Protecting your construction business from a cyber attack in 2022
Why Cyber Security Matters
Historically, construction was fairly immune to security breaches, and cyber security is not something traditionally associated with the industry. But in recent years the introduction of new technology and the growing need for digital connectivity on-site have made companies more vulnerable to cyber attacks. It is no longer just a case of making sure offices and building sites are secure from thieves.
The digitisation of the construction industry now means vast amounts of highly sensitive data, including building models, documents, drawings and personal data, are being processed, stored and shared. Industry processes are increasingly built on software systems and rely on the availability of those systems for fast communication. Downtime and data breaches can have severe consequences, among them business interruption and loss of revenue, operational stability and brand reputation.
The increase in highly sensitive data has required more attention and action. The construction industry has seen an increase in cyber security spending of 188% in the past 12 months. Whilst this is promising, the ultimate goal is for the construction industry to minimise its exposure via a well thought out risk mitigation and cyber strategy.
So why should your business consider a cyber security strategy?
- Reputation Loss: When a company faces a data breach, the fact that all the customers’ private information ends up in the hands of the attackers isn’t even the worst part. This is data that was under the care and custody of the company. When a breach occurs, the perception of the affected clients (and prospective clients) is not one of sympathy. Rather, the viewpoint is that sensitive data isn’t safe with you. This can cause irreparable reputational damage to a business, driving customers to a competitor.
- Downtime: Another damaging aspect of a data breach is unplanned business downtime. A significant risk to a construction company is business disruptions. Downtime is one of the most significant operational risks in construction, especially for companies that rely on their digital assets to run an efficient construction site. Long-term project delays can destroy a company through lost profits.
- Loss of IP and Assets: In the event of a breach, the loss of such intellectual assets could easily be viewed as irresponsible behaviour, especially if it is shown that adequate cybersecurity measures were not deployed.
- Staff Awareness: As always, it is vital to address the human element, which has become a greater source of risk as cybersecurity challenges in the construction industry have intensified. If your staff are inadequately trained to recognise and handle cybersecurity attacks, your business is vulnerable.
Cyber security is no different to any other approach in business: there isn’t a gold standard way of doing things that will work across all companies and industries. Your cyber strategy should be relevant to the size of your organisation and the potential risks you may encounter. This is where the ACSC Essential Eight and its Maturity Model are an appropriate baseline for Australian businesses. They are aimed at preventing malware delivery, mitigating cyber security incidents and serving as a baseline for organisations to address different cybersecurity risks and defend their systems online.
15 tips to protect your construction company from a cyber attack
The construction industry was, at one time, fairly immune to security breaches. But in recent years there has been an influx of new technologies and new connections on job sites that can make companies vulnerable to cyberattacks. Every business must now consider how it moves forward with its cyber security strategy.
- Align with the ACSC Essential Eight: Understand where your vulnerabilities are and the mitigation strategies required to ensure you align with the appropriate Essential Eight maturity levels.
- Empower emergency patch management for new vendor patches: have an automated and proactive patch management system in place. To ensure you do not carry known vulnerabilities in your apps and tools, cross-check that vendor patches have actually been applied.
- Retain cyber legal experts: before a threat is identified, one of the best decisions a construction business (or any business) can make is to appoint a cyber attorney to handle regulatory or compliance issues, and to advise in the event of a cyber incident.
- Select a quality managed cyber security provider: when selecting a provider, you want to be sure they can help in a variety of areas, as cyberattacks can’t be predicted and are ever-evolving. It is recommended to future-proof your investment and look for an MSSP with more skill sets than you currently require. Technology is great, but how it is managed makes a world of difference to an organisation’s security posture. It is generally better to deal with one provider with varied skill sets rather than multiple providers that each have a single specialism, because time is of the essence when dealing with an incident.
- Practise breach response like a fire drill with an active Incident Response Plan: it is recommended that the plan is tested and executed monthly or quarterly to ensure that it works. Team communication channels, impact and severity levels, customer communications, escalation points, delegation of tasks and resolution of the incident should all be established, tested and adjusted, so that if a cyber incident occurs the business can react quickly and in a meaningful way.
- Embed a cyber-first culture: this is critical to an effective cyber security program. It includes, but extends beyond, the traditional method of cyber awareness training. A successful cultural transformation results in a cyber risk-aware culture, supported by tools that leverage social science techniques to influence cybersecurity behaviour.
- Understand where data lives and what requires protection: before a breach occurs, the cyber security team should have a deep understanding of where the business’s data lives, assess it for vulnerabilities to reduce the attack surface, and arrange daily backup practices so that data can easily be restored and business impact is reduced in the case of an attack.
- Ensure C-level executives and staff are accountable: build cyber security into the employment contracts of all staff. HR teams and other business units must constantly reiterate the cyber-first culture. Incentivise executives to regard cyber security as a strategic business goal by ensuring the board reviews outcome-driven cyber security performance reports and that cyber security performance goals are embedded in employment agreements.
- Ensure technology is current and not aged: a good Managed IT Service provider will document your IT infrastructure and all endpoints and monitor for ageing hardware. They should also have deep relationships with hardware vendors and be able to pass on bulk discounts and better quality machines. If this is not the case, you should review your IT supplier and look for a proactive MSP to manage this for you.
- Ensure password best practice: this includes adding an additional layer of protection with MFA (Multi-factor Authentication). You would be surprised how many users reuse the same password for their banking and their work files, or choose basic passwords like Admin123!
- Regular Dark Web monitoring: check whether any of your team’s or company’s credentials have been stolen and sold on the Dark Web. Dark Web monitoring is available as a standalone service or as part of many managed cyber security solutions.
- Secure the remote nature of the construction industry ecosystem: construction teams are rarely based in one location. Remote working is common in the industry, and the use of cloud services and modern workplace solutions is increasingly popular as construction companies digitally transform. Making sure these solutions are secure is key.
- Ensure the supply chain and third-party suppliers have addressed cyber risk: cyber leaders must consider the internal ramifications of third-party cyber risk exposure, as well as the continuous demand for transparency and cyber due diligence from their own customers. Cyber leaders should engage all stakeholders to set cyber security standards and expectations for third parties across various risk scenarios. This might cover only critical IT vendors, or extend to the entire ecosystem, including customers and subsidiaries.
- Consider cyber risk quantification (CRQ) to prioritise cyber risks with care: CRQ adopters believe that expressing risk in financial and business-relevant units will help justify security investments, drive urgency around risk mitigation and help business leaders make trade-off decisions. However, results are mixed and there are currently inefficiencies. The lack of data is the largest challenge, and connecting business decisions to outcomes remains an obstacle.
- Expect an increased requirement for companies to be more transparent about their cyber security risks: businesses now agree that cyber security is a societal risk, not solely a risk to businesses. In fact, there is increasing public demand for greater transparency around environmental, social and governance (ESG) goals. Businesses will be required to proactively monitor potential data sources to inform external stakeholders of the organisation’s cyber security posture, and not only to assess the social impact of a cyber incident but also to demonstrate commitment and progress in reducing that impact.
Government mandates and cyber regulations for the construction industry
In 2022 the ACSC issued an urgent alert to all Australian businesses to mature their cyber security posture by implementing the ACSC Essential Eight.
Construction companies must take cyber security seriously, as it is a matter of when they will receive an attack, not if.
The ACSC Essential Eight is made up of eight mitigation strategies divided across three primary objectives:
1. Prevent cyber attacks
Protect internal systems from malicious software such as ransomware, malware and other cyber attacks.
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
2. Limit the extent of cyber attacks
Limit the penetration or expansion of a cyber attack by remediating security vulnerabilities so that attackers cannot exploit them.
- Restrict administrative privileges
- Patch operating systems
- Multi-factor authentication
3. Data recovery and system availability
Support the business in the event of a cyber incident by recovering and restoring operations quickly.
- Daily backups
There is no one silver bullet for business leaders of construction firms. However, important factors in reducing cyber risk include meeting the requirements of the ACSC Essential Eight Maturity Model, achieving management support and fostering a cybersecurity culture.
A risk assessment should be performed to identify cyber security vulnerabilities. Risks should be quantified and explained in simple language to top-level management to ensure business cases can be understood, reviewed and approved.
A comprehensive cyber security strategy and implementation plan helps ensure that the firm has the most appropriate people, processes and technology in place to help mitigate cyber risks.
Firms should also have an incident response plan that is regularly tested to ensure the impact of a successful cyber-attack is minimised.