Cybersecurity for construction companies
October is Cybersecurity Awareness Month, an opportunity to think about cybersecurity at your construction company. We sat down with Cybersecurity Consultant and Google Security Hall of Fame inductee, Chris Hanlon, to give us insight into this topic.
What is cybersecurity?
Put simply, cybersecurity means keeping all your electronic data secure. But, Hanlon says, it’s more helpful to think of cybersecurity in terms of a balance between confidentiality, integrity, and availability. “It won’t meet your company’s needs if your data is super-secure, but it isn’t available to the right people when necessary,” Hanlon says. “In addition, it needs to be available only to the right people. The wrong people doesn’t just mean external hackers, though. It also means keeping employees’ private information confidential from other employees.” Hanlon provided the following examples.
Examples of data confidentiality (internal and external):
- Your contact list is safe from competitors
- Staff can’t see private information about other staff (e.g. salaries, discipline reports, social security numbers)
- Information about planned mergers and acquisitions is kept secret
Examples of data integrity (data can’t be damaged or changed without authorization):
- Attackers can’t alter important financial records
- Ensuring software doesn’t accidentally deposit $50,000/month instead of $5,000/month
Examples of data availability:
- If necessary, data is remotely accessible
- Data is available quickly (If a hard drive fails, will your system be offline for hours or days — or can it be restored in minutes?)
- If an attacker launches ransomware, you can get your data back
How big is the cyberattack problem?
Hanlon says that in the US, business email compromise alone causes roughly $1.8 billion in corporate losses per year. And email compromise is only one kind of attack — the most common. “Once you start adding the second, third, fourth, most common attacks, you can see that cyberattacks are a massive problem. In fact, it’s a leading cause of unexpected bankruptcies,” Hanlon says. “If you lose critical information, or funds get transferred to the wrong people, this can mean millions of dollars in unexpected losses.”
Email-based cyberattacks are the most common kind, but it isn’t because email is inherently insecure or untrustworthy. “The problem is that people trust email more than it really should be trusted,” Hanlon explains. “Email accounts are a favorite target for attackers because they can use compromised email accounts to launch phishing attacks, distribute malware, and arrange wire transfers to the attacker’s bank account.”
How cyber attackers get email addresses and passwords
A hacker might get your employees’ email addresses and passwords by hacking into a third-party website. Hanlon explains, “Suppose one of your employees signs up for an account on LinkedIn or Adobe using their work email address and the same password they use for that work email account. Someone who hacks into LinkedIn or Adobe can then steal that employee’s work email address and password.”
If your employee’s work email and password give them access to your company’s electronic files, the scammer can now access your network and steal your data, such as bank account details and passwords. Of course, once they access your bank account, they can steal from it.
Phishing and ransomware
Another common type of cyberattack is phishing. Phishing is when a scammer poses as a legitimate institution — such as a bank, a charity, a company, or a government agency — and contacts an individual (by phone, text, social media message, email, etc.) and tricks them into giving information such as bank or credit card details, social security numbers, passwords, and so on. Scams like this can result in financial loss and/or identity theft. Here’s an example of phishing in the construction industry:
Construction firm data breach affects employees nationwide
If your employee is a scammer’s target, that employee might be tricked into sharing email passwords, cloud account passwords, remote access credentials, or corporate bank account details. The scammer could then use those credentials to launch ransomware attacks and initiate fraudulent wire transfers.
In a ransomware attack, scammers send an email with software that, without your permission, installs itself on your system. The software blocks your access to your data, or encrypts your files, until you pay a ransom to the scammer to remove the software. Many ransomware attacks aren’t reported, but here are a couple of major examples in the construction industry:
Ransomware attack on construction company
Construction company falls victim to ransomware
Vendor breaches and fake payments
Another tactic scammers use is to pose as a vendor and trick an employee into making a payment to them.
“Suppose one of your vendors gets compromised,” Hanlon says. “The hacker can see in the vendor’s system that you’ve been sent an invoice. So they follow up with new payment information and say, ‘For the upcoming progress installment, send the payment to such-and-such account.’ I’ve seen six-figure losses like this. Your staff trust the hacker because they appear just like your real vendor.”
An example like this was a construction project for MacEwan University in Alberta, Canada. The scammer made a fake website using the name and logo of the company that had a multi-million dollar construction contract with the university. Because it was a publicly-funded project, the exact amount the university owed the contractor was available under Freedom of Information. “The scammer then emailed invoices for the correct amounts to the university and had millions of dollars of public funds transferred to them.”
In total, over $11 million was sent to the scammers and the university discovered the fraud only after the legitimate vendor, a real construction company, contacted the university to ask why it hadn’t been paid.
Hanlon says this incident highlights the following:
- Staff need to be reminded how serious the problem is. A strict process will seem like overkill the vast majority of the time. However, when a single payment going to the wrong account can cost thousands or even millions of dollars, sending even one in 10,000 payments to the wrong account is too many.
- When you receive payment details by email, you can’t trust any account numbers, phone numbers, email addresses, web pages, or domains listed in recent emails.
- When you receive payment details by phone, you can’t trust anything that was said on the call.
- In either case, you need to look to a different information source to verify the company’s details (e.g. searching online for the business or checking the phone number on their original quote).
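A payment-detail check that encodes these four points in code, as an added example that is not from the article or from Hanlon: an incoming invoice is compared with a vendor master record established out of band (the bank account and phone number on the vendor’s original quote), and any change is held until someone calls the number on file rather than any number in the email. The vendor names, domains, account numbers and phone numbers below are constructed.

```python
"""Payment-detail change control for vendor invoices (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    name: str
    email_domain: str    # domain agreed at onboarding
    bank_account: str    # account on the original signed quote
    callback_phone: str  # phone on the original quote; the only number used to verify


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    sender_email: str
    bank_account: str
    amount: float
    reply_to_phone: str  # whatever the email says; deliberately never used for verification


# Constructed master file and two constructed invoices: one genuine, one with
# a lookalike sender domain and a changed bank account.
MASTER = {
    "Northside Concrete": VendorRecord("Northside Concrete", "northsideconcrete.example",
                                       "ACCT-1111-2222", "+1-555-0100"),
}
GOOD = Invoice("Northside Concrete", "ap@northsideconcrete.example", "ACCT-1111-2222", 48000.0, "+1-555-0100")
CHANGED = Invoice("Northside Concrete", "ap@northside-concrete.example", "ACCT-9999-8888", 48000.0, "+1-555-0199")


def review_invoice(inv: Invoice, master: dict) -> dict:
    """Decide 'pay', 'hold' (needs a callback on the number on file) or 'reject' (vendor unknown)."""
    rec = master.get(inv.vendor_name)
    if rec is None:
        return {"decision": "reject", "reasons": ["vendor not in master file"], "verify_by_calling": None}
    reasons = []
    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != rec.email_domain:  # exact match only; a hyphenated or misspelled copy fails
        reasons.append(f"sender domain {sender_domain} is not {rec.email_domain}")
    if inv.bank_account != rec.bank_account:
        reasons.append("bank account differs from the account on the original quote")
    if reasons:
        # Hold: the approver calls rec.callback_phone, not inv.reply_to_phone.
        return {"decision": "hold", "reasons": reasons, "verify_by_calling": rec.callback_phone}
    return {"decision": "pay", "reasons": [], "verify_by_calling": None}


if __name__ == "__main__":
    for inv in (GOOD, CHANGED):
        print(inv.sender_email, "->", review_invoice(inv, MASTER))
```

The same check applies to payment details given by phone: treat the call as the untrusted input and confirm against the record on file.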
The biggest cybersecurity risk
“One of the biggest cybersecurity risks for construction companies is third-party risk,” Hanlon says. “Your risk increases as your value as a target increases, and your value as a target is tied to both your vendors and your customers.”
A few years ago, hackers accessed the IT systems of one of Home Depot’s vendors, stole information, and used that information to hack into Home Depot.
USA Today reported: “Hackers used a vendor’s stolen log-on credentials to penetrate Home Depot’s computer network and install custom-built malware that stole customer payment-card data and e-mail addresses… The malware, which had not been seen in other data thefts, was installed on self-checkout registers that were hacked.”
Because of this breach, Home Depot was unknowingly leaking data to hackers for months before they detected the problem.
Your construction company could be attacked via data stolen from your vendors or customers. Or your company could be attacked and then the data stolen from you could be used to attack your vendors or customers. No company is an island.
So it’s not just big companies like Home Depot that are at risk. Your firm is part of a network that increases your firm’s value as a target, even if your firm itself isn’t large.
“Big companies tend to have big security budgets. Mid-size companies are probably at the highest risk,” Hanlon says. “They typically don’t invest as much in cybersecurity, but they’re big enough to attract scammers’ attention and make financial transfers that matter.”
How can construction companies improve their cybersecurity?
“Interactive staff training should happen at least quarterly,” Hanlon says. “If employees are just given a document, you don’t know who reads it and understands it. Training checks in with how staff are dealing with payments and passwords, and staff can ask questions.” These periodic reminders keep cybersecurity top of mind.
“The Center for Internet Security lists 18 controls companies should implement to improve their cybersecurity. Many companies might do only the first five or eight, but that’s better than nothing.”
Hanlon also notes that many software products that companies use, like Microsoft Office 365, come with optional security features built in — but you have to manually turn them on. In addition to staff training and optional security measures, he says it’s important to book third-party risk assessments as a way to measure the effectiveness of your security controls. “Cybersecurity requires continuous improvement. You can’t think ‘we passed an audit last year, so we’re good’. You should be improving your security posture every quarter and continuously monitoring for new vulnerabilities.”
Every company is in an arms race with hackers and scammers; their methods continuously evolve, and you need to evolve to keep up.
Note: You can check here to see if your email or phone number has been leaked in a data breach: https://haveibeenpwned.com/
Further reading:
- Cyber Threats: Why the Construction Industry Could be the Next Big Target
- Why Cybersecurity Matters in Construction
- The Rise of Cybersecurity Risk in the Construction Industry
If you know someone in the construction industry who might find this information about cybersecurity helpful, please feel free to share it with them.