Construction companies embracing the exciting forms of technology sweeping the building landscape need to better understand the security risks to their sensitive data. They also need to be proactive.
Increased digitization of processes and integration of new software platforms into project modeling and day-to-day operations is leaving contractors increasingly vulnerable.
The recent cyberattack of Bird Construction confirms this. “Contractors are different than many other businesses in that they collaborate in a digital environment with many project stakeholders to bid on and perform work,” says global professional services firm Marsh McLennan.
The large number of collaborative trade partners and the increased use of mobile devices — phones, tablets and laptops —offer a variety of gateways for cyberattacks. “Building information modeling, geographic information systems, and integrated project delivery are quickly becoming cornerstones of the industry. And construction equipment and control systems are expected to become increasingly automated in the years ahead.”
When it comes to targets, size really doesn’t matter. Global insurer Chubb says that companies with 250 or more employees are twice as likely to be victims of cyberattacks as those with less than 50. Specific to construction, however, contractors of all sizes need to be concerned — it’s all about the domino effect when designers, suppliers and trade partners share or have access to critical data. Construction is further vulnerable due to the industry’s fluid work force and relatively high levels of employee turnover.
Cyberattacks have several effects. Breeches can compromise sensitive project and employee data. They can seriously erode trust in the company’s brand and reputation. Internally, cyberattacks cause downtime and costly delays while data breeches are repaired. And of course, there is the risk of a high-priced ransom demand from the attackers.
Things will likely get worse. Dr. Merrick S. Watchorn, Ethical Council for the Global Advisory Board for Computer Hacking, says cyber attackers are becoming emboldened due to the low costs and low risks associated with an attack versus the potentially high monetary return. He further explains that advanced cyber attackers are taking their time — intruding quietly and undetected, and then mining data slowly.
Watchorn also cautions that cyberattacks using Artificial Intelligence (AI) will be the next wave. “AI is nothing more than a series of steps and procedures based on an interaction. The programmer can say, ‘If this happens do this, and if this happens do that.’ Remember, this can be done at computer speed.”
The good news is that even the simplest procedures can pre-empt many cyberattacks, says the Online Trust Alliance, an initiative launched by global cause-driven organization The Internet Society. In their 2017 Cyber Incident & Breach Trends Report, they say, “93 per cent of breaches [in 2017] could have been avoided had simple steps been taken, such as regularly updating software, blocking fake email messages by using email authentication and training people to recognize phishing attacks.”
These basic steps are supported by experts like Watchhorn, who identifies humans as the weakest link. Third party consultancy services can offer the required employee training at all levels to help companies identify and prioritize areas of risk and to regularly evaluate control procedures. An increasing number of companies are also turning to insurance for protection against breeches. Some insurers offer policies that will fund possible ransom demands, although security experts caution that this only serves to embolden ransomware attackers.
Statistics Canada says that Canadian businesses spent $14 billion in 2017 to defend against cyberattacks. At the same time, more than 20 per cent of companies claim to have been victims of data breeches. In fact, the number of cyberattacks globally doubled from 2016 to 2017, according to Infosecurity Magazine.
Yet despite the increasing number and sophistication of cyberattacks, California-based research firm Ovum found that 84 per cent of the Canadian executives they surveyed felt their organization was “better than average” or a “top performer” in terms of cyber security.
Over confidence? Maybe. If so, it could represent a serious disconnect between current perceptions and future risks that must be bridged.
John Bleasby is a Coldwater, Ont. based freelance writer. Send comments and Inside Innovation column ideas to firstname.lastname@example.org.