Why construction companies face cybersecurity risks – and how to combat them

Most construction companies know to secure their tools on a job site from theft and vandalism. But are you protecting your most important tool: your IT systems?

The construction industry, known for its physical projects and on-site activities, is increasingly becoming a target for cyberattacks. This shift is driven by the industry’s growing reliance on digital tools and technologies, making cybersecurity a critical concern for construction companies of all sizes. The recently publicized vulnerability in a widely used construction accounting software is just one example of the risks faced by the industry.

How attackers are targeting construction companies 

  • Ransomware: One of the most common threats, ransomware attacks involve encrypting a company’s data and demanding a ransom for its release. These attacks can be devastating, causing significant downtime and financial loss. 
  • Phishing: Attackers often use phishing emails to trick employees into revealing sensitive information or downloading malware. These emails can appear legitimate, making them difficult to detect. 
  • Business email compromise (BEC): In BEC attacks, cybercriminals impersonate company executives or vendors to trick employees into transferring funds or revealing confidential information. 
  • Data theft: Hackers target construction companies to steal valuable data, including intellectual property, financial information, and personal data, that can be sold or used for further attacks. 
  • Siegeware: A newer threat, siegeware targets smart building technologies, allowing attackers to take control of building systems. This can lead to significant disruptions and safety concerns. 

Why cybersecurity is a concern for construction businesses 

  • General reliance on IT: Like any business, construction companies rely on typical IT systems to operate. Email, shared files, and accounting software are just as critical to running a construction company as heavy equipment. As a result, construction companies are just as susceptible to a traditional cyberattack as any other company.
  • Digital transformation: The adoption of building information modeling (BIM), Internet of Things (IoT) devices, and smart building technologies has revolutionized the construction industry. However, these advancements also introduce new cyber risks. 
  • Data sensitivity: Construction companies handle a vast amount of sensitive data, including project plans, financial information, and personal data of employees and clients. A data breach can lead to severe consequences, including financial loss, legal issues, and damage to reputation. 
  • Operational disruption: Cyberattacks can disrupt construction operations, leading to project delays and increased costs. For example, ransomware attacks can lock critical systems, halting construction activities until a ransom is paid. This could mean significant financial losses from job sites idled for days or missing key delivery milestones.

Additional risk factors

Companies may face additional cybersecurity challenges if any of the following factors apply:

  • Limited resources: Companies may lack the financial and technical resources to implement robust cybersecurity measures, leaving them more vulnerable to attacks. 
  • Lack of awareness: If employees are not well aware of cyber threats and best practices for avoiding them, there is a higher risk of successful phishing and BEC attacks. 
  • Inadequate security measures: Companies might not have dedicated IT staff or advanced security systems, making it easier for attackers to exploit vulnerabilities. 

Mitigating cyber risks 

To protect against these threats, the construction industry and its companies should adopt robust cybersecurity practices. Small companies are not exempt: construction enterprises of all sizes can be targets for attack. Adopting these practices starts with developing a cybersecurity program that is aligned with the company’s size and needs.

At minimum, any program should include: 

  • Employee training: Regular training sessions can help employees recognize and avoid phishing attempts and other common cyber threats. 
  • Access controls: Implementing strict access controls helps ensure that only authorized personnel can access sensitive data and systems. 
  • Regular updates: Keeping software and systems up to date can prevent attackers from exploiting known vulnerabilities. 
  • Incident response plan: Having a well-defined, well-rehearsed incident response plan can help companies quickly and effectively respond to cyber incidents, minimizing damage. 

At CohnReznick, we routinely work with construction companies of all sizes to help them understand their unique cybersecurity challenges, then take proactive measures to protect themselves, their operations, and their data against cyber threats. We also help organizations that are experiencing a cyberattack repel the attack, resume business operations, and reduce their legal risk. 

Reach out with questions or to start enhancing your company’s cybersecurity protections.

    This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.