Anita Molitor, Cyber Specialist at GrECo Specialty, identifies why the industry is increasingly vulnerable to cyber threats and what construction businesses can do to protect themselves.
The construction industry witnessed a whopping 40% increase in cyber threats and attacks between 2022 and 2023, topping the list of industries in ReliaQuest’s Annual Cyber Report 2023. What’s more, predictions show that this figure will continue to rise.
1. New technologies
The construction industry, heavily reliant on technology and third-party vendors, has seen rapid digitalisation transform systems, devices, and its very way of working. As more and more companies adopt innovative tools like Building Information Modelling (BIM), robotics, drones, smartphone apps, construction management software, and Internet of Things (IoT) devices, the attack surface for cybercriminals expands significantly. While threat actors have noticed this vulnerability, many others have not.
Take for example a Building Management System (BMS) – a central hub which oversees building operations, and integrates various systems like HVAC, energy, security, and water into one smart, centralised platform. This tool optimises energy efficiency and improves building comfort and security, and when combined with smart buildings, almost everything can be controlled remotely. However, the risk with these new technologies is their connection to other networks. If not secured, they become vulnerable to cyber-attacks, potentially allowing hackers to control critical systems. While these technologies can help projects stay within budget, they offer no protection when a cyber-attack disrupts operations.
2. Underdeveloped cyber security
The pace of digitalisation in the construction industry has outstripped investment in cybersecurity. Companies are implementing new technologies but skimping on the necessary cyber architecture and security experts. Additionally, outdated devices and software without updates are common on construction sites, creating perfect backdoors for cyber-attacks. A single unprotected device can compromise an entire system.
3. Lack of awareness and training
A lack of awareness and training further exacerbates the vulnerability of companies. Employees may not recognise phishing attempts, malware or other cyber threats, which can lead to unintentional actions such as clicking on malicious links or downloading harmful attachments. The results can be catastrophic. Furthermore, employees who are inadequately trained in cybersecurity protocols or unaware of cybersecurity best practices may not know how to respond effectively to security breaches. The longer the delay in responding to an incident, the more time a cyber criminal has to exploit vulnerabilities and cause greater damage.
4. Lack of regulations
The NIS2 directive aims to ensure high-level cybersecurity across 15 industries, but the construction industry is not among them. This lack of regulatory pressure means there is little incentive to develop robust cyber hygiene. Nevertheless, it is strongly recommended to follow NIS2 requirements to safeguard the company’s clients and vendors.
5. Supply chain vulnerabilities
The construction industry relies heavily on suppliers, subcontractors, and vendors. Third-party cyber risks include potential data breaches due to vulnerabilities within a vendor’s IT environment, leading to financial, reputational, and regulatory consequences.
6. Common misconceptions
Many companies believe their data is not valuable or that they are too small to be targeted. However, information about employees and blueprints is highly valuable. Small companies are easy targets, and through them, cybercriminals can access larger suppliers. Some companies think they can handle cyber-attacks on their own, but without the right experts and knowledge, this is a risky assumption.
How can the industry mitigate cyber threats?
The primary cyber risks for construction companies include ransomware, data breaches, supply chain attacks, and fraudulent wire transfers. Ransomware can shut down a company for weeks, while data breaches can lead to legal and reputational damage. Supply chain attacks exploit vulnerabilities in third-party vendors, and fraudulent wire transfers divert payments to cybercriminals. To mitigate these risks, companies should implement multi-factor authentication, employee training, strict dual controls for payment modifications, effective data breach prevention strategies, endpoint detection and response (EDR), tested backups, and an incident response plan.
The benefit of cyber insurance
Cyber insurance covers financial losses resulting from cyber-attacks, including business interruption, crisis management, and legal obligations. Standard insurance products typically do not cover cyber events, so companies must bear the costs themselves. While security teams can mitigate cyber risks, there is no 100% protection. Understanding the company’s risk allows for tailored solutions to mitigate and transfer the risk through cyber insurance.
The need for robust cybersecurity measures in the construction industry cannot be overstated. Implementing comprehensive cybersecurity strategies, including cyber insurance, will not only protect your construction business from financial losses but also enhance your reputation and trust with clients and partners.
