11 Tips to Protect Your Construction Company From Cyber Threats

Data breaches in construction increased 800% from 2019 to 2020, according to a recent study. A cyber security expert talks about how construction contractors can keep their companies safe from data breaches.

October 13, 2021
Gigi Wood
Data breaches in construction increased 800% from 2019 to 2020, according to a recent study. A cyber security expert talks about how construction contractors can keep their companies safe from data breaches.
Data breaches in construction increased 800% from 2019 to 2020, according to a recent study. A cyber security expert talks about how construction contractors can keep their companies safe from data breaches.
@denphumi - stock.adobe.com

It’s increasingly in the headlines, nightly news and on media sites; cyber security breaches are on the uptick. Some of the largest breaches this year have involved Colonial Pipeline, Facebook, Bonobos, Kroger, Parler and T-Mobile. While construction companies weren’t at the top of the list of biggest breaches of 2021 so far, the number of construction-related cyber breaches experienced a 545% increase from 2019 to 2020, according to the 2021 Data Breach Outlook Study by Kroll, a risk consulting firm. In construction specifically, that increase was 800% from 2019 to 2020.

According to the study, “a large North American construction company had to notify hundreds of thousands of customers due to an incident involving a stolen laptop that resulted in unauthorized email access.” While construction companies excel at working at remote jobsites, moving office work to work-from-home settings during the pandemic created challenges for the industry, the study says. There are other risks in the industry, as well. Devices connected to the Internet, from smartphones to wireless sensors, can work as portals granting access to company information. And when contractors pay subcontractors, those wireless transfers can potentially be at risk.

The construction industry was, at one time, fairly immune to security breaches. But in recent years, there’s been an influx of new technologies and new connections on jobsites that can make companies vulnerable to cyberattacks. At least 43% of those surveyed for the study said they felt ill-prepared for a breach. So what can construction companies do to prepare for a potential breach? We talked with Brian Lapidus, global practice leader for Kroll’s Identity Theft and Breach Notification practice, a division of Kroll’s cyber risk division, about trends he’s seeing and what contractors can do to keep their businesses safe.

Lapidus points out that businesses are better prepared now for cyber threats than they were 15 years ago.

“Fifteen years ago, I think a lot of the conversation was ‘Cyber who? Cyber what?’ And now they're willing to take an active approach to manage their risk,” he says.

Sometimes companies think they’re protected when they’re not, he says. For example, just because a business is in compliance, or in other words, has established protocols to address cyber threats, does not mean that business is protected from cyber threats, he says.

“I think often the board and the C-suite think about compliance as the cyber strategy, and it's not, it's not an effective cyber strategy,” Lapidus says. “Compliance is a checkbox. It doesn't actually reduce the risk. Now it may increase awareness, which is a positive, but it's never going to thwart the intruder. And so, that increase in accountability and that focus on doing more than compliance still needs to occur.” 

1.     Retain Cyber, Legal Experts

Before a threat is identified, one of the wisest decisions a construction business can make is to have a cyber expert and an attorney on file. Meet and have a brief discussion with these professionals, so you know who to call when a problem does arise, he says.

“Starting to search for a solution when you're in trouble, it's like figuring out who to call when your house is on fire,” Lapidus says. “There's a lot of damage that gets done before you can even get to the fire department, if you don't know where the fire department is. So having those things in place is really, really important.”

2.      Practice Response to Breaches, Like a Fire Drill

The next best move is for a business to practice its response to a cyber threat the way schoolchildren and some businesses practice fire drills. Performing training exercises, such as how to react to suspicious emails, can greatly reduce a company’s exposure to cyber threats, Lapidus says.

“A larger organization may do this monthly or quarterly; a smaller organization may not be able to do it with that frequency,” he says. “The goal, in my mind, is for there to be some organizational muscle memory when this event does happen, so that you can react and react quickly, because speed is sometimes the name of the game.”

3.      Keep employees trained

It’s also important to renew that training periodically. Doing so improves employee response to potential threats, Lapidus says.

“Your employees can be an amazing defense mechanism if you use them, and I don't think organizations are using them as effectively as they could today,” he says. “You have your technical solutions and then you have your human capital solutions and both of those together are far more impactful than one alone.”

 Kroll DiagramKroll

4.      Know Where Your Data Lives

Before a cyber breach occurs, find out where your company’s data – employee data, customer data, security data, proprietary data – is kept.

“Whatever it is, know where your data is, because if it's accessed, then you know what you need to fix,” Lapidus says. “I've unfortunately seen many clients who don't know where their data is, which, when they have a network exposure, triggers all sorts of notification requirements, that if they knew where the data was within their system, they may have been able to work with counsel to reduce the scope of that notification.”

5.      Stay Current on Tech

Have someone on the team who stays up-to-date on cyber security threats and technology, Lapidus says.

“It’s really hard to stay on top of new technology and new potential technology exposure but making sure that people on your team are aware of those things, staying up on it, and then sharing that information and filtering it back into the organization,” he says. “It reduces your risk, and all of these things are about reducing that risk. So when this happens your impact is small, and your response is fast and stable.”

6.      Use More Than Encryption

Encrypting data is a best practice within the cybersecurity industry, but it’s not enough to protect a company, Lapidus says.

“Encryption cannot be the only method of defense,” he says. “When it's used alone, it can give businesses a false sense of security.”

He suggests using a virtual private network (VPN) as an additional layer of security.

7.      Network monitoring

As a preventative tool, companies can monitor their networks to ensure all entry points are protected. Monitoring also helps inform a company about whether the network has been infiltrated by a cyber intruder.

8.      Ensure Wire Transfers are Secure

When contractors pay subcontractors and vendors, large sums of money exchange hands. Construction companies need to make sure those wire transfers are secure and safe from cyber threats.

“Those wire transfers and e-payments are opportunities for someone to insert themselves between a vendor and a contractor and the corporate side,” Lapidus says. “So, making sure that those are super tight is important. I think it reduces the financial risks there. You can do that by providing wire instructions and then forcing a phone call for a password or specific digits, but doing things to tighten up those gaps, I think, is something that would help the construction industry.”

9.      Appoint Someone to Make Decisions About Cyber Security

In various industries, such as healthcare, there is typically one or two people appointed to have access to cyber security information and decisions. Appointing someone at your construction company to be in charge of cyber security information and decisions is wise, Lapidus says.

“A lot of times in hospitals, at least certain people have access to certain information; it's a regulated industry,” he says. “They're required to lock certain things down. That rigor isn't required in the construction industry from my experience. Making sure that it's really clear who owns what, and who makes what decisions, and who should have access to what information is important.”

10.  Secure the Construction Ecosystem

In an office building, all the people, equipment and data are in one place. That’s rarely the case in construction.

“If everyone was in one building, it would be a whole lot easier, right? You would be protected by four walls and a network configuration and all of those things that can happen physically within one place,” Lapidus says. “Use of a VPN, use of best practices, controls around who has access to what information; it all reduces that risk of an exposure happening. That's something that I think is probably more unique to construction than anywhere else.”

11.  Protect Employees From Breaches

If a company were to experience a cybersecurity breach, it’s important to communicate with and protect employees from any potential risk.

“These organizations need to be cognizant of the impact that a breach of their data would have on their employees or those who work for them,” Lapidus says. “It's going to make it really hard for them to resolve those issues because they're on a jobsite during the day. They could be 50 feet up in the air, welding. And management is saying, ‘Listen, we lost your data, but we need you to resolve it yourself. And you may want to, you may want to call your bank.’ That's, that's putting your employees in a tough spot.”

To learn more about the study and cybersecurity vulnerabilities, read the study here.  

Related
Adobe Stock 250231748 Lev
How the Cloud Can Nullify Ransomware
November 7, 2022
Ransomware
Construction is the No. 1 Target for Ransomware Attacks
November 15, 2021
Travelers Infographic Crop
Cyber Risks Top the List of Business Leader Concerns as Cyberattacks Rise 150% Since 2015
October 6, 2021
Cybersecurity threats increasing for industrial systems
Report: Cyber Attacks a Growing Threat to Industrial Networks
July 13, 2021
Recommended
The construction industry already is adopting AI to fundamentally change and speed up the building process.
AI in Construction: What to Expect
Instead of wading through construction documents to determine appliance packages or contract obligations, workers can type the question into their cell phone and Chat GPT will provide the answer.
March 15, 2024
AI can play a pivotal role in optimizing supply chain processes even without a fully developed data strategy.
6 Steps to AI Adoption in Construction
By implementing AI in areas that don't require extensive data infrastructure, businesses can lay the foundation for a more innovative and resilient future.
March 6, 2024
Dynamic insights, gained using predictive models powered by AI, can help employees to make data-informed decisions which typically lead to enhanced project outcomes.
Construction AI Strengths & Weaknesses
The construction industry stands at the precipice of a transformative era fueled by artificial intelligence and ever-increasing pressure to build utilities, transport, energy, and housing to meet the needs of a growing population.
February 14, 2024
Latest
The UNDERHOOD40’s digital controls include telematics, built-in soft start, safety controls and diagnostics.
VMAC Launches Digital Controls and Telematics for UNDERHOOD 40 Air Compressors
The UNDERHOOD40’s digital controls include telematics, built-in soft start, safety controls and diagnostics.
April 17, 2024
Worker safety is an area where confirmation bias can have the most disastrous effects, exposing workers all types of potential dangers.
Overcoming Confirmation Bias in Construction Project Management
Confirmation bias can be particularly problematic in project and schedule management, where decisions must be based on accurate and comprehensive information.
April 16, 2024
Tool Management permits documentation of plant crushing tools and service life in SPECTIVE CONNECT.
Kleemann SPECTIVE CONNECT App with Tool Management
Tool Management permits documentation of plant crushing tools and service life in SPECTIVE CONNECT.
April 16, 2024
When a prospective site can be made suitable for building by extending utilities (such as water, electricity or gas lines) or infrastructure (such as paving or rail services), funding may be available to offset these costs.
Jobsite Due Diligence Can Prevent Costly Delays
Good building sites remain on the market. But many of those sites must be made good with early planning and intervention.
April 15, 2024
Understand the choices available to take the “hard” out of work on your dozers, excavators, motor graders, wheel loaders and compactors.
Take the 'Hard' Out of Work
June 13, 2024
Register
Learn the top four advantages of ease-of-use technology from this webinar.
Caterpillar
Burds accepts the overall winner trophy.
Caterpillar Competition Winner Talks About the Industry & Her Win
Kait Burds with Mortenson loves the industry and wants to see more women join.
April 12, 2024
Under the federal Occupational Safety and Health Act (OSH Act), employers have a duty to monitor worksites and prevent hazardous conditions from developing. As it does with other major industry sectors, OSHA issues specific regulations targeting the safety risks unique to the construction sector.
What Artificial Intelligence Means for the Construction Workplace
When integrating AI into their business models, construction companies should carefully weigh the costs and benefits of this technology.
April 12, 2024
The StrikeSmart PLUS controller works in conjunction with Hilltip’s TempStriker sensor, which continually monitors variables like temperature, humidity and surface conditions.
Hilltip Launches StrikeSmart PLUS Controller
The StrikeSmart PLUS controller works in conjunction with Hilltip’s TempStriker sensor, which continually monitors variables like temperature, humidity and surface conditions.
April 12, 2024
Adobe Stock 679258598 Gorodenkoff
3 Tactics to Boost Construction Fleet Performance
Telematics, IoT devices, and even AI integrations have the power to significantly improve construction fleet management when utilized effectively.
April 11, 2024
The concept adaptive reuse is the practice of repurposing abandoned, older structures for a different purpose than what they were originally intended for with the express purpose of extending the building’s life.
Commercial Building Reuse in the Work-From-Home Economy
As the American workplace adapts, the traditional 9-5 will likely continue to become less common. What does that mean for landlocked employers staring down half-empty offices?
April 10, 2024
TennaCAM 2.0 Heavy Equipment is fully integrated with TennaCANbus, which allows it to deliver ECU data alongside video telematics.
Tenna Unveils TennaCAM 2.0 Heavy Equipment Camera
TennaCAM 2.0 Heavy Equipment is fully integrated with TennaCANbus, which allows it to deliver ECU data alongside video telematics.
April 10, 2024
The software update, Value Pack 2.0, includes new features in the HP SitePrint Cloud and SW Suite, as well as increased functionality in the AutoCAD plug-in.
HP Unveils HP SitePrint Value Pack 2.0 Upgrade
The software update, Value Pack 2.0, includes new features in the HP SitePrint Cloud and SW Suite, as well as increased functionality in the AutoCAD plug-in.
April 10, 2024
Many technologies exist to help combat the massive (and growing) issue of construction waste.
Combating Construction Waste with Technology
Construction professionals play a large role in reducing the amount of waste produced on a project. However, the client’s decision-making can also be a factor.
April 9, 2024
The MY DEVELON digital platform is an expansion of the company’s existing DEVELON Fleet Management telematics offering.
DEVELON Introduces MY DEVELON Digital Platform
The MY DEVELON digital platform is an expansion of the company’s existing DEVELON Fleet Management telematics offering.
April 9, 2024
Customer Service 10860910
Exceptional Customer Service Starts with Confidence
Customers want to know that the employee they are working with is confident and will be able to serve them in a professional manner.
September 17, 2019
Screenshot 2024 04 08 145039
Breaking Down Dynapac’s SEISMIC Asphalt System
The technology is designed to increase compaction quality while also decreasing complexity for operators.
April 8, 2024
To untangle the mess created by hasty technology implementations, you need to identify the inefficiencies they have caused and configure systems to meet your business and employee needs.
Your Construction Firm is Falling Behind the Digital Curve
Digital maturity can’t be measured by the complexity of your solutions. You may have a more advanced tech stack than a competitor, but if it’s not driving results, your competitor has the upper hand.
April 8, 2024
As AI continues to reshape construction industry tools and processes, a parallel phenomenon unfolds–the race to construct AI data centers.
How to Embrace AI in a Tech-averse Construction Industry
The need for collaborative dialogue, ethical oversight, and responsible innovation is paramount to harnessing the benefits of AI while mitigating its risks.
April 5, 2024
While cranes play a vital role in the transportation, construction, and agriculture industries, among others, operating this type of equipment can be especially dangerous if proper protocol is not followed.
Crane Safety Report Published
As the crane industry continues to navigate major safety challenges, NSC and the NCCCO Foundation plan to continue to provide additional resources to educate crane operators, inspectors, and employers about potential workplace hazards.
April 4, 2024
Virtual Walkaround Inspection is the tool to use when training to identify equipment failures that are unsafe and impractical to replicate on real equipment.
CM Labs Adds Walkaround Inspection for Earthmoving Training Packs
Virtual Walkaround Inspection is the tool to use when training to identify equipment failures that are unsafe and impractical to replicate on real equipment.
April 4, 2024
BidScreen XL is an add-in to Microsoft Excel, enabling contractors to manage their projects directly from the platform.
Vertigraph BidScreen XL Takeoff and Estimating Software
BidScreen XL is an add-in to Microsoft Excel, enabling contractors to manage their projects.
April 4, 2024
Many construction workers say they find it distracting to work alongside drones, and there’s evidence that even when drones are operating at a considerable distance from humans they often lead workers to look away from their tasks.
Robots are Rewriting the Rules of Construction Safety
To make worksites safer for humans, we need a smarter approach to automation.
April 4, 2024
Whether it's support with succession planning or effective people management, its experts are uniquely positioned to skillfully guide contractors in harmonizing their personal, operational, and financial strategies.
Performance Construction to Focus on Contractor Community
With a shift to exclusively serving contractors, PCA’s Business Consulting services offer even more specialized guidance for its clients.
April 3, 2024
Image (6)
How 3D Milling and Advanced Data Capture Can Save You Serious Paving Headaches
At World of Asphalt 2024, Kevin Garcia (Trimble) discuss BIM, digital twins, and how the real way to fix your asphalt mat is what's underneath it.
March 25, 2024