Cyber hygiene climbs the construction sector’s agenda

As the construction sector speeds up automation and digitisation of processes, contractors are increasingly required to show strong cyber hygiene protocols as the industry and more importantly, the customers fear the financial and reputational fallout from a cyber-incident.

Construction sector goes digital   

In the past decade, the construction sector has seen a wave of digitisation as it introduced and expanded the utilisation of project, team and customer relationship software, drones and autonomous construction machinery. Construction industry technology has replaced paper documents for project drawings and purchase orders. 

Technology is playing an increasing role in the construction sector, both in project modelling and day-to-day operations. While boosting efficiency and transparency, the technological innovation requires appropriate cyber hygiene policies and procedures to reduce the risk for all companies involved in a project. Main contractors are therefore increasingly asking their sub-contractor partners to demonstrate sound cybersecurity practices in their tenders. All other things being equal, construction firms are likely to opt to entrust their data to supply chain partners who can demonstrate strong, documented cybersecurity practices. 

Construction firms have access to a wealth of information such as intellectual property, proprietary assets, architectural drawings and specifications as well as corporate banking and financial accounts. This is, of course, interesting data for hackers. In addition, they may want to access employee information such as full names, social security numbers and bank account data used for payroll. 

Hackers may also be able to access clients’ network through contractors and subcontractors’ systems. While cyber risk is difficult to control in the office environment this is even harder on a construction site where hundreds of temporary and permanent staff from several companies may be performing work at the same time, increasing the number of potential vulnerabilities. Pressure to deliver the project adds to the difficulty to manage the cyber risk. Main contractors need to consider this threat as part of the management plan. The owner of any system carrying confidential information should keep the number of people accessing it to a minimum and create strict security rules and procedures. Decision makers at leading construction firms are set to place an even higher priority on this topic following a recent rise in ransomware attacks. 

Attacks against construction firms

Joint ventures are particularly vulnerable to cyber threats because they involve the sharing of data and documents among firms. This may explain why a wave of cyber-attacks has recently hit the construction sector in the past year. Among the victims is major contractor in the UK, which suffered an attack on its construction computer network (opens a new window) in January 2020 that impaired its operations. Later in May, a ransomware attack on a construction-services business group’s construction system encrypted the firm’s files and stopped the company from accessing them (opens a new window). In the same month, an outsourcing firm that offers support services to construction companies was hit by a cyber-attack. Hackers reportedly broke into an HR database (opens a new window) and stole details of up to 100,000 people, including current and former employees. An engineering services provider reported a security breach (opens a new window) to the National Cyber Security Centre and Information Commissioner's Office at the end of 2020. In mid-December 2020, a UK infrastructure management company was hit by a cyber cyber-attack (opens a new window) from the Mount Locker ransomware group. The ransomware group leaked parts of the company’s data including contracts, financial documents, confidential partnership agreements, non-disclosure agreements (NDAs), and correspondence between the company and UK government departments and councils, according to reports (opens a new window).  

How hackers/fraudsters target construction companies

There are various types of methods that hackers use to target and execute fraud upon your company, including:

  • Distributed denial of service (DDoS) attacks can disrupt operations and crash the server or network. Such attacks could also reveal vulnerabilities hackers can use to install malware or ransomware and take control of a company’s technology.

  • Third-party vulnerabilities offer scammers entry through a backdoor such as weak passwords, unsecured hardware, apps, or connected cloud services.

  • Phishing campaigns cause most data breaches and occur when fraudsters send legitimate-looking emails to a company's employees, tricking them into installing malicious software on their device or giving out personal information like logins.

  • Malware or ransomware software can do everything from copying or locking data, changing security settings, adding a company to a malicious network, consume resources, and even remote control company systems.

  • Spoofed email or websites are fake websites and email addresses also enable scammers to get into a company’s network.

  • Social engineering enables cybercriminals to extract valuable personal data or logins either through fake ads or building trust another way.

Data that scammers may target:

  • Employee information, including social security numbers or bank details for direct deposit

  • Big data

  • Material pricing

  • Company financials (profit/loss)

  • Designs or blueprints

  • Bank records and other financial reports

  • Sensitive or confidential information for private contracts (government installations, etc.)

  • Intellectual property such as blueprints or schematics, bid data and strategy

Risks to the business include: 

  • Business interruption stemming from technology disruptions

  • Theft, loss, or unauthorized disclosure of corporate personal information

  • Theft of proprietary corporate assets

  • Theft of customer information

  • Access to personal information on other organizations’ servers 

  • Theft or other damage by disgruntled employees, subcontractors, vendors, or competitors

Pressure on contractors 

Vetting third-party vendors and contractors has become easier with the standardization of third-party cyber risk assessments. Construction companies that either lack appropriate internal controls or are unable to effectively communicate them are less likely to be successful in request for proposal (RFP) processes or may even be ineligible to participate or prequalify for a project owner. 

To avoid being side-lined, contractors in the construction sector should conduct a risk assessment to understand its vulnerabilities and business risks. Once contractors have a baseline understanding of their cybersecurity needs, they can shore up their policies.

Technology companies will be particularly strict in relation to cyber risk requirements for construction firms to protect their data and expect a clear strategy as to where data is stored, how it is protected and perhaps even if there is insurance in place.  

Recommendations:

  • Perform an asset inventory to identify what needs to be protected.

  • Perform a risk assessment to evaluate the risks posed to core assets.

  • Identify vulnerable areas where attention is needed to address the most critical risks.

  • Implement good, common sense security controls and build them into existing systems and processes.

  • Learn about the risks, and keep learning.

  • Install specialist software monitoring systems and data for suspicious activity.

  • Outline particular hardware and software policies and guidelines. Banning external devices without monitoring software installed from the Wi-Fi network may be necessary.

  • Set rules upon your firewall to block access to malicious websites.

  • Enforce strict password management.

  • Educate your staff about cybersecurity using specialized training, real-life examples, and tests.

  • Stay on top of emerging threats and provide regular updates to your entire team.

  • Create a disaster relief plan and perform mock drills to see how well your team responds.

  • Hire an outside IT firm to perform penetration testing and a security audit.

  • Update software and firmware to ensure the utmost protection.

  • Plan for the worst.

  • Outsource cyber protection/forensic capabilities.

The human factor

The weakest link in any cybersecurity defence system is always people. All employees should be able to verify fraudulent emails through the sender's address, check on the information before responding and know the dangers of clicking links in unsolicited emails as they often lead to malicious websites and software downloads. Staff should be trained to spot frauds and to introduce secure settings on devices.

Educating staff about cybersecurity reduces a company’s risk exposure and the likelihood of successful attacks. In addition to permanent staff, contractors need to be aware of the risk posed by vendors, agency staff and temporary staff. Everyone with access to a data network needs to take responsibility for keeping it safe. 

To protect their assets, construction companies should provide regular cybersecurity training and information for employees and ensure that the company has the right security protocols in place if a data breach occurs.

Key points for employee training:

  • How to spot and what to do about phishing emails

  • What social engineering is and how it works

  • Never click links in email or text before verifying where they came from

  • Never download software from untrusted sources

  • Use strong passwords and never reuse them elsewhere

  • How to craft strong passwords using a combination of symbols, numbers, and lower and uppercase letters ― use examples to "show" employees

  • Explain how and why to use two-factor and multi-factor authentication

  • Keep software and hardware updated with the latest firmware and security patches

  • Use antivirus software to protect against malware and other intrusions

  • Never give out personal information to anyone who requests it without verifying who they are and why they need it

Information sharing

Companies should also regularly exchange experiences with peers to establish and further develop best practices in the sector. Some of the UK’s biggest construction contractors are meeting regularly to develop guidance around combating the threat of online hackers in joint ventures, according to Construction News (opens a new window). The group includes representatives of Royal Bam, Balfour Beatty, Kier and Morgan Sindall. 

Companies that can evidence good corporate cyber hygiene are also likely to benefit from better terms and conditions when buying cyber insurance to cover the remaining risk. 

For further information, please contact: 
David Hayhow, Partner Global Construction Practice 
T: +44 (0)20 7933 2624  
E: david.hayhow@uk.lockton.com (opens a new window)

Peter Erceg
Peter Erceg, Senior Vice President Global Cyber and Technology
T: + 44 (0)20 7933 2608
E: Peter.erceg@uk.lockton.com (opens a new window)