Our lives are interconnected via technology more now than ever. Along with constant innovation comes increased risks and added concern for businesses as they look to protect their data privacy assets. The construction industry is particularly vulnerable to cyber-attacks and generally unprepared to combat them. The structure of construction projects, which often involve several entities working together toward the completion of a singular goal requires constant and in-depth sharing of sensitive information making it an attractive target for a hacker seeking to run a ransomware scheme and make a quick profit. Construction professionals don't have to remain sitting ducks, however, they can take steps to protect their assets and ward off cybersecurity criminals seeking to derail their operations.
Why is the construction industry particularly vulnerable to cyber-attacks?
The construction industry is an attractive target to cyber criminals for a variety of reasons. First, the construction industry is not as regulated as other industries on this front and as a result, is often behind in instituting cyber and data privacy protections. Many in the construction industry have not prioritized implementing cybersecurity measures into their business models. In fact, a study conducted by IBM Ponemom found that 74% of construction-related organizations are not prepared for cyberattacks and have not formed or implemented a cybersecurity response plan. www.construction.digital.com/technology-and-ai/why-cybersecurity-important-construction-industry
Contractors regularly rely on electronic communications and data to manage projects and monitor supply chain deliveries. Interactions between the varied players in a construction project often involves the exchange of confidential information such as financials and bank account numbers. In addition, construction projects involve a myriad of vendors, which increases the number of victims readily available to the hackers in a single heist. Finally, the construction industry's increased usage of artificial intelligence and robotics, which alone require added security controls and privacy risk assessments, are vulnerable to attack.
Primary Types of Cybersecurity Attacks Likely to Befall the Construction Industry
Ransomware is a type of malware in which the hackers threaten to release personal data or block access to the company's electronic information until a specified ransom amount is paid. This can limit access to critical systems necessary to complete a construction project and has the potential to cause significant and expensive delays. Many state and local entities are now prohibiting businesses from paying the ransom in an effort to deter the wrongdoers in the future. The problem with this solution is that it does not solve the immediate issue for the business and this practice has resulted in revenge attacks on the government entities themselves or other businesses.
Fraudulent Wire Transfers
Fraudulent wire transfers involve any bank fraud that concern electronic communication as well as obtaining bank account information or access to others' bank accounts through fraudulent means. This type of cyber-crime presents a particularly high risk to the construction industry as large sums are often being transferred between parties involved in the project. Companies can avert the danger of fraudulent wire transfers by employing multiple-party-verification steps and approvals as well as written policies on the proper transfer of funds. Maintaining a documented procedure will assist the insurer as well as legal counsel in resolving issues related to this type of cyber-crime.
Cybersecurity breaches may cause significant interruptions in the ability to conduct normal business. Companies in the construction arena are particularly vulnerable as delays in meeting deadlines and completion dates can result in added costs as well as lawsuits associated with breach of contract and other damages. Most cybersecurity insurance policies account for this type of loss.
Theft of Intellectual Property
Construction projects often involve blueprints or other plans that parties may not want divulged to the outside world. A cyber-attack and theft of these materials can potentially cause both financial as well as reputational harm.
"Why the Construction Industry is Being Impacted by Cyberattacks and What to Do About It"
How Can the Construction Industry Protect Itself?
A study completed by Safety Detectives recently found that the construction industry was the 3rd most likely industry to experience a cyber-attack. www.safetydetectives.com/blog/ransomware-statistics Construction professionals are not helpless in the fight against these crimes, however, and have the ability to significantly reduce their risk by developing and implementing a plan to combat cybersecurity interference with their businesses. An incident response plan should:
- Identify and assign the members of both an internal and external defense plan. Ensure that everyone knows their role and duties.
- Determine contingency plans to maintain critical site work and create safety protocols to protect systems that may be endangered due to a cybersecurity breach.
- Obtain cybersecurity insurance and require vendors and others working on the project to purchase similar protection.
- Protect your assets by securing server rooms, requiring employees to change passwords regularly, implementing multiple-factor-verification and educating employees.
- Consult with the legal counsel and insurers to discuss legal and contractual obligations, as well as coverage considerations in determining next steps.
- Create a plan to notify impacted parties should a data breach occur. Vendors, subcontractors and all involved in the construction project must be notified in a timely manner should a breach occur.
- Work with federal, state and local regulatory authorities to ensure compliance with all regulatory requirements.
Also important in preventing cyber-attacks is creating awareness and understanding throughout your organization. The first line of defense is your workforce. It is important to provide employees with education on how to recognize and avoid ransomware attacks as well as data privacy breaches. Should they erroneously click on a link in an email, for example, instruct them on immediate steps to take to minimize the impact of a potential breach. Being prepared and aware is critical in combatting cyber criminals.
Government Regulations and the Increasing Threat of Legal Liability
Comprehensive data statutes, which establish the requirements for handling and processing personal information as well as providing for the regulatory enforcement of data breaches, are popping up throughout the United States and internationally. These laws have resulted in more exposure to potential third party cyber claims. Cyber response teams must continually monitor developments in their jurisdictions to ensure compliance and mandated reporting in the event of a cyber breach.
Cybersecurity insurance policies are increasingly offering pre-breach services such as regulatory compliance advice and training on cyber risks. Along with legal counsel, they can also assist construction companies in formulating a cyber incident response plan. Employing these preventive measures can significantly reduce an organization's cyber risk.
Tips for Construction Professionals on Cybersecurity
- Develop a cyber breach response plan with both internal and external response teams.
- Obtain cybersecurity and business interruption insurance.
- Retain a legal team experienced in handling all aspects of data privacy breaches including insurance coverage, regulatory and notice requirements, minimizing breach damage and public relations strategy.
- Keep up to date with trends in data privacy regulation as well as evolving cyber threats.
- Educate employees on cybersecurity and teach them how to work together as the first line of defense.
- Practice data breaches like you would any other emergency situation.
- Employ multi-factor-verifications and approvals for the transfer of funds and transfer of sensitive information.
- In the event of a breach respond as quickly as possible.
The Cybersecurity and Data Privacy team at Wood, Smith, Henning and Berman consists of seasoned attorneys ready to protect your interests against cybersecurity threats. With backgrounds in technology as well as unparalleled legal prowess, our cybersecurity team is ready to take on challenges of all magnitudes. We offer expert counsel in cybersecurity risk management, incident response, data privacy and cybersecurity-related litigation, and cyber insurance coverage with tactful defense and unmatched litigation strategy. We monitor recent cyber trends and implement proven and cost effective solutions to meet your needs and anticipate those you may not have even contemplated. Please do not hesitate to reach out to a member of our team should you have any questions or concerns.