In recent years, there has been a considerable uptick in cyber risk in the construction industry and an increase in targeted attacks, so much so that the sector ranked as the third most targeted sector in 2021. Brogan Welborn completed a complex assignment covering this issue as part of her Certified Cyber Insurance Specialist (CCIS) training.
Underlying causes of cyber risk in the construction industry
The construction industry’s operational model, with high employee turnover and frequent subcontracting, makes it susceptible to internal threats. Many firms, including those working with prominent clients, underestimate their vulnerability and lack adequate cybersecurity measures. The diverse workforce from different firms, both domestic and overseas, adds to the risk, as they may lack the loyalty of long-term employees.
Large industrial firms working on sensitive projects like government buildings, power plants and military contracts are prime targets of nation-state and state-sponsored threat actors, due to potential disruption and data breaches. Despite the construction industry’s heavy reliance on manual processes, these companies still manage a considerable amount of work behind the scenes in the digital realm. This includes exchanging emails for agreements, sharing copies of contracts between parties, handling information related to site access and security, and much more. Therefore, while construction companies may not have direct involvement with the day-to-day business of government entities, they are often considered by state actors as an additional attack surface.
For example, a threat actor could gain access to the construction company’s digital system and then employ various attack vectors to exploit the relationship between the construction company and a governmental entity. This could involve using phishing techniques, deploying pop-up windows, or engaging in vishing (voice phishing) to deceive and compromise the security of both parties involved.
But even smaller construction companies conducting day-to-day work are at risk depending on the information sought by cyber-criminals. Despite the manual nature of the industry, significant digital activities, such as email communication, contract sharing, site access, and security information, make them vulnerable.
How technology has increased cyber risk in the construction industry
The construction industry has witnessed a notable technological revolution, ushering in a host of advancements that streamline operations and enhance efficiency. However, alongside these benefits come significant cyber risks that cannot be ignored.
One pressing concern lies in the physical attack surface of construction sites, where a multitude of endpoints are utilized. While many large construction firms may secure their office endpoints, such as desktop computers, endpoints taken on-site, like laptops and iPads, are not always given the same level of attention. It is common for site managers and architects to carry these devices, using them to access critical project-related information, drawings, material data, and Gantt charts to ensure smooth project execution. But these devices may also contain sensitive data such as contract details, client information, payment records, and employee data.
Third-party cyber risks also pose a significant threat. As construction companies increasingly depend on external vendors and digital platforms for project planning, management, and execution, they inadvertently widen the scope of potential cyber breaches. Advanced technologies like drone surveying, AI-powered analytics, cloud-based project management tools, Building Information Modelling (BIM), and Internet of Things (IoT) devices present opportunities for cybercriminals to exploit potential vulnerabilities and gain unauthorized access to the broader construction network, putting sensitive project information, intellectual property, and operational technology at risk.
In conclusion, the late adoption of modern technology and underinvestment in security infrastructure have made the construction industry a prime target for cyber attacks. Awareness and risk control measures are on the rise, guided by industry-wide initiatives and client contract requirements that mandate specific cybersecurity procedures. Increasingly, construction firms are also securing appropriate Cyber Insurance to mitigate losses and minimize business interruption in the event of a cyber attack.
Brogan Welborn is a Broker for Financial, Executive and Professional Solutions at Specialist Risk International, London.