Remember the good old days when the most common forms of cybersecurity threats involved getting an email from someone claiming to be a wealthy prince or mere data breaches? For better or worse, those days are long gone. One of the biggest current worries for business owners is becoming the target of a much more sophisticated cyberattack. Similar incursions into hospitals and government agencies tend to receive most of the media’s attention, but businesses across all industries are being targeted. When it comes to protecting any business online, ignorance isn’t bliss, and construction companies are fast becoming a key target for these kinds of attacks.
“Construction companies are likely being targeted because of their limited awareness of cyber risks and their lack of cybersecurity,” said David DeSilva, head of construction at The Hartford. “While technology is an integral part of daily business, many companies may not have adequate firewalls and protection to ward off sophisticated hackers as cybersecurity isn’t top of mind.”
DeSilva said the average downtime for organizations subject to a cyberattack is 20 days, with ransom demands spiking dramatically in 2022, reaching more than $400,000 per attack in Q4.
The most common types of cyberattacks
- Ransomware – These can be the most terrifying for any business owner. A third-party gains access to your computer systems, shuts it down and demands a substantial payment to restore service and access.
- Business email compromise – Construction companies are especially vulnerable in this regard because of their extensive use of suppliers and subcontractors – all of which are typically coordinated via email and involve the exchange of considerable sums of money. If hackers can obtain access to a company’s email accounts, they can re-route payments or solicit tax information under the guise of a legitimate business-related request. According to FBI statistics, this form of fraud resulted in an estimated loss of $2.7 billion of operating revenues in 2022.
- Credential vulnerabilities – “Many times,” DeSilva said, “contractors have open data connections with their customers for things like electronic bill paying and project management. When these connections are linked to their customers’ other important systems, it creates an environment for attackers who’d like nothing more than to steal as much information as they can. Once they have the contractor’s credentials, those cybercriminals can take valuable information from the contractor’s customers.”
Best practice protections
Remember the old PSA that used the tagline “The more you know” to educate the public on a range of topics? That slogan applies perfectly to construction companies and the need to remain vigilant against the threat of cyberattacks and the extreme monetary impact they can have. After all, it’s hard to protect against something you’ve failed to recognize is happening. For email compromise, especially, it’s crucial to keep an eye open for potential phishing attacks and take necessary responsive actions against them when they do arrive in your inbox – and they will.
Regarding ransomware, it’s imperative to identify potential weaknesses in your systems and fix them immediately. According to Matthew Magner, head of specialty cyber underwriting at The Hartford, this includes systems such as Microsoft’s operating system and VPN applications for remote access, in addition to proprietary in-house systems. “The impact of ransomware isn’t limited to ransom payments and clean-up costs,” Magner said, “but it may also include reputational damage.”
Beyond technical protections and general awareness, it’s important to educate employees on the risks – and hallmarks – of cyberattacks, including conducting anti-phishing exercises, while also implementing multi-factor authentication protocols for all users, especially those with access to critical data such as financial transactions.
Once the low-hanging fruit of general awareness and basic safety protections are put in place, DeSilva strongly recommends construction companies maintain frequent offsite and encrypted backups of all company data, deploy a VPN for all remote access to company systems, prepare an incident response plan and ensure all SPF domains and DKIM records are properly configured.
“A comprehensive cybersecurity strategy and incident response plan,” Magner said, “helps ensure the appropriate processes and technology are in place to help mitigate risk.”