Sector-wide, there’s an urgent call for construction businesses to implement robust measures that will prevent and protect them against cybersecurity risks, says Simon Hughes, SVP of Global Distribution at Cowbell
Construction is often seen first and foremost as a manual operation: building, assembling, and installing various components and structures.
While the manual aspect remains crucial to the industry, those who work in modern construction will know how much it also relies on project management, engineering practices, and, of course, advanced technologies.
The construction industry has become more digitised over the years
RICS’ Digitalisation in Construction Report 2023 shows that more construction firms (a 43% rise compared to RICS’ survey from the previous year) are consistently using digital processes.
With the adoption of technologies such as Building Information Modelling (BIM), project management software, cloud-based collaboration tools, and IoT devices, digitalisation is helping in areas including cost estimation, prediction, planning, and control, as well as enhancing progress monitoring and health, safety, and well-being.
However, while these same technologies offer numerous benefits, they also introduce new cybersecurity vulnerabilities that cybercriminals can exploit.
Cybersecurity risks in the construction industry
IoT devices in construction, for example, such as sensors, drones, wearables, and smart machinery, often lack robust security controls, making them attractive targets for attackers seeking to infiltrate construction company networks or disrupt operations.
We’ve also seen remote work trends – triggered by COVID-19 – lead to increased reliance on remote collaboration tools and cloud services. This shift has widened the scope for cyber threats, as remote workers may use unsecured networks or devices, making them more vulnerable to phishing attacks, malware infections, and unauthorised access.
The interconnected nature of the construction industry’s supply chain has also amplified cybersecurity risks. The numerous vendors, subcontractors, and suppliers that construction firms rely on each represent a potential weak link in the cybersecurity chain.
Any supply chain attacks targeting these entities can then have a cascading effect, impacting multiple stakeholders involved in construction projects.
Combined, these trends have all contributed to an increase in cyberattacks, both small and large. An example of one of the most memorable high-profile cases was UK-based Bam Construct. They experienced a significant cyberattack that disrupted its IT systems and affected ongoing projects, including the construction of NHS COVID-19 hospitals.
The unauthorised access meant they had to shut down certain systems to contain the breach and mitigate further damage.
Breaches like these that really highlight the construction sector’s vulnerabilities and the critical importance of cybersecurity. In fact, the disruption of operations from an incident can be catastrophic for construction businesses, causing downtime, delays in project timelines and loss of both bids and productivity – all of which can have heavy hitting financial implications and damage the company’s reputation, leading to loss of trust and further business.
How to proactively fortify operations and minimise disruption to operations
So, with all this in mind, where do businesses in this sector need to fortify most at the moment – and what can they do to mitigate risk?
Implement cybersecurity awareness training
Employee training and awareness about potential cyber threats is a good start, particularly when it comes to increased digitisation.
Whether it be phishing attempts, malware, or another threat, if staff know how to recognise and respond to them effectively, the likelihood of successful attacks will be greatly reduced.
While it’s harder to enforce strict IT security protocols with temps, and office-based workers are likely to be better trained and aware of cyber risks, all employees, whether manual or office-based, temporary or permanent, are likely to need access to sensitive information and, therefore, need cybersecurity training.
Enforcing strict privileged access controls might also help alleviate issues.
Implement Multi-Factor Authentication (MFA)
By requiring users to provide multiple forms of identification to access systems or data, MFA adds an extra layer of security, reducing the risk of unauthorised access in case passwords are compromised.
Back up data
Regularly backing up critical data ensures that even if systems are compromised or data is lost due to cyberattacks, businesses can recover their information and continue operations with minimal disruption.
Consciousness of the supply chain
There needs to be a real consciousness of the supply chain.
This involves conducting regular security audits of your supply chain to identify and mitigate vulnerabilities, and ensuring that all partners adhere to the same stringent cybersecurity standards as you.
Create an Incident Response Plan (IRP)
An IRP outlines procedures and protocols to be followed in the event of a cyber incident, ensuring that construction businesses can respond effectively and resume operations quickly after an attack.
Developing coordinated IRPs that include supply chain partners will ensure a swift and unified response to any breach.
Cyber insurance
Cyber insurance can provide an additional layer of protection and financial support in the event of a cyber incident.
Many cyber insurers will also be familiar with construction challenges and opportunities, and provide additional resources and guidance, such as:
- Understanding and acknowledging uncertainty to build resilience and excellence in underwriting practices
- Harnessing the power of data analytics, AI and other technologies to gain insights into risk patterns, identify emerging trends, and enhance decision-making processes
- Developing a culture of continuous learning and adaptation
- Segmenting risks based on their unique characteristics, which allows insurers to tailor coverage and pricing strategies effectively. In terms of construction, this might include delays in manufacturing operations, which can create a significant disruption in supply chains, or losing bids to competitors due to a cyber incident.
Unfortunately, outdated infrastructure, restrictive budgets and a lack of employee training continue to leave construction businesses woefully unprepared and vulnerable.
But by taking these steps, construction companies can protect their operations, ensure project continuity, and maintain their reputation in an increasingly digital world.
