This article was originally published in Construction Today (September 2023). Reproduced with permission. © 2023 Finelight Media Group.

The adoption of new and advanced technologies has allowed for a digital transformation across business industries. Infrastructure and services supported by technologies such as artificial intelligence (AI), advanced analytics (AA), cyber-physical systems (CPS), machine learning (ML), and robotics have paved the way for increased productivity, efficiency, connectivity, and stronger service offerings. However, the unpredictable risks and challenges embedded within the digital era, particularly as related to cybersecurity, are often overlooked in the excitement of embracing new technologies. The limited regulation and guidance in the construction industry, paired with both the incredible advancement in technology and the ever-evolving threat landscape, has resulted in the construction industry being one of the industries most impacted by cybersecurity incidents.

The construction industry has not traditionally been associated with cybersecurity concerns because of the misguided perception that it handles and stores limited personal and sensitive information. However, regardless of the industry, a cybersecurity threat can expose all of a company’s digital assets, including proprietary business plans, acquisition strategies, employee and client data, and other confidential information. The construction industry is not immune to these data security concerns and is also faced with arguably even more data at risk given its heavy dependence on third parties, including subcontractors and off-site manufacturing vendors. The personally identifiable information (PII) and, where relevant, the protected health information (PHI) of employees, contractors, and third parties that is collected, stored, and shared during construction projects provides ample opportunity for intrusion across multiple working streams and transactions; the advancement of digital project management solutions such as Building Information Model (BIM) renders this data more immediately exploitable.

Exposure of proprietary construction plans and designs, facilities security information, and other valuable interpersonal property (IP) also poses a physical security risk to a construction project’s success and longevity. No matter the type of confidential information, a data compromise can severely interrupt the building process and cause potential delays on project sites, ultimately harming the company’s reputation.

In addition to misperceptions around the amount of sensitive personal information and business data handled by construction companies, the construction industry is notoriously slow in keeping up with relevant privacy and security regulations. This is due to several factors:

• Most project costs are incurred by contractors, who are trying to reduce overhead costs. Effective and meaningful technology and software implementation and the accompanying data privacy and security compliance require a dedicated corporate resource, which eats into a contractors’ profitability.
• Construction projects are schedule driven—delays to the project schedule costs money. Implementing and monitoring compliance with policies and procedures can take a tremendous amount of time on the part of the contractors. With tight schedules and shrinking profit margins, contractors can be slow to implement required processes, especially if compliance requires additional personnel.
• The intrinsic culture and resistance to change that exists within the industry can make it difficult to embrace the associated challenges that come with new technologies and processes if international standards are not used as guidance.

In addition, the industry is largely unregulated, which has contributed to a lack of preparedness and the tendency to overlook critical data governance initiatives. In 2021, a report by IBM Ponemon found that 74% of organizations within the construction industry are not prepared for cyber attacks and do not have an incident response plan in place.[1]

Among the biggest cybersecurity risks facing the construction industry are ransomware and data theft. Although construction companies have continued to adopt and rely upon next-generation technology solutions, the majority of these companies operate end-of-life (EOL) operating systems using inadequate firewalls without sufficient baseline security controls in place. In 2022, K2 Integrity was retained by a U.S. property management and construction company that had suffered a data breach and owed ransom to an unknown threat actor. K2 Integrity’s investigation determined that one of the construction company’s third-party vendors was behind the incident, constituting an insider threat, and that the vendor was acting under the guise of the construction company to successfully extort clients, including the construction company itself, for financial gain. The information technology assessment conducted by K2 Integrity after the investigation found that poor access management and weak cybersecurity controls at the construction company resulted in unauthorized access by the third party.

According to Cybersecurity Ventures, in 2021, construction-related companies were among the third most common industries to experience ransomware attacks that year, with 13.2% of firms reporting at least one attack.[2] And the construction industry continues to be named as one of the most commonly targeted industries, with manufacturing and industrial sectors experiencing the most ransomware and extortion incidents, according to the 2023 Q1 KELA Cyber Threat Intelligence report.[3]

Construction companies now have the burden of ensuring the integrity of data is preserved and its availability is managed with proper access controls. As the industry shifts from traditional legacy information technology (IT) to digital acceleration plans, its cybersecurity standpoint needs to evolve from perimeter-based to data-oriented and risk-based. Advanced network design, segmentation, robust detection, and appropriate incident response are among the initiatives that need to be deployed to minimize the business impact of a cyber incident. Not all construction companies are equally vulnerable to cyber attacks given the nature of their business, access to information, and reliance on advanced technologies; however, without a proactive stance on cybersecurity, the construction industry remains susceptible to security incidents.

As the construction industry continues to grow, it must also ensure that its cybersecurity defenses are bolstered to prevent project disruptions, delays, and financial losses. K2 Integrity is prepared and ready to assist construction companies from both a proactive and reactive standpoint when it comes to cybersecurity concerns. Our team of Construction and Real Estate (CRE) and Cyber Risk Services (CRS) professionals have years of experience in understanding how to identify, prevent, and manage security risk within the construction sector. By engaging in K2 Integrity services such as cybersecurity assessments; training, education, and awareness measures; policies and procedures augmentation; supply chain risk management; and data governance initiatives, construction companies can limit the entry points of attack and keep their data secure.

[1] “Construction Industry: Data Security Considerations,” The National Law Review, 1 April 2022: https://www.natlawreview.com/article/construction-industry-data-security-considerations.

[2] “Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031,” Cybersecurity Ventures, 7 July 2023: https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031; “Cyber Risk and the Construction Supply Chain,” Marsh McLennan Agency, April 2021: https://www.marshmclennan.com/insights/publications/2021/april-/cyber-risk-and-the-construction-supply-chain.html.

[3] “Ransomware and Victims and Network Access Sales in Q1 2023,” KELA Cybercrime Intelligence Center, 2023: https://www.kelacyber.com/wp-content/uploads/2023/04/KELA_Research_Q1-2023_ransomware-and-network-access-sales.pdf.