Cybersecurity in construction is a growing issue

Construction is a significant part of the U.S. and Canadian economies, accounting for more than 9.5 million employees combined. With $2.26 trillion in construction work collectively in the U.S. and Canada, there are many safety risks to data gathered and held by construction companies, including ransomware and other nefarious tactics. Recently, many construction companies have been hit by hackers, but creating a backup plan, installing harder controls, and training employees on threats are simple solutions to mitigate risk and damage.

Ransomware resulting in huge losses

Hackers are specifically targeting construction companies with ransomware, which holds a company’s data hostage until a ransom is paid. It’s just one method used to steal from the construction sector, which is highly vulnerable due to its data and use of tech tools. 

The growing number of tools and data that many construction companies use to conduct operations—whether in 3D models, project management software, AI, Internet of Things devices, supply chain management, email, and other means—makes them more vulnerable to thieves. 

According to HKA, a global consultancy organization serving the construction industry, several major cyber-attacks in construction have recently caused delays, business disruption, financial losses, and brand damage. Cyberthieves now view construction as an easier target than other industries because its defenses against these attacks aren’t as strong as those of other companies. 

“Financial rewards for the attacker are becoming more lucrative as many construction firms embark on digitization programs and introduce new technology… These initiatives are rapidly increasing the firm’s digital footprint and, consequently, their attack surface, giving the attacker more opportunity to launch cyber-attacks,” HKA said in a website article.

These attacks hurt a company’s bottom line and reputation. If targeted by a hacker, a contractor whose data isn’t secure could unwittingly expose the proprietary information of other contractors with whom it works on projects. 

In a sector where company information is tightly held due to heavy competition, working with a contractor whose data isn’t secure or who has already been hacked might not seem like a great partnership opportunity for some contractors.

Cyber-attacks on construction companies

Recently, there has been a sharp increase in successful cyberattacks in construction, resulting in substantial losses. These companies include Bird Construction, Solid Bridge Construction, and Royal Bam Group:

Bird Construction 

Canadian construction company Bird Construction was bilked through a ransomware attack, where attackers demanded a cryptocurrency payment of $9 million CAD to prevent them from releasing stolen personal information.

Solid Bridge Construction 

Hackers used Huntsville, TX-based contractor Solid Bridge Construction’s relationship with another construction company to bilk Solid Bridge of more than $200,000. Solid Bridge partner, TX-based Chance Contracting LLC, was used in a cyber-attack email ostensibly from Brett Chance, the owner of Chance Contracting.

Claiming Chance Contracting wasn’t getting check payments, the email requested that a $210,312.00 payment be sent to a different address than Chance’s regular address. Solid Bridge sent the check, thinking it was paying a true invoice from Chance Contracting, but the payment was sent to an email very similar to the one used by Brett Chance of Chance Contracting.

Royal Bam Group

Finding a vulnerability in the Royal Bam Group website helped hackers sneak into the firm’s corporate network, encrypt its files, and block the company from accessing them. Hackers then demanded payment to allow the company to regain access to its files.

The construction sector is one of the hardest hit by ransomware

Research by Ontinue, a cybersecurity firm specializing in Managed Extended Detection and Response services, indicates that IT and construction accounted for about half of all ransomware attacks the company assessed in 2023. A new report by Ontinue’s Advanced Threat Operations (ATO) team said the increasing sophistication of ransomware tactics, security concerns surrounding Internet of Things (IoT) security, and the misuse of connected devices for malicious purposes are all growing concerns for the construction sector.

Ontinue’s research pointed to four areas of concern of which construction companies should be aware:

Ransomware

Hackers using more sophisticated techniques and double-extortion tactics have made ransomware attacks even more dangerous and prevalent. Double extortion occurs when hackers demand a ransom be paid by a deadline after encrypting data and threaten to permanently restrict access to it, publish it on the dark web, or sell it to a third party.

“Organizations can often recover lost information from previous backups, but it’s much more difficult to stop sensitive data from being leaked after this attack,” said the Global Cybersecurity Alliance. “Organizations with highly sensitive or valuable information should be even more vigilant. Since cybercriminals threaten to publish this data to the highest bidder or destroy it, susceptible businesses often suffer far-reaching implications. “

Social engineering 

Social engineering attacks take advantage of human vulnerabilities (like trust in partners) to gain unauthorized access to information and systems, such as in the case of Solid Bridge Construction. 

Internet of Things

Hackers are more frequently capitalizing on poorly secured connected devices to gain unauthorized access to data and make companies pay to retrieve it.

Artificial Intelligence and machine learning 

Hackers are using AI and ML technologies to create deepfakes to do an end-run around security measures. 

Contractors must be much savvier and more guarded about their proprietary data to avoid financial losses and grave risks to their reputation that could impact their bottom line. 

By firming up their systems, practices, knowledge of threats, employee awareness, and software, construction companies can create a more ironclad system that is less vulnerable to cyber-attacks.

Here are some tips to do so:

1. Perform software updates promptly

By keeping operating systems, applications, and security tools up to date, contractors can avoid hacker-induced losses. Regularly installing patches and updates released by vendors can help contractors pinpoint and fix vulnerabilities and defend themselves from known cyber threats.

2. Train employees to have threat awareness 

Teach employees about threats like phishing, social engineering, and malware. Avail yourself of cybersecurity training and awareness programs. Engender a corporate culture that is mindful of the possibility of security threats. Give employees frequent updates on cyber threats and provide them with best practices to avoid them. 

3. Create a data backup plan 

Creating a data and systems backup strategy can help ensure backups are stored securely and can be easily regained if needed. Building a plan for disaster recovery can also decrease data loss.

4. Install hardier access controls 

Ensure only authorized users have access to sensitive data and systems. A multifactor authentication system, in addition to passwords, adds an extra layer of security. By ensuring that users only have access to information needed for their work, the most sensitive data should be kept the least accessible to employees.

5. Segment and monitor your network 

Limit the impact of security failures by putting in place network monitoring tools to locate and react to potentially malevolent activity. Keep a vigilant eye on signs of unlawful access to systems or malicious activity regarding data. Create controls to monitor user behavior and network traffic.

Vigilance is key to avoiding losses

Computers and technologies that use them have made work simpler in some ways. However, the ease of use of these tools in handling tasks has made us more dependent on them and expect more from them, without considering the ever-constant possibility that we are always potentially a couple of wrong keystrokes away from creating a company disaster.

That’s why constant vigilance, continuing awareness, and education about cyber threats are crucial for construction companies. Nobody wants their company to be the next headline.

Share Your Thoughts

Skanska awarded $435M Lee Health hospital project in Fort Myers, Florida

December 2, 2024

Skanska wins $435M contract to build Lee Health hospital in Fort Myers, FL, enhancing healthcare services in the area.

Read more

Top construction expos and conferences for early 2025

December 2, 2024

World of Concrete and Buildex are some of the top construction events of 2025, offering networking, insights, and the latest industry trends.

Read more

This developer makes community health a priority—starting with air quality

December 2, 2024

Specialized Real Estate Group is a multifamily developer that promotes community wellness, starting with improved air quality.

Read more

The 7 most common fall protection mistakes on the job (and how to fix them)

December 2, 2024

Fall protection mistakes, such as using worn-out equipment, not conducting a risk assessment, or improperly using your SRL, could cause injury or fatalities.

Read more