Tempting targets: Contractors and cybersecurity
You might think your business is too “small potatoes” for cybercriminals to bother with, but that could prove costly. Construction businesses of all sizes make tempting targets for various reasons — not the least of which is that many contractors underestimate the threat. So it’s important to regularly review cybersecurity and take steps to improve it.
Common vulnerabilities
Over the past decade, construction businesses have increasingly adopted a variety of technological advances. Examples include cloud infrastructure, networked devices and building information modeling software. Perhaps you use project management platforms and client portals to share information with multiple parties, such as project owners, architects, engineers, subcontractors and vendors.
The great thing about these tools is that users can tap them at any time of the day or night, from a wide range of locations and devices. The bad thing about them is that they create many potential access points — what experts call the “cyberattack surface” — for cybercriminals to infiltrate your network and get to its treasure trove of valuable data. Construction businesses commonly store:
- Project owners’ banking or payment information,
- Employees’ payroll data,
- Estimating and bidding details,
- Contract documents,
- Building plans,
- Intellectual property, and
- Sensitive information about subcontractors and vendors.
In addition, reliance on third-party vendors or shared systems can introduce “supply chain” risks — meaning a weakness at a subcontractor or service provider could further expose your systems to cyber risks.
Most contractors lack in-house cybersecurity expertise and allocate insufficient resources to fully protect their operations. Moreover, in an industry where pressing deadlines are always looming, employees or others might cut corners on existing security measures, further compounding vulnerabilities.
Typical attacks
Cybercrimes evolve as quickly as technology itself, making it difficult to pin down the most dangerous or common at any time. Phishing and malware, however, consistently rank among the top threats in the construction industry.
Phishing refers to schemes in which cybercriminals trick victims into sharing sensitive information, including login credentials, or clicking links that install malware. Attackers are increasingly using artificial intelligence to craft highly convincing emails or even impersonate voices, making these schemes more difficult to detect. Meanwhile, malware includes 1) ransomware, which can lock critical data or systems and may involve threats to leak stolen information unless the victim pays a hefty sum, and 2) spyware, which stealthily transfers data to the criminals.
Another common threat is business email compromise. In this type of scheme, cybercriminals impersonate a trusted party — such as a project owner, materials vendor or subcontractor — to trick employees into wiring funds, changing payment instructions or sharing sensitive information. Contractors can be particularly vulnerable because they often juggle multiple jobs, vendors, invoices and payment deadlines.
In a recent, highly publicized attack, a small, family-owned construction business was victimized by phishing and malware, resulting in payment fraud. An employee opened an email believed to be from a materials supplier. It was actually a malicious phishing message laced with malware that cybercriminals used to withdraw $550,000 from the company’s bank accounts in just one week.
The consequences of any cybercrime can be devastating. In addition to losing the stolen funds, your business may have to delay work if its cash flow dwindles. What’s more, you might suffer reputational harm and end up on the hook for substantial remediation costs, including statutory penalties and legal damages.
Key countermeasures
If cybersecurity is something you’ve been procrastinating on, start with the basics. For example, prioritize security updates to systems and software. They often patch weaknesses that cybercriminals may already be exploiting. Leaving those vulnerabilities unaddressed is like leaving a door open for hackers.
Employee training is also critical. Staff members often unwittingly allow cybercriminals access to a construction business’s network. Teach your workers to recognize the telltale signs of phishing messages and other types of “social engineering.” While you do, restrict access to key systems and data by putting them on a “need to know” basis. And mandate multifactor authentication — especially for email, banking, cloud platforms and remote-access tools — so users need more than a password to log in.
Of course, even with strong cybersecurity measures in place, no system is completely secure. Prepare for potential breaches by creating an incident response plan (IRP) that contains formal procedures for reacting to a breach and restoring affected systems. Well-crafted IRPs tend to be more effective than on-the-fly reactions. You can base your plan on reputable guidance, such as the National Institute of Standards and Technology Cybersecurity Framework 2.0.
Risk assessments are vital as well because cybersecurity protections can quickly become obsolete. Thoroughly review your systems and safeguards at least annually — or whenever you adopt new software, add vendors, expand remote access or experience significant business changes. Assessments can help you identify gaps before cybercriminals exploit them.
Finally, consider how cybersecurity aligns with your broader risk management strategy. This includes evaluating cyberinsurance coverage, understanding policy requirements, and ensuring internal controls over payments and data access are appropriately designed and followed.
Don’t let it slide
Precisely what any construction business’s cybersecurity should look like depends on many factors, including its size, specialty and technology. But one thing’s for sure: Letting it slide exposes you to countless costly risks. Your financial advisor can help you prudently budget for protective measures and track your return on investment.