Articles|April 01, 2019
Hackers on the Jobsite: Cyber Attacks Target the Construction Industry
By Jeff Cavignac
President CPCU, RPLU, ARM
Article courtesy of AXA XL By Conor Mulcahy, Claims Specialist, Cyber Professional
Today’s construction operations are deeply reliant on technology. Drones inspect jobsites and return results to cloud-based databases. Wearable technology alerts workers to jobsite hazards. Technology solutions such as virtual reality, augmented reality, connected jobsites and advanced tracking help site managers better manage project outcomes and safety, and predict and mitigate risks.
Yet all of the technology comes with one overarching hazard—the possibility of a cyber breach. According to a 2018 study, companies in all industries share a 27.9 percent probability of experiencing a data breach involving 10,000+ records in any given 24-month period. While the number of reported data breaches in construction is relatively low, the cost of a data breach is not. In fact, the average cost per each record compromised in a data breach is $148. If a construction firm has a breach of 10,000 records, the costs are nearly $1.5 million.
Thanks to its dependence on technology, the construction industry is increasingly vulnerable to cyber threats. As more electronics appear on jobsites and in daily operations, the risk of hackers exploiting security loopholes increases.
One threat faced by construction companies is the possibility of a ransomware attack. Ransomware is malware, deployed through the internet, that encrypts the files on a business’s computer systems. The business must pay a ransom, often in the cryptocurrency Bitcoin, in order to obtain a decryption key to regain access to the business’s own computer systems.
Another disturbing cyber threat that has emerged in recent years is an email scam that uses actual email accounts from the targeted business. This scam is similar to traditional email phishing scams in that hackers send fraudulent emails in an attempt to trick employees into sending wire transfers. However, instead of using spoofed email accounts, cyber thieves are now infiltrating email systems and sending fraudulent requests from actual user accounts. Such emails are tougher to detect as fake. Whereas a spoofed email contains a different email address than the user’s regular email, the hacked emails are identical in every way to a request from a company employee or executive. Few employees would question a monetary transfer request coming from the company’s accounting department.
Construction firms can ill afford such incidents. Because construction project success is dependent on meeting timeline and contractual obligations, any delay in business operations could result in serious financial loss, including:
- Delay damages: Depending on contract language, construction firms could be penalized for delayed project completion. Such delays can cost contractors twice—once for the damages paid to the client and again for the business costs associated with the delay.
- Business interruption: A downed computer system could mean that contractors are unable to start other scheduled projects on time or keep current employees on the job and productive.
- Cash flow issues: Delays could mean material storage costs, extensions to insurance policy periods, additional wages and workers compensation exposures and expenses, site facilities rental extensions and lack of expected money from the delayed project.
- Subcontractor delays: Subcontractor obligations elsewhere could further delay a successful project completion.
- Cost of remediation: Depending on how many client and vendor files are compromised and how long it takes the construction company to identify the breach, the costs could mount quickly. And it’s rare that a company notices a breach immediately—the average time between breach and identification is 197 days. Plus, remediation takes time—an average 69 days from discovery to containment.
Reducing Data Breach Risk
The first line of defense against cyber threats is an educated employee population. Your company should teach employees about the methods hackers try to use to infiltrate company systems, including phishing and email mirroring scams, and encourage employees to scrutinize any messaging that contains suspicious links or requests changes to payments or bank accounts. Consider employing the following additional safeguards.
Payment change verification process
Have a procedure in place for changing payment information, such as how many people must sign off verbally, who those people are and the steps to take when such requests are received.
Train employees on social engineering methods
Employees should know the protocol for links contained in emails and for requests for sensitive information about employees, vendors or company files. Most breaches occur when employees inadvertently grant access to cyber thieves.
Require regular password changes
All users should be required to change passwords at regular intervals and set up complicated passwords containing a combination of numbers, letters and characters. Employees should be warned not to keep passwords written or stored on devices or work spaces. Also, consider using two-factor authentication for anyone logging into company systems.
Update anti-virus software Install regular updates to newer anti-virus programs and consider upgrading if your software is outdated or no longer supported.
Review insurance policies
Understand what’s covered and what’s excluded. Is cyber liability covered by your current policies and, if so, to what extent? Do you have a policy that provides first-party data breach response and crisis management coverage? What additional products may be needed to better mitigate cyber loss?
Construction companies are as vulnerable to a cyber breach as any other type of business. Cyber thieves are looking to attack companies whose systems offer the easiest entry points, and the construction industry is an ideal target precisely because the industry has only recently become more digitized and has been slow to protect itself.
As hackers continue to search for vulnerabilities in construction company systems, employers should assess their security gaps and create processes that help all employees identify and thwart attempted cyber breaches. By doing so, companies involved in construction projects potentially can avoid the costs and headaches associated with data breaches and instead focus their attention on completing their projects on time and on budget.
Posts|November 23, 2020
Understanding Employee Safety and Your IIPP
By Chris Malicki
Safety Risk Advisor
Posts|November 19, 2020
Educate & Protect Video Podcast: AB 685 Notice Requirements and Reporting
By Diana Dix
Human Resources Risk Advisor SPHR, SHRBP, HCS