Written by: John Iannarelli, FBI Special Agent (Ret.), The JI Consulting Group, LLC
Why should the construction industry be concerned about a cyber-attack? At first glance, construction is about hammers, nails, rebar, and concrete; not software, bandwidth or gigabytes. However, in today’s world, construction companies also rely on computer networks and servers, proprietary information, and their employees. This means that a construction company can be hacked, its employee information can be stolen, and company information such as confidential bids, client lists, and new business development opportunities can be hijacked – all of which puts the construction company, its vendor partners, and the industry at risk for a cyber-attack.
Cell phones, web access, data storage, 3D printers and the use of drones have all made the construction business vulnerable to cybercriminals, who target the industry for both money and proprietary information. If it can be stolen -- whether it is your employees’ social security number, your plans to submit for a future bid, or contact information for all your clients and customers -- it can be sold. Additionally, the construction industry is increasingly dependent on the Internet to facilitate the integration of building projects and information, which is regularly accessed online by numerous collaborators. Any of these authorized users can unintentionally introduce a computer virus into a shared system affecting. As vendors and subcontractors also have connectivity to these shared networks, the risk increases of a cyber incident involving one company which will become a vulnerability that impacts all of the other business associates and partners.
Furthermore, cybersecurity is not necessarily a construction company’s primary concern, making the industry an even more attractive target to cybercriminals. This is especially true for small and medium-size businesses who often believe they are under the radar of those whom commit cybercrimes. While all companies have a certain level of risk, cybercriminals know smaller-scale companies dedicate less time and money on cybersecurity, which makes them more likely to be targeted than a larger competitor with greater resources to address the threats. For example, in 2018, a 15-person Oregon construction company was the victim of a cyber-attack by a hostile foreign government that hacked into the company’s email system, gaining access to clients and bids, and causing a disruption to the company’s work projects.
Cyber threats can expose a construction company’s digital assets, to include electronic business plans and acquisition strategies, proprietary designs, customer and supplier lists, construction pricing otherwise not known by competitors, and all the personally identifiable information of employees and contractors. The same attack that can jeopardize all this information can also simultaneously shut down a construction company’s network or destroy essential information, further delaying operations and causing a loss of productivity.
Cyber attackers can also take control of security cameras and control systems, creating the potential for property damage and endangering safety of workers. Employees and vendors are likewise victimized, as malware placed on the network can shut down payroll and payments. In response to a cyber-attack, there is the added cost of hiring cyber professionals to fix the problem, along with attorney fees for the forthcoming lawsuits, and regulatory fines for what might have otherwise been avoidable compliance failures. Finally, there is the reputational damage as the breach is announced in the press, which will impact the construction company’s branding and ability to conduct future business.
The first step in protecting the construction industry from a cyber-attack is to understand the threats. All employees of a construction firm should be educated as to cyber threats, such as how to recognize a suspicious email that requests an otherwise unauthorized payment, demands a password change, or insists upon an immediate software update.
Phishing is a common cybercrime, whereby the cybercriminal sends an email with an attachment that, when clicked on, will download malware onto the company’s computer system. In doing so, the malware enables cybercriminals access to steal sensitive information from the company’s network, such as bank account information, credit cards numbers, and private email messages. However, an employee trained to first think before they click can be the best defense against a malware attack.
Another common cyber scam is the Business Email Compromise, where the cybercriminal hacks into the company’s network and reviews the email traffic. Upon determining who handles the company’s financial transactions, the cybercriminal will pretend to be a vendor awaiting payment and provide false wiring instructions. In some cases, the cybercriminal will impersonate a company executive and demand that money be transferred immediately to the provided wiring instructions. Awareness of this cybercrime, and having protocols in place that govern how money is transferred out of the business, can keep a construction company from becoming a Business Email Compromise victim.
The development of cybersecurity policies is another solid step for construction companies seeking to protect themselves from a cyber-attack. These policies should identify not only the proper actions to prevent cyber breaches, but also outline the protocols to be followed if a breach has occurred, to include who will lead the recovery. These policies should be disseminated and discussed at least annually so that every employee is trained to recognize the latest cyber threats and undertake the associated precautions.
Furthermore, regardless of the company’s size, every construction business should have basic technological cyber defenses in place, to include setting up secure firewalls and web filtering software to prevent employees from accessing nefarious websites that can contain malware. Although these steps cannot eliminate every cyber risk, these efforts can greatly reduce the likelihood of an incident and make the construction business a less attractive target, perhaps causing the cybercriminal to look elsewhere for another victim.
In business, construction companies are dependent on their ability to meet project deadlines. This dependency ha
s always included the need to be resilient and prepared to address external disruptions. In the age of the Internet, cybercrime has become another of the potential disruptions. However, by undertaking cybersecurity best practices, the construction industry can continue to maintain the same level resiliency and focus their best efforts on the business of building.
John Iannarelli retired from the FBI after more than 20 years of service, during which time he was a member of the FBI SWAT Team and participated in the investigations of the Oklahoma City Bombing, the 9/11 attack, and Congresswoman Gabrielle Giffords’ shooting. John can be contacted for consulting or training for your cyber issue needs by phone 855-910-0411, email John@FBIJohn.com, or on Twitter @FBIJohn. His website is at www.FBIJohn.com.