Yes, even construction companies are vulnerable, and the sooner you acknowledge it, the sooner you can start protecting yours.
The construction industry is inching its way toward a digital revolution, with many companies boosting productivity through the use of construction management apps, building information modeling (BIM) and connected equipment. While these tools can bring profitability gains, digital connectedness makes companies in any industry vulnerable to hackers and other cyber threats.
According to a 2016 Cybersecurity Report from SecurityScorecard, the construction industry has a relatively good security rating — not because it’s so well prepared but because of its small digital footprint. But as general contractors become more connected within their organization and to their AEC partners, they can expect a corresponding increase in cyber threats.
“Construction companies have the same vulnerabilities as companies in other industries simply because they can possess information that others will find valuable and want,” said Dave Tuckman, owner of GSWS Cybersecurity in San Diego.
What are hackers looking for? “Employee information is a popular target,” Tuckman said. This information often can be gained through phishing scams, in which emails that seem to come from a trusted source prompt the recipient to click a link to a spoofed website, reply with private information or open an attachment that contains malware.
Such was the case in 2016 when Turner Construction fell victim to a spear phishing scam. An employee sent tax information — including Social Security numbers and financial data — for current and former employees to a fraudulent email account. Around that same time, Whiting-Turner Contracting found that the vendor who handled its W-2 and 1095 forms may have compromised employee information.
Hackers may also want to get their hands on intellectual property or information that may provide a strategic advantage — for example, job quotes that reveal what contracts you’re bidding on and how much you’re bidding.
Small businesses in general face increasing risks from hackers, probably because they make for easier prey than larger businesses and may be more willing than individuals to pay a ransom to get their data back after a ransomware attack locks it. Symantec’s 2016 Internet Security Threat Report showed that in 2015, phishing campaigns targeted small businesses 43 percent of the time.
General contractors may present an even more enticing target than some other small and medium-size businesses simply because most employees aren’t sitting in an office with a secure server. If, for example, workers try to use a public Wi-Fi signal rather than heading back to the trailer for a secure Wi-Fi connection, they’re opening the company up to danger, since hackers can use special tools to intercept any data the workers enter, including passwords. Some hackers also set up rogue Wi-Fi hotspots labeled “free Wi-Fi” that encourage unsuspecting users to connect, at which point the users’ information is compromised.
How to protect your data
There are a number of steps general contractors can take to limit their risk. These are good starting points:
- Teach employees not to open attachments or click on links from suspicious emails. Make this a regular reminder at company meetings or in newsletters.
- Install the latest security updates from software and equipment manufacturers.
- Set requirements that ensure employees use strong passwords.
- Require that company employees access the internet on their work devices only through a secure, encrypted signal.
- If employees regularly have to resort to using public Wi-Fi, sign them up with a virtual private network (VPN) provider.
- Work with vendors, including accountants and bookkeepers, that have good cybersecurity processes in place. Have a process for evaluating their cybersecurity.
While you’re thinking about cybersecurity, think about which data you consider most important to your company — what information you’d least like a hacker to access — and where it lives. This step is part of a risk assessment, which a cybersecurity firm or qualified IT expert can help you conduct.
“The assessment identifies what is critical to the organization. Once we know what’s critical we can develop a strategy to protect it,” Tuckman said.
Know who you’re going to turn to for help if you do get attacked. Tuckman noted, “In the same way it’s better to know which mechanic you are going to call before the car breaks down, have a plan in place for your technology and managing digital information.”
Finally, never get complacent. Attackers are constantly evolving their methods. The more you keep up with cybersecurity best practices, the better off you’ll be.