Construction had another rough year in 2023 dealing with cybercrime.
According to a study by encryption software firm NordLocker, construction ranked as the top industry target for cyberattacks in two of the past three years.
Of the 18 industries they surveyed, construction firms represented 12 per cent of all attacks, ahead of finance and manufacturing. Other studies suggest nearly 60 per cent of AEC firms have experienced an attack over the past two years, with general contractors the hardest hit.
It’s not only AEC firms being targeted. Cybercriminals can find a way into data systems through the client as well. Efforts to prepare against attacks require a full team effort.
Why is construction so attractive to cybercriminals?
“One reason is the industry’s reliance on many computer programs, including computer-aided design (CAD), building information modeling (BIM), and cloud-based tools for collaboration,” says NordLocker. “Another reason is many construction companies have either a limited cybersecurity plan or none at all, and haven’t adequately trained their employees on identifying cyberattacks.”
Bryce Austin, technology keynote speaker and principal of TCE Strategy, says protecting against cybercriminals doesn’t have to be an uphill battle.
“At its heart, cybersecurity is about risk mitigation. Just like other risks, there’s no way to guarantee a data security event will never happen. All we can do is be well prepared, if or when it does.”
It’s important to recognize where attacks come from and to be proactive. Actions can range from simply quantifying the risk and accepting it, mitigating existing risks to an acceptable level, or even transferring them to a third party.
One of the most popular lines of attack used by cybercriminals is “phishing.” It’s not complicated. Employees receive fraudulent emails that compel them to respond, potentially inducing them to reveal important personal information like credit card or social security numbers.
Austin also cites other strategies, such as “hopping, scraping, aggregating and exfiltrating.” All of these involve targeting sensitive corporate or third-party data.
Austin explains the industry is also vulnerable due to multiple bills and vendors. This creates a risk for false requests for payment through wire transfers. Money is lost, but more importantly a false request could open a path for criminals into the company’s payment processes. He recommends a simple solution of phone calls made directly between individuals familiar with each other prior to any release of funds.
Continual training and awareness need to take place across all those personnel having access, directly or indirectly, to critical data.
Multifactor authentication when logging into systems and devices, secure administrator credentials and backups through a trusted third-party cloud provider are protective processes becoming more popular as well.
However, as Austin points out, “Some cloud providers take cybersecurity much more seriously than others. Choose your cloud provider wisely.”
One of the most heinous consequences of a cybercrime is a ransomware attack, when attackers demand payments to either unfreeze computer systems or return data. The majority of victim companies feel they have little option but to pay.
An approach companies can use to reduce the risk of a ransomware attack is to use encryption keys at their end.
“Encrypting sensitive files helps prevent attackers from gaining access to that information,” says technology services company InterVision. It also prevents an attacker from using your information, should your files fall into their hands during a breach.
New developments may offer the possibility of reversing the encryption processes often used by cybercriminals after they steal files.
Nubeva Technologies, a cybersecurity company specializing in decryption, recently announced successful results of third-party evaluations of its Ransomware Reversal technology conducted by cybersecurity non-profit MISI. The company’s patented technology enables fast and easy recovery from such attacks, eliminating the need to pay ransoms.
Damage from cyberattacks is expected to grow to over $10 trillion globally by 2025. With the construction industry clearly exposed, constant attention and adaptation is required. It sounds like a great new year’s resolution.
John Bleasby is a Coldwater, Ont.-based freelance writer. Send comments and Inside Innovation column ideas to editor@dailycommercialnews.com.
Recent Comments
comments for this post are closed