December 1, 2021

Mitigating cybersecurity risks in the construction industry

A growing threat is quietly emerging across the construction sector. As threat varieties evolve in sophistication, and become even more malicious and numbered online, the roles of prevention and protection against cybercrime cannot be understated. Cyber vulnerability is an issue that many construction firms might overlook, but a robust strategy can be the difference between costly disruption and business-as-usual.

Construction is gaining additional momentum through its digitisation – including everything from accelerating construction supply chains to performance, progress, and logistics monitoring. As construction firms onboard digitally, there is a balance of risk and opportunity, where businesses must creatively mitigate threats through new opportunities to reinforce their layers of protection and resilience.

Cyber-risks range from casual to more urgent ones. Since the pandemic, the role of cybersecurity has become amplified in the construction industry and the prevalence, and variety, of threats is causing greater urgency. Although nothing new, the construction sector has scaled its use of IT systems, but lacklustre security protocols remain the norm.

Many industries debuting in the digital world are largely transforming out of an urgent necessity to evolve and remain competitive on the market. Today, construction has integrated with leading technology across most of its operations, from project management to customer relations. But as digital transformations enrich the outcomes of construction projects, the potential liability remains essentially human. In fact, 95% of cybersecurity breaches are caused by human errors. Cybersecurity procedures can help shrink risks of this kind, and the likes of business data is more likely to remain safeguarded.

Cybersecurity matters more now

As increasingly more businesses become digital ones, the role of cybersecurity can often be overlooked. It’s a common misperception that cyber-risks are limited to high-profile firms, when it’s more accurate to assume that crime is a threat shared to all sizes of business.

In firms where there is a lack of attention to security, operations can become puzzled by risk varieties. A data breach can, for example, create a large (and costly) vulnerability, especially if policies are not in place to defend against negligence. Without a proportional response, a firm that struggles to act on data breaches can be left with a damaged reputation, penalties, and even lack of customer confidence.

Employee data, sensitive financial documents, and blueprints for regulated buildings (such as banks, or government properties) are a few examples of data that must be safeguarded. Firms may even become a target just for associations to other high-profile businesses, such as those who partner or work with government entities.

Critically construction has already become a high-profile industry for cybercrime. As building projects with affiliate firms are often sensitive, and as construction becomes a profitable trade-based industry, the risks will likely follow. There’s no single reason to heighten the urgency for greater resilience; rather, construction firms should be aware about the potential threats as they become more reliant on integrated technology.

Implications of cybersecurity threats

The potential damage of a threat cannot be underestimated; this can mean costly penalties, leaked data and information, and reputational harm. It’s difficult to measure accurately the exact damage of cybercrime, which is estimated to cost all industries globally $10.5trn by 2025. Many official reports, including one authored by the UK government, have calculated the associated annual costs of cybercrime. Where speculations about total loss can be recorded inconsistently, these reports all share one common anxiety: the growing costs associated with cybercrime means that firms should be focussed on security.

Aside from the costly ramifications, firms that are left vulnerable from an attack are often perceived unfavourably by their existing customers. Trust and confidence are quickly lost after an attack, and many will suffer from a damaged reputation in the long term.

Hygiene goes cyber

Capturing the changing best practice for security measures, ‘cyber hygiene’ is equal to a kind of resilience to online risks, including ransomware. Cyber hygiene isn’t about updating the existing vocabulary, but rather captures a kind of anxiety that even the most common security controls are being neglected by firms. This expression is a playful analogy that reminds firms to focus on the health of their data, and the layers of security that safeguards it.

The kinds of security firms can take will range from application whitelisting to greater restrictions on data permissions. Resilience, on the other, is a more direct expression for the kinds of security that help detect threat varieties. For example, if a construction firm uses software to share and store project data in a cloud, then ensuring that regular patching is part of your action plan is important.

Cyber resilience is a priority

Resilience is a growing focus for many, and this describes a set of actions firms can take to help prevent and deter risks. Start with a security audits, making this a routine habit, and create recommendations for deterrents from these learnings. Audits should test the effectiveness of security layers, which will expose any existing vulnerabilities, such as outdated versions of a software.

Resilience is state of mind as much as it can describe the preparedness of a firm when defending itself against threat varieties. Construction firms should use audits as a learning process to understand their existing vulnerabilities. These identified areas will need to be reinforced, time and again.

Mitigating cybersecurity threats

Prevention is another way of describing the various deterrents that firms can deploy to mitigate cybersecurity threats. Investing in a strong antivirus product, for example, is one means of limiting risk exposure. The presence of a firewall will immediately reduce the likelihood of an attack. Installing patches and updates is another critical area that can grow into a weakness. Even spam filters (coupled with a robust firewall) can create a kind of perimeter around a digital business. Spam filters, specifically, will limit intrusions that break through security defences by disguising emails as legitimate when they are malicious. These various actions should become the basis of your cybersecurity solutions strategy.

Beyond this, there are a few more lesser-known steps that at least reduce the damage from cyber invasions. For example, firms need to try and limit human error as a vulnerability, by reinforcing cybersecurity awareness. This can be developed through regular training and company-wide announcements regarding new developments in cybercrime, such as email spoofing and phishing. Ransomware, a malicious threat, is often disguised and plays and represents a risk for businesses by deceiving its employees to reveal sensitive data through the likes of their mailboxes or old passwords. Data backup and tighter regulation can mitigate more simple teething pains like this, and firms can get creative with security measures by empowering their staff. But alarming trends in this area are now forcing firms to react differently. If, for example, offsite backup data is targeted first by cybercriminals, firms will have to disconnect areas of their IT system to contain the threat from developing and infecting their whole service.

As prevention can be outsmarted by criminals, and where deterrents fail to reduce risks, more of the industry is changing its perception of cyber insurance and how it can help firms survive a breach. Insurance is openly embraced by certain firms, especially those looking to financially secure their business against costly breaches. But this praise is balanced against scepticism, which argues that insurance can spur cybercrime.

To avoid these costly pitfalls, and reputational damage, construction firms should anticipate risks before a breach exposes a vulnerability and turns it something far worse. For SME’s and larger corporates this threat is shared. This does not mean, however, that firms should operate anxiously in digital spaces, but should be vigilant about opportunists and the threat varieties that can hinder their growth.