Cyber Risks in the Construction Industry

Guest article written by KYND

There is a belief among construction companies that they are not a target for cyber attackers because they typically hold little sensitive data beyond employee records. That belief only makes the industry easier prey.

Contractors, construction managers, engineers and owners should worry about cybercrime, and with good reason.

Complex projects, with myriad data exchanges among partners and sub-contractors, regulators and suppliers, software and systems – and now the internet of things – are tempting targets for hackers. Construction firms are continually collecting data and using cloud applications as a way to manage projects, for example holding information on their client base and on current, past and future projects, including addresses and payment details.

Construction contributes 7%[1] of the UK’s GDP (more if the whole-life contribution through planning, design, construction, maintenance, decommissioning and reuse, is taken into account), which makes it a more valuable target than you might initially expect.

75% of respondents in the construction, engineering and infrastructure industries experienced a cyber-incident in the 12 months prior to December 2016.[2]

61: the average number of email fraud attacks a company in the construction industry will face every three months![3]

Business exposure and implications

Access to client’s confidential information

Compromised intellectual property such as building specifications and architectural drawings can provide a roadmap for criminals to gain access to valuable personally identifiable information (PII), including financial accounts and employee data.

Business interruption exposure

As in any industry, cyber attacks can result in costly business interruptions for construction companies. A delay in a construction project can mean the difference between a small profit and a devastating loss.

The legal implications

Failing to adequately secure client data could see the company facing a hefty fine under GDPR. Companies may also find themselves on the receiving end of litigation by third parties that have been impacted by a cyber event if they believe that their data had not been suitably safeguarded.

Mobile dependency

Many stakeholders involved in construction projects are highly dependent on mobile devices and laptops, offering multiple access points to networks and creating vulnerability if not everyone using them is adequately trained in cyber security. Adding another layer of exposure, valuable technology (such as laptops) is often stored on job sites in unsecured trailers, making the data held on it an easy target for thieves.

Increased reliance on technology

Wearables and drones provide real-time monitoring and data collection, while virtual reality can create simulations of building designs. These technologies open a world of safety, training and efficiency opportunities, but also give malicious actors potential access to valuable information.

What types of risks exist?

There are a variety of different threats that the construction industry could be impacted by, but the most common include:

Phishing

Malicious emails designed to look genuine, which encourage employees to click a link or attachment, infecting their computers or stealing passwords in the process.

This can also lead to fraudulent wire transfers, as once inside the network the attackers have time to monitor your emails. The construction industry continues to fall victim to this because it works with a large number of suppliers, new and old, who are regularly paid by electronic transfer, giving cybercriminals more opportunities to intercept payment instructions and divert funds to fraudulent accounts.

Ransomware

A malicious programme which locks access to company files and data until a ransom payment is made, after which time access may be restored.

Viruses

Code which infects computer systems, corrupting or deleting data.

Hacking

An individual or group attempting to gain access to company systems with the intent to steal or destroy data.


Analysis

KYND’s analysis of key cyber risks of the top 100 UK construction companies (by turnover)

Ransomware risk

47.5% of companies had at least one external internet service exposed which would place them at a higher risk of a ransomware attack.

Email Spoofing

91.5% of companies were vulnerable to having their email addresses spoofed.

Vulnerable Services

85% of companies were running at least one service, such as an email server or web server, with a well-known vulnerability to cyber attack.

Out of Date Software

41.5% of companies had at least one service that was using software which was out of date, no longer supported and vulnerable to cyber attack.

Certificate Issues

31.5% of companies had at least one security certificate which had expired, been removed or distrusted.
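As an added illustration of the email spoofing and certificate findings above (this is example code, not KYND’s own tooling, and the article does not describe how KYND’s checks are performed), the following Python script evaluates DNS TXT records for SPF and DMARC to judge whether a domain’s From: address can be spoofed without any enforcement, and classifies certificate expiry dates. The domain names and records are constructed samples; the function names are this example’s own.

```python
import re
from datetime import datetime, timezone

# Constructed sample TXT records, keyed by DNS name. These are not real domains.
SAMPLE_TXT_RECORDS = {
    "example-builder.test": ["v=spf1 include:_spf.mail.test -all"],
    "_dmarc.example-builder.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-builder.test"
    ],
    "example-contractor.test": ["v=spf1 include:_spf.mail.test ~all"],
    # No _dmarc record exists for example-contractor.test.
    "example-site.test": [],  # no SPF, no DMARC
}


def parse_spf(records):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?' or '+'),
    or None when the domain publishes no SPF record at all.
    A record with no 'all' mechanism defaults to neutral, i.e. '?'."""
    for txt in records:
        if txt.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt)
            if m:
                return m.group(1) or "+"
            return "?"
    return None


def parse_dmarc(records):
    """Return the DMARC policy tag ('none', 'quarantine' or 'reject'),
    or None when no DMARC record is published."""
    for txt in records:
        if txt.upper().startswith("V=DMARC1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip().lower()
            return tags.get("p")
    return None


def spoofing_exposure(domain, txt_records):
    """Summarise how exposed a domain is to having its From: address spoofed.
    SPF only covers the envelope sender; only an enforcing DMARC policy
    (quarantine or reject) ties the visible From: header to that check."""
    spf_all = parse_spf(txt_records.get(domain, []))
    dmarc_policy = parse_dmarc(txt_records.get("_dmarc." + domain, []))
    findings = []
    if spf_all is None:
        findings.append("no SPF record")
    elif spf_all in ("+", "?"):
        findings.append(f"SPF ends in '{spf_all}all' (permits any sender)")
    elif spf_all == "~":
        findings.append("SPF softfail only (~all)")
    if dmarc_policy is None:
        findings.append("no DMARC record")
    elif dmarc_policy == "none":
        findings.append("DMARC p=none (monitor only, no enforcement)")
    return {
        "domain": domain,
        "spoofable": dmarc_policy not in ("quarantine", "reject"),
        "findings": findings,
    }


def certificate_status(not_after_iso, now_iso=None):
    """Classify a certificate by its notAfter date (ISO 8601 string):
    'expired', 'expiring-soon' (under 30 days left) or 'ok'."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    not_after = datetime.fromisoformat(not_after_iso)
    if not_after.tzinfo is None:
        not_after = not_after.replace(tzinfo=timezone.utc)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        return "expired"
    if days_left < 30:
        return "expiring-soon"
    return "ok"


if __name__ == "__main__":
    for name in ("example-builder.test", "example-contractor.test", "example-site.test"):
        print(spoofing_exposure(name, SAMPLE_TXT_RECORDS))
    print(certificate_status("2024-05-31T00:00:00+00:00", "2024-06-01T00:00:00+00:00"))
```

In practice the TXT records would come from a DNS lookup and the notAfter date from the served certificate; the point of the script is the decision logic: a domain without an enforcing DMARC policy remains spoofable even when its SPF record ends in -all, and an expired or near-expiry certificate should be surfaced before it breaks or is distrusted.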

Howden Commentary

Threat actors continue to attack all industries of varying sizes. We take on board that the construction industry may not hold much sensitive personal data; however, it does have its own unique risks which create cyber exposures, such as the move to more technology and cloud based solutions, the use of BIM, drones, the potential use of industrial control systems and the high volume of suppliers utilised.

We have seen a notable increase in cyber claims during 2020/21. In particular, we have seen the rise of high profile ransomware attacks, and the threat intelligence data is showing that the frequency and severity of these attacks are increasing as cyber criminals become more sophisticated.

In the 2021 Global Digital Trust Insights survey[1], 50% of UK respondents advised that ransomware events were most likely to impact their industry over the next 12 months. The costs involved for a business that suffers an attack of this nature aren’t just the cost of restoring backup systems or paying the ransom, but the cost of the disruption to the business and the additional response and recovery costs, such as legal and forensic, too.

It is important for the construction industry to now recognise cyber risk and the impact it can have on their financials and reputation. Businesses need to ensure they have their incident response and/or risk transfer solutions in place, to ensure the resilience of the business as a whole.

Kathryn Brown

Associate Director, Cyber & Technology Solutions

Case Study

Type

Data breach and ID theft using a fake email.

Scenario

An employee in a larger construction firm responded to an apparently genuine email request from a trusted source for confidential employee tax records and other information.

Sting

‘Spear phishing’ involves sending a fraudulent email that looks genuine. Hackers spoof the ‘From:’ line of the email so the sender appears real – say the CEO or a trusted third party. The victim recipient then responds in apparent good faith, or clicks a malicious link, and that response – including any attachments – is re-routed to the hacker’s email account.

Investigation

That single email reply harvested the full names, addresses, employment status and tax records for every employee working for the company during that year.

Conclusion

Never put blind faith in what arrives in the inbox. The sender may be fake and click-through links may be malicious. Human processes are key: always double-check all sensitive requests for information directly with the requester to establish bona fides.


For more information about KYND, visit: https://www.kynd.io/