Written by Simon Hughes, SVP of Global Distribution & GM UK, Cowbell
In an increasingly digital world, today’s construction industry is at somewhat of a crossroads, seeing innovation meet vulnerability.
On the one hand, the rapid integration of advanced technologies – from Building Information Modeling (BIM) and project management software, to cloud-based collaboration tools and IoT devices – has revolutionised how construction projects are designed, managed, and executed. In fact, RICS’ Digitalisation in Construction Report 2023 shows a 43% rise in construction firms consistently using digital processes compared to 2022, supporting areas including cost estimation, prediction, planning, and control, as well as enhancing progress monitoring and health, safety, and even wellbeing.
On the other hand, however, this digital transformation – despite its benefits – also opens the door to significant cyber threats, with some of the top trends including:
- Tech lacking robust security controls: Some of the advanced technologies utilised by the industry – particularly IoT devices such as sensors, drones, wearables, and smart machinery – often lack robust security controls, drawing attention from potential attackers.
- Remote workers using unsecured networks or devices: An increased reliance on remote collaboration tools and cloud services – a trend that originated during COVID-19, but has continued – also widens the scope for phishing attacks, malware infections, and unauthorised access, if remote workers use unsecured networks or devices.
- Interconnected nature of the supply chain amplifying cybersecurity risks: The numerous vendors, subcontractors, and suppliers that construction firms rely on each represent a potential weak link in the cybersecurity chain. Any supply chain attacks targeting these entities can then have a cascading effect, impacting multiple stakeholders involved in construction projects.
Couple these issues with the fact that construction businesses often have high cash flow, make a large number of high-value payments between subcontractors and suppliers, and process – and have access to – valuable data, and they’re not just an attractive target for cybercriminals, but an easy one.
As such, it’s unsurprising to see an increase in construction-based cyberattacks across the world. From UK-based Bam Construct’s attack, which disrupted its IT systems and affected ongoing projects, to the US-based Turner Construction Company’s ransomware attack by the Maze group, which stole and encrypted sensitive data, including personal information and project details, these breaches really highlight the construction sector’s vulnerabilities and the critical importance of cybersecurity.
For a construction business that is not properly prepared, protected and educated on cybersecurity, the disruption from an attack can be catastrophic: downtime, delays in project timelines, loss of bids, reduced productivity, financial implications, reputational damage, and loss of trust and further business.
8 steps to bolstering cybersecurity
With this in mind, construction businesses need to action the following steps to protect their operations, ensure project continuity, and maintain their reputation in an increasingly digital world:
Step 1 – Implement cybersecurity awareness training: Lack of employee training continues to leave construction businesses woefully unprepared and vulnerable. As such, employee training and awareness about potential cyber threats is top of the list. Whether it be phishing attempts, malware or another threat, if staff know how to recognise and respond to them effectively, the likelihood of successful attacks will be greatly reduced. While it’s harder to enforce strict IT security protocols with temps, and office-based workers are likely to be better trained and aware of cyber risks, all employees, whether manual or office-based, temporary or permanent, are likely to need access to sensitive information, and therefore need cybersecurity training. Enforcing strict privileged access controls might also help alleviate issues.
Step 2 – Implement Multi-Factor Authentication (MFA): Ensure you and your team use MFA (whereby you must provide multiple forms of identification to access systems or data) for an extra layer of security – especially for email, banking and purchasing. For little extra effort and no financial investment, it will reduce the risk of unauthorised access in case passwords are compromised.
Step 3 – Back up data: Regularly backing up critical data ensures that even if systems are compromised or data is lost due to cyberattacks, businesses can recover their information and continue operations with minimal disruption.
Step 4 – Keep devices and apps up to date: Keep phones, laptops, computers and tablets up to date at all times, ensuring manufacturers’ regular security updates are loaded to protect devices. It’s another quick, easy, and cost-free tip.
Step 5 – Review your supply chain: Having a clear picture of your supply chain is essential for securing it. Ensure you have a comprehensive list of all your suppliers and partners, and identify the highest priority ones based on risk. Include subcontractors, starting with your top-priority direct suppliers. You can then conduct regular security audits to identify and mitigate vulnerabilities, and ensure all partners adhere to the same stringent cybersecurity standards as your organisation.
Step 6 – Create an Incident Response Plan (IRP): Develop an IRP that outlines procedures and protocols to be followed in the event of a cyber incident, ensuring that you can respond effectively and resume operations quickly. Coordinated IRPs that include supply chain partners are also a sensible idea, ensuring a swift and unified response to any breach.
Step 7 – Cyber insurance: Cyber insurance can provide an additional layer of protection and financial support in the event of a cyber incident. Many cyber insurers will also be familiar with construction challenges and opportunities, and provide additional resources and guidance, such as:
- Understanding and acknowledging uncertainty to build resilience and excellence in underwriting practices.
- Harnessing the power of data analytics, AI and other technologies to gain insights into risk patterns, identify emerging trends, and enhance decision-making processes.
- Developing a culture of continuous learning and adaptation.
- Segmenting risks based on their unique characteristics, which allows insurers to tailor coverage and pricing strategies effectively. In terms of construction, this might include delays in manufacturing operations, which can create a significant disruption in supply chains, or losing bids to competitors due to a cyber incident.
Step 8 – Learn from past incidents: Finally, should an incident occur – and the chances are it will at some point – it’s important to review what has happened, learn from any mistakes, and take action to reduce the likelihood of it happening again. As well as reviewing any actions taken during your response, ensure you review and update your IRP, and where necessary, make changes.