Cybersecurity continues to be a top challenge for many companies and industry sectors, and the construction industry is no different. Additionally, certain characteristics of the construction industry make businesses more susceptible to cyberattacks. For instance, the number of repeated payments throughout a project involving many trade contractors, the prevalent use of apps to automatically process monthly payments, and the extensive use of tablets on job sites make the industry vulnerable to cybersecurity incidents.

In addition to ransomware and other cyber threats, the construction industry is most vulnerable to social engineering. Social engineering is when hackers impersonate someone, such as a developer or subcontractor, to gain access to the target’s IT systems. Because developers often have a large number of invoices that are paid to subcontractors on a regular basis, hackers gain access through a single point of entry. Many people are involved in the payment process, which provides hackers with many possible ways to break into the IT system.

Businesses in the construction industry must take cybersecurity seriously. While there is no one-size-fits-all approach to cybersecurity best practices, below we share five key considerations for companies in the construction industry.

5 Cybersecurity Issues that Businesses in the Construction Industry Should Consider

1. Potential impact of a cyberattack on the project. Cyberattacks don’t just have an immediate financial impact; they can also cause significant delays in construction projects. For instance, if a hacker obtains access to an IT system of one subcontractor, it can shut down the entire Project’s computer system, causing expensive delays throughout the Project, not just one trade. When assessing your cybersecurity risks, don’t forget to evaluate project-related impacts along with financial risks.
2. Appropriate cyber and criminal insurance. Depending on the type of fraud, claims for losses from a breach of an IT system or social engineering may fall under multiple policies. The amount of cyber and criminal fraud insurance will vary depending on factors such as the size of your business, reliance on technology, and other parties involved in the construction project. For instance, high-stakes, government-funded projects will have different cyber insurance needs than a subcontractor who does electrical work on residential home construction. Talk to experienced cybersecurity and insurance professionals to better assess the appropriate amount of cyber and criminal insurance.
3. Contractual rights in the event of a cyberattack. Not only are hacking situations costly in terms of time and money, but they can also lead to disputes about who is responsible for the damage. For instance, if a hacker gains access to a subcontractor’s IT system and then impersonates the subcontractor’s billing coordinator to divert payments from the developer, who is responsible – the subcontractor because its IT system gave a hacker access, or the developer because it submitted payments to the hacker’s account?
4. Supporting documentation within the supply chain. Because cyberattacks can feel like a stack of dominoes falling, it is essential to ensure that other companies in your supply chain are also appropriately protected from cyber risks. Consider requesting supporting documentation from subcontractors, suppliers, and other parties in the supply chain regarding their cybersecurity policies, practices, and insurance to better mitigate your own cyber risks.
5. Necessary cybersecurity training. Even the most robust IT-related safeguards aren’t enough to eliminate human error. Your staff must be appropriately and frequently trained on cybersecurity risks, safety protocols, and project controls. As hackers become savvier, businesses must tailor and update their cybersecurity training efforts accordingly.

For More Information:

Two Fundamental Shifts in the New “National Cybersecurity Strategy”

Five Things Every Business Leader Should do to Protect Themselves from a Cyberattack

How to Stay Ahead of Data Security Incidents with an Incident Response Checklist

[View source.]