While there is no industry that is immune to cyber-attacks, a study by Cybersecurity Ventures, published in 2021, and a follow-up study by Safety Detectives, found that construction was the third most common industry hit by ransomware attacks. In all, it made up 13.2% of all ransomware attacks in North America.
In a ransomware attack, hackers gain access to sensitive documentation and lock it with password encryption. This could include HR files, accounting information and payroll, client information, and other sensitive documents.
But the goal of the hackers is not to take the information and exploit it—they’re not stealing credit card numbers. Instead, they send a ransom note to the owner of the information saying that if the ransom is not paid, the valuable information will never be released. It will effectively be deleted.
Construction is a ripe target for cyber attackers, primarily because most construction companies are small-to-medium-sized businesses and don’t have an in-house cybersecurity team. A study published by IBM Ponemon found that 74% of construction-related organizations have no security in place to deal with a ransomware attack, and they do not have an incident response plan.
The second reason that construction is such a ripe target is the amount of data flowing through a construction company. Whether attackers lock financial data, worksite data, or even blueprints and schematics, ransomware can cripple a contractor.
Lastly, the third reason for the cyber weakness is that construction is beginning to adopt a lot of new technology, but that technology is still very new, and most construction companies don’t have the technology infrastructure, such as a Chief Technology Officer and a cybersecurity team. While it might seem great to introduce new tech like BIM or VR, first-generation technologies are especially susceptible to attack.
Implementing cybersecurity measures is the first line of defense, but generally, virus protection software simply won’t do. Researchers have found that training is especially needed to help employees identify suspicious communications and requests that may be phishing attacks.
Further, an internal incident response plan needs to be organized before the damage is done, and it should include leadership, IT, legal, and HR. Additionally, an external incident response team should be ready: there are companies that specialize in handling ransomware and employ legal counsel, forensic investigators, and public relations.
Most of all, the recommendation is to practice, practice, practice. Drill training into your people so that they won’t fall prey to scams.
Construction is vulnerable. Contractors need to be proactive.