A future ‘hot target’ for attackers: How construction companies can improve cybersecurity

by Kim Slowey, Construction DIVE, August 11, 2016

Construction companies are infamous for their reluctance to adopt the latest technologies. Most of the largest companies have made the leap, but for small and mid-sized firms, the process continues inch by inch.

However, as contractors join the digital age and begin to reap the benefits of becoming more connected with fellow employees and the outside world via computers, laptops, tablets and smartphones, they also risk opening their systems up to cyber attacks.

“It’s a tradeoff for connectivity,” said attorney Michelle Schaap of Chiesa Shahinian & Giantomasi in New Jersey. It’s the good and the bad sides, she said, of the belief that people need to be connected on demand.

These assaults on a company’s computer systems and network happen for a variety of reasons — industrial espionage, access to client or employee information or just plain theft. So why are so many construction companies behind the curve when it comes to implementation of policies and procedures that would eliminate, or at least greatly reduce, the chances of a security breach? And what can they do to reduce their chances of suffering an attack in the future?

Why cyber attacker focus on construction will ‘increase significantly’

As it turns out, contractors aren’t the only ones lacking in this arena. “It is endemic to a number of industries,” Schaap said. With the exception of the financial and healthcare sectors, “many industries still have their heads in the sand,” she said.

Those orchestrating attacks know this fact as well. They’re also aware that construction can be a lucrative, high-cash-flow business, which makes them it the more appealing to criminals, according to Percipient Networks CTO Todd O’Boyle. The small and mid-sized businesses tend to be prime targets “because many don’t believe it will happen to them,” he said.

Also, according to Jonathan Gossels, president and CEO of SystemExperts construction companies aren’t typically focused on cybersecurity. They tend to be more focused on the task at hand, which is completing their construction projects within budget and on schedule, he said. Even the smallest companies are a target, though, according to CyberArk CMO John Worrall. “Everybody is a target for attacks because everyone has something of value,” he said.

Why a focus on employees is the key to stronger security

The key to all of this, of course, is getting the message to employees that they have to follow the rules regarding personal use of connected company devices. Even though many people are familiar with how to avoid potentially dangerous emails, there are still those who don’t realize the damage they can cause by clicking on just one link. Education is incredibly effective at reducing the chances of a successful cyber attack. “Make it part of standard safety training,” O’Boyle said.

Of course, Gossels said, contractors should have a clear policy about acceptable employee use, which would include a prohibition on visiting “shady sites.” Nothing good ever comes from visiting gambling or pornography sites, particularly on a company device, he said. Even the best laid plans, however, aren’t completely foolproof.

To read the full article on how construction companies can improve cybersecurity, click here.