By now, most contractors are well aware of the threat of cyberattacks. However, at least one recent survey indicates that many construction companies still aren’t adequately protecting themselves.
In mid-October, insurance giant Travelers released the results of its 11th annual Travelers Risk Index. On the one hand, the survey found that 80% of responding contractors “believe having proper cybersecurity controls in place is critical.” On the other, more than half (56%) don’t have an incident response plan, and almost half (45%) don’t use multifactor authentication.
Construction as a target
The construction industry has been historically slow to adapt to new technologies. So, it’s not entirely surprising that many construction companies lag in cybersecurity. But make no mistake: The danger is real.
Contractors are attractive targets for cybercriminals — not only because of the mobile nature of your operations, but also because of the many ways cyberattacks can do damage. Examples include:
- Disrupting or delaying projects with a ransomware or malware attack,
- Disclosing confidential bid information,
- Stealing business or personal data of project owners or other participants, and
- Copying proprietary designs, blueprints or specifications.
Cybercriminals can also cause property damage or bodily injury by deleting data, altering building plans, interfering with security or safety systems, and virtually tampering with internet-connected vehicles or equipment.
Bear in mind that critical third parties in your supply chain can be victimized, too. Cyberattacks on suppliers and vendors can interfere with your ability to obtain fuel and materials, negatively affecting project timelines.
Internal controls
To better protect your company, regularly conduct cybersecurity assessments. These involve taking inventory of your hardware and software, as well as mapping your network, data flows and access points. Also, identify all your users. They may include not only employees, but also vendors and project partners such as architects, engineers and subcontractors.
Ultimately, you want to spot every potential vulnerability. Armed with this information, you can then implement internal controls and external protections to reduce the risk of a breach. Just as important, thorough assessments should enable you to develop and continuously improve an incident response plan to mitigate the damage if a cyberattack occurs.
Many internal controls related to cybersecurity are probably familiar to you by now, but they’re worth reviewing. Standard measures include:
- Requiring strong, regularly changed passwords,
- Using multifactor authentication to further prevent unauthorized access, and
- Implementing endpoint detection and response tools to monitor for and prevent intrusions.
In addition, keep mobile devices and computers current with the latest updates and security patches. Educate employees to help them identify and avoid phishing attacks and other threats. Staff training is essential because most cybersecurity breaches originate from human error rather than technological failures.
Another critical strategy is to follow rigorous backup protocols to ensure that you can resume operations quickly if a cybercriminal destroys or blocks access to your data. Backups should be encrypted, stored off-site and segregated from everyday systems to ensure they’re accessible in the event your main network is compromised.
A strong defense
Another interesting stat raised by the Travelers survey is that 50% of responding construction businesses lack cyberinsurance. Indeed, the right policy can help mitigate the financial impact of many types of cyberattacks. But it’s important to shop carefully and work with an insurer familiar with your company and the industry. Contact our firm for help identifying and managing all the costs of establishing and maintaining strong cybersecurity.
© 2024