The Importance of Cyber Security in the Construction Industry
The time when cyber risk was mostly a data breach-related issue is over. With the explosion in ransomware attacks, business email compromises, fraud and stolen credentials, cyber is now everyone’s risk. And as it continues to increase, construction companies have become a target.
Ransomware: The No. 1 Cyber Threat
In construction, cyber risks may not seem like a relevant issue. The construction industry may not seem like an obvious target of cyber criminals compared to industries like healthcare, retail or technology – but that’s changing.
Earlier this year, Canadian contractor Bird Construction and French contractor Bouygues Construction were both hit by ransomware attacks. Ransomware attacks often focus on companies that will be immediately impacted by the disruption caused by the attack. Construction companies are likely being targeted because of their limited awareness of cyber risks and their lack of cybersecurity.
In addition, ransomware can cause a substantial interruption to the complex supply chain of construction projects. And as attacks become more sophisticated, ransom demands have gone up dramatically. In fact, it’s not uncommon to have ransom demands in the range of several millions of dollars – that’s on top of the interruption loss incurred even when the ransom is paid.
Construction Companies Are Prone to Business Email Compromise Fraud
A unique feature of the construction industry is the extensive use of sub-contractors and suppliers, which involves a high degree of payments flowing to and from construction companies. Additionally, construction projects are often part of a public bidding process. The details in this process include information about the project and the winners. This makes construction companies an attractive target for business email compromise fraud. This is a deception scam where cyber criminals send fraudulent email messages disguised as legitimate invoices or wire transfer requests. The money is then transferred to the criminal’s account instead of the actual payee. In 2019, almost 24,000 of these incidents were reported to the FBI for a total of $1.8 billion in stolen funds.
Contractors Are Vulnerable to Having Their Credentials Stolen
Many times, contractors have open data connections with their customers for things like electronic bill paying and project management. When these connections are linked to their customers’ other important systems, it creates an environment for cyber attackers who’d like nothing more than to steal as much information as they can. And once they have the contractor’s credentials, those cybercriminals can take valuable information from the contractor’s customers.
What Can Construction Companies Do To Protect Themselves From Cyber Threats?
Everything has to start with cyber risk awareness and understanding what the financial impact can be to the business in the event of a successful attack. Social engineering continues to be an integral part of many attacks simply because it’s the path of least resistance. As it relates to business email compromise fraud, it’s the main attack method.
When it comes to ransomware attacks, criminals exploit a number of critical vulnerabilities in systems and applications that are used by most businesses, such as Microsoft’s operating system and VPN applications for remote access.
Outside of standard technical cybersecurity protections, the following measures can greatly reduce construction companies’ exposure to cyber threats:
- Employee cyber risk awareness training, including anti-phishing exercises.
- Requiring strong passwords and using multi-factor authentication for users with access to critical data and applications or involved with wire transfer changes or approvals.
- Having a procedure in place to authenticate the legitimacy of requests for payment and changes to wire transfer instructions.
- Maintaining good open port hygiene and only running those operating system services that are absolutely required for the network operation. Remote desktop protocol is an example of a commonly exploited service in ransomware attacks that is rarely critical to operations and should be shut off.
- Ensuring that critical vulnerabilities are patched within 30 days of release by the vendor.
- Maintaining frequent back-ups and encrypting or storing back-ups off-line to prevent cyber criminals from encrypting or destroying the back-up as part of the attack.
- Using VPN for remote access. For organizations with remote users, the VPN provides a secure channel through the Internet to the organization’s private network.
- Preparing for the worst with an incident response plan (IRP). This prescribes the way a business will respond to and manage the effects of a security attack.
The Hartford’s Cyber Insurance Offering
Even with strong security in place, businesses can still fall victim to costly cyberattacks. That’s why cyber risk coverage is important to help protect a business.
As a policyholder of The Hartford, CyberChoice customers can receive complimentary ransomware prevention services. These services can help protect businesses against phishing attacks and open-port vulnerabilities, which are the root causes of nearly 90% of ransomware attacks.
CyberChoice customers can access:
Bitsight reporting, which can help businesses identify and address open-port vulnerabilities. The report can provide a measurement of a company’s cybersecurity performance. Customers can get a complementary consultation with Bitsight to help them understand and respond to the results. Be sure to check the box to request a complementary ePlus consultation.
After receiving your report, an ePlus expert will contact you to initiate your complimentary ePlus Cybersecurity Improvement Consultation, available to The Hartford’s Cyber Risk and Technology policyholders. This consultation interprets the BitSight report and assists your organization by defining which improvements will be most effective in the defense against most common cyberattacks.
For more information, contact an agent or broker or visit our CyberChoice product page.
The information provided in these materials is intended to be general and advisory in nature. It shall not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) be an appropriate legal or business practice. The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations or operations are safe or healthful, or are in compliance with any law, rule or regulation. Readers seeking to resolve specific safety, legal or business issues or concerns related to the information provided in these materials should consult their safety consultant, attorney or business advisors. All information and representations contained herein are as of January 2021.
