Increased digitization is helping construction companies work more safely and efficiently, writes commercial underwriter Northbridge Insurance.
Yet as more enterprises embrace robotics and automated systems, that growth comes alongside increased risks.
“The digital revolution is a double-edged sword for construction companies,” Northbridge says. “As construction and contracting technology is used more frequently on and offsite, cyber risks in construction continue to grow. The more computerized technology you use, the more vulnerable your business could become to things like ransomware, spear phishing scams, cyber fraud and digital hijacking.”
What is worrying is that a 2024 Munich Re survey, covering all industries on a global basis, found 87 per cent of corporate managers felt their companies were not adequately protected against cyber risks.
Few industries are as interconnected as construction. A normal part of conducting business requires third parties to have access to critical company data.
“Analyzing third-party risks continues to be a growing factor for construction companies, especially as more organizations are relying heavily on these partnerships,” writes Kristina Brown, senior manager, cybersecurity at security advisory firm Aprio. “This reliance on third parties has created unique vulnerabilities, as the cybersecurity measures in place between a construction company and a third-party lack consistent protocol.”
Alongside the various internal risks at the company head office that must be addressed, Brown also points to construction site offices located away from company headquarters. The data links between them can open up vulnerabilities that threat actors can exploit.
The assets Northbridge warns are “most targeted” and could be held for ransom by hackers include architectural and engineering drawings, intellectual design property, financial information, personal information and detailed account information. Hackers might also target the accounts of contractors or subcontractors to gain access to client information.
Independent brokerage and consulting firm Woodruff Sawyer cites fake invoices and payment instructions as another common attack approach used by hackers. Another is spoofing, described as the impersonation of the victim company’s executives, customers or business partners such as a supplier, attorney or a supplier company CEO.
When hacks happen, there can be serious consequences. Consider the well-publicized case of Turner Construction in 2020. An employee mistakenly forwarded sensitive tax and earnings information to a fraudulent email address, placing 5,600 North American employees at risk of identity theft.
Developing a strong cyber security culture within the company, particularly when sharing data or emails with project partners, is often spoken of as the foundation of a cyber threat mitigation program. Brown goes further and suggests a couple of other strategies that every construction firm should adopt.
One is “penetration testing and vulnerability scanning.” These are either automated or hands-on simulated attacks that attempt to exploit and expose vulnerabilities in a network. Penetration tests are often used as a detective control to assess the effectiveness of an organization’s security measures. Another suggestion is regular cyber risk maturity assessments that give a detailed evaluation of an organization’s ability to manage and respond to cybersecurity threats.
Unfortunately, cyber risk consultancy Prevalent’s fifth annual Third-Party Risk Management Study suggests many organizations are making very little progress towards mitigating the risks of third-party security incidents.
Vivek Gupta, practice leader for IT advisory at Welch LLP, says most have not made the necessary investment in cybersecurity infrastructure, which is coupled with complex supply chains and reliance on outdated legacy data systems. This can make a construction company an easy target.
Big companies are not the only ones at risk. Even though attacks against large entities involve the largest dollar amounts, NetDiligence’s 2024 cyber claims study, based on analysis of over 10,000 incident claims from 2019 to 2023, revealed 98 per cent of claims were from SMEs with annual revenue under $2 billion.
“We continue to see SME clients transform their businesses to be more reliant on digital systems while failing to understand the inherent risks that come from complex digital ecosystems,” says Alden Hutchison, principal at management consultancy RSM US LLP.
John Bleasby is a freelance writer. Send comments and Inside Innovation column ideas to editor@dailycommercialnews.com.