Why Construction Companies Should Educate Employees About Cybersecurity

The construction industry is not immune to cyberattacks. Why cybersecurity is important and what your construction firm can do about it.


During these turbulent times, every company should be concerned about cybersecurity. One of the best ways to ensure your safety and that of your staff is educating your employees about cybersecurity dangers and best practices. A lot of businesses do not think they need to be worried about hackers and cybersecurity. Unfortunately, the construction industry has a reputation for lagging behind in terms of security and education regarding current threats. Skip forward and read about real-life examples where hackers targeted construction companies.


Construction companies hold a lot of valuable information that hackers would love to get their hands on. A data breach could mean losing customers, destruction of your reputation, and even financial ruin. Most companies could not afford to take that chance.

Examples of the valuable data that scammers may target:

  • Employee information, including social security numbers or bank details for direct deposit
  • Big data
  • Material pricing
  • Company financials (profit/loss)
  • Designs or blueprints
  • Bank records and other financial reports
  • Sensitive or confidential information for private contracts (government installations, etc.)

No industry is immune to cyberattacks, including the construction industry. According to data breach statistics from BigCommerce, the average cost of a data breach in 2020 was $150 million. Can your construction company sustain a loss of that magnitude?

Some other statistics of data breaches from Rival Security include:

  • Your chance of a data breach is roughly 27%.
  • 84% of companies lack IT security.
  • Every 39 seconds, there is another attack.
  • In 2019, there were 1,473 cyberattacks.
  • The U.S. is the most targeted country.

How Can Hackers/Fraudsters Target Your Company?

Hackers use various methods to target and defraud your company. Some of those include:

DDoS Attacks. Cybercriminals can use Distributed Denial of Service (DDoS) attacks to disrupt your operations and crash your server or network. These types of attacks could also present vulnerabilities, so hackers could install malware or ransomware and take control of your technology.

Third-Party Vulnerabilities. Often, scammers get in through a backdoor by exploiting third-party vulnerabilities such as weak passwords, unsecured hardware, apps, or connected cloud services.


Phishing. Most data breaches occur through phishing campaigns. Phishing is when fraudsters send legitimate-looking emails to a company's employees, tricking them into installing malicious software on their device or giving out personal information like logins. A good example would be hackers sending an employee an email that looks like it came from the HR department asking to confirm their social security number. The employee enters the information and hits send without ever wondering if it was legitimate. 93% of all data breaches were due to phishing scams.

Malware or Ransomware. Another dire threat to construction firms is malware and ransomware. Malicious software can do everything from copying or locking your data to changing security settings, adding you to a malicious network, consuming resources, and even remotely controlling your systems.

Spoofed Email or Websites. Fake websites and email addresses are another way scammers get into your network.

Social Engineering. Either through fake ads or building trust another way, cybercriminals use social engineering to extract valuable personal data or logins.

Real-Life Examples Where Hackers Targeted Construction Companies

A major federal and provincial construction firm in Canada, Bird Construction, was breached last year, and the attack included ransomware. Although they recovered quickly, the government noticed that the company handled many government-sponsored construction projects. When a data breach occurs, many connected customers or vendors may suffer.

According to ConstructConnect, Turner Construction incurred a data breach when an employee sent W2 information to a fraudulent email address. The hackers had spoofed the email address, and the data stolen were names, addresses, social security numbers, and bank details. That was plenty for identity theft and fraud.

A high-level construction firm, Whiting-Turner Contracting, also suffered a data breach when a third-party vendor handling their W2s and tax forms was breached. Employees of Whiting-Turner Contracting reported that scammers were filing fraudulent tax returns in their names.

Four other notable construction vendors, Central Concrete Supply Company out of California, Century Fence out of Wisconsin, Trinity Solar, and Foss Manufacturing, have been hit with similar attacks. In 2016, 100 construction firms lost volumes of data due to data breaches. Since then, that figure has skyrocketed.

What You Can Do to Protect Your Company

When your entire organization from the top down is invested in cybersecurity, your company data will remain safer.

Here are a few ways you can protect yourself and your company.

  • Outline particular hardware and software policies and guidelines. Perhaps you don't allow any external devices to connect to your Wi-Fi network without monitoring software installed.
  • Set rules on your firewall to block access to malicious websites.
  • Enforce strict password management.
  • Educate your staff about cybersecurity using specialized training, real-life examples, and tests.
  • Stay on top of emerging threats and provide regular updates to your entire team.
  • Create a disaster relief plan and perform mock drills to see how well your team responds.
  • Hire an outside IT firm to perform penetration testing and a security audit.
  • Update software and firmware to ensure the utmost protection. 

Educating yourself and your staff about cybersecurity could reduce your risk of exposure and eliminate attacks. The more your entire company takes responsibility for keeping things safe, the better. For example, if a fraudulent email comes in, an employee will know how to verify the sender's address and check on the information before doing anything. They will also know that it can be dangerous to click links in unsolicited emails because they often lead to malicious websites and software downloads.

With proper training, your staff will know how to spot scams and secure settings on devices to keep things safe. The more your staff knows about how to respond to cybersecurity threats and best practices, the better.

Go over these key points with your employees:

  • How to spot phishing emails and what to do about them.
  • What social engineering is and how it works.
  • Never click links in email or text before verifying where they came from.
  • Never download software from untrusted sources.
  • Use strong passwords and never reuse them elsewhere.
  • How to craft strong passwords using a combination of symbols, numbers, and lower and uppercase letters. Use examples to "show" employees.
  • How and why to use two-factor and multi-factor authentication.
  • Keep software and hardware updated with the latest firmware and security patches.
  • Use antivirus software to protect against malware and other intrusions.
  • Never give out personal information to anyone who requests it without verifying who they are and why they need it.

About the author

David Lukić is an information privacy, security, and compliance consultant at IDstrong.com. The passion to make cybersecurity accessible and interesting has led David to share all the knowledge he has.