com bat ing cy b er s ec u r i t y r i sk
THE RISE OF CYBERSECURITY RISK IN THE CONSTRUCTION INDUSTRY BY: DAVID FRIEDENBERG, MANAGER IN IT ADVISORY SERVICES, WEAVER
Reprinted from Construction Executive, Saturday, September 26, 2020, a publication of Associated Builders and Contractors. Copyright 2020. All rights reserved.
Cybersecurity attacks are making headlines these days, and the construction industry is not immune. For some construction companies, recent ransomware attacks have led to the loss of confidential data or a systems shutdown. Cyberattacks can take many forms, and as they adopt more technological solutions, construction companies need to prepare to defend themselves. From project, team and customer relationship software to drones and autonomous construction machinery, the construction industry technology has replaced paper documents such as project drawings, purchase orders, field directives and time cards. A company’s major assets are no longer just materials and equipment, but also technology devices that provide critical services and often represent significant investments. WITH THE ADOPTION OF TECHNOLOGY COMES THE RISK OF CYBERATTACK Recent news examples of cyberattacks in the construction industry include ransomware attacks on Bird Construction in December 2019 and Bouygues Construction in January 2020. Ransomware works by encrypting the data within the breached system, preventing companies from accessing the data and critical systems without the encryption key, which is held by the attacker. The attackers then demand a sum of money to provide the key to decrypt the data; usually, requiring the ransom be remitted in cryptocurrency, such as bitcoin. Refusing to pay may result in not being able to access company data or systems in the near term, if at all. Paying the ransom creates a bigger market for this type of attack. Ransomware is not the only threat. And ransoms are not the only damages. Here are a few of other threats
to a business from cyberattacks: • Down time. The construction industry is heavily reliant on the ability to deliver projects per a timeline. An attack on company software or equipment can put this in jeopardy. Few project timelines can absorb 12.1 days of reduced productivity. • Breach of intellectual property. If the company has highly sensitive blue prints or schematics, a breach of these could mean major reputational damage and potentially lawsuits. • Breach of bid data. Having bid strategies accessed inappropriately can lead to loss of competitive advantage or job loss. • Workforce injuries. If autonomous equipment is overtaken, or physical access restrictions are ineffective, the result can be bodily injury to the workforce. • Property damage. Compromised equipment could cause or allow damage to additional equipment or facilities. WHAT CAN CONSTRUCTION COMPANIES DO TO PROTECT THEIR ASSETS FROM CYBERSECURITY RISKS? According to the 2020 Verizon Data Breach Investigations Report, 67% of all 2019 confirmed data breaches were due to leaked user credentials, misconfigured cloud assets and web applications, and social media attacks, such as phishing. This means implementing good, common sense controls and processes can prevent a large majority of attacks. Start with an asset inventory to clearly CONTINUED ON PAGE 10
9
www.abcpelican.org/newsletter
