerabilities in your environment is more important than ever. This can be done in a variety of ways, but two strategies standout: 

1. Penetration testing and vulnerability scanning identifies holes in your systems or networks caused from unidentified security gaps due to a variety of things from misconfigured firewalls to improper patching.

2. Cyber risk maturity assessments analyze not just your vulnerability and patch management practices, but your entire environment from governance to protection to detection.  

Building a strong cybersecurity culture

An effective cybersecurity program doesn’t stop at solutions. Creating awareness across all levels of your construction company is crucial as well as continual updates and improvements to security protocols. At the most basic level, construction companies must foster a culture where all employees from executives to on-site workers understand the importance of cybersecurity and their role in protecting company data. This can be done by educating staff about cyber risks, implementing strong password policies, requiring mandatory security awareness training from the top-down on an annual basis, and identifying data that needs to be protected and controlling access to it.  

Remember, leadership plays a key role in a culture shift to prioritize cybersecurity within the company. This commitment not only protects company data but reinforces trust among clients and third-party vendors.  

The evolving nature of cyber threats requires continuous improvements to security protocols, updating software and systems, and conducting consistent training and awareness programs for all employees. Aprio, a premier business advisory, tax and accounting firm, can develop a robust cybersecurity program by providing services such as vulnerability scanning, penetration testing, and cyber risk maturity assessments.