Cybersecurity in Construction: Everything You Need to Know—From Phishing to Ransomware

July 7, 2020 Cory McCutchin

Cybersecurity has been important since the advent of the internet. Bad actors have digitized their approach to committing fraud and other criminal activities through the internet.

These crimes leave countless victims in their wake. Personally identifiable information (PII), leaked in recent data breaches, is a hot commodity on the dark web for other criminals looking to further the cycle of harm inflicted on unsuspecting consumers. 

Meanwhile, businesses that experience a breach can expect a litany of challenges: hefty fines, litigation, a loss of customer trust. A survey reported that 81% of consumers would stop engaging with a brand online after a data breach, while more than half of small businesses that experienced a data breach expect to go out of business within six months of said breach. 

The sense of security and safe browsing seem more and more alien as the digital world we’ve become so tethered to constantly gets plagued with data breaches. What’s more, as we face global crises that threaten our lives and livelihoods, cybercriminals have targeted hospitals with ransomware, taking advantage of a worried populace with opportunistic coronavirus scams in emails, text messages, and voicemails that leave remote workers, and company networks, vulnerable to breach through phishing lures. One recent successful exploit left the University of California with no choice but to pay millions to salvage life-saving medical research.

And while machine learning and AI tactics are finding their ways into the playbooks of companies like Google and thwarting phishing attempts before they reach your inbox, experts say they alone are not enough.  

It’s easy to feel a sense of defeat with so many negative headlines. According to the FBI’s Internet Crime Complaint Center, cyber-enabled crimes have dramatically risen, represented by a staggering $2.7 billion in financial losses in the U.S. in 2018, and $3.5 billion in 2019, while globally cybercrime damages are expected to reach $6 trillion by 2021.  

Meanwhile, justice for victims is seldom seen and involves lengthy investigations.  

But the purpose of this article is not to merely spread doom and gloom. It’s to educate. Considering that 60% of IT managers think cyberattacks are inevitable, the key to a strong cybersecurity defense, then, is to take a proactive approach—thinking not “if” but “when.”

Thus, in this article, I’d like to discuss: 

  • why cybersecurity is important for the construction industry, too 

  • some proactive steps you can take to protect your company against cyber intrusions as well as how to plan for the unfortunate day when a cyberattack might transpire 

Construction Cybercrime is on the Rise 

When it comes to massive, national headlines about data breaches, technology companies like Facebook and industries like healthcare and even ecommerce seem to be reported on most frequently. And this makes sense, considering these types of companies store massive amounts of sensitive user (personally identifiable, financial, or medical) data that can be valuable to those seeking to extort and blackmail victims. 

But in fact, recent years have proven there is a rise in cybercrime in the construction industry. A startling ransomware attack at an Ontario-based construction firm helps to illustrate how the construction industry is not immune to the data breaches and cybercrime that have seemingly become so culturally commonplace.  

So why are cybercriminals turning to construction companies? There are a number of cybersecurity weaknesses that could leave construction companies vulnerable to cybercrimes: 

  • Mobility: Contractors are on the move and demand constant connectivity—to connect the dots and improve communication between teams working in the office, at the tool crib, in the field, and on the road. Connectivity isn’t an inherently bad thing. However, it creates more points of entry where attackers could attempt to infiltrate weak (or nonexistent) security protocols. For instance, when you’re on the go, accessing the internet through a public Wi-Fi hotspot—like those you’d find at a coffee shop, at a hotel, or at the airport—might seem convenient, but these unsecured connections leave you open to interception. When it comes to mobile work, if you have to get a time-sensitive email out or issue payment to a vendor, it’s important to exercise caution, whether that’s holding off until you can get to a secure, protected network, or opting for a VPN.

  • Bring Your Own Devices (BYOD): Oftentimes, contractors employ trades and subcontractors, and don’t hand out company-issued devices. While it might not be feasible to provide devices to your team members, relying on personal devices can open risks. Thus, it’s important that your team members are aware of cyberthreats and that you educate them (we’ll talk about this more later) and encourage them to practice good digital hygiene. 

  • Cloud-Based Threats: It makes perfect sense to move away from traditional methods of storing data on physical servers alone and back them up to the cloud—this gets everyone on the same page, helps with collaboration, and ensures your data is retrievable should something unexpected, like a crashed network, render your physical server irretrievable. But just as a traditional computer network can be attacked and held hostage, cloud-based data storage has its weaknesses. A misconfiguration could leave you open to a breach. Thus, the importance of vetting your cloud provider shouldn’t be understated. You don’t want your data migration to be their first rodeo!

  • IoT: IoT is rapidly evolving, with new, innovative technological advances that are changing how work gets done—from drones flying over your workers’ heads and visualizing the jobsite, to wearable cameras for safety walk-throughs, to remote-control cranes. But with such advanced technology that’s always improving and becoming more complicated, more vulnerabilities are bound to surface and be taken advantage of by attackers, and these security issues could leave devices and equipment susceptible to hijacking. Legitimate vendors know this and will be constantly searching for vulnerabilities and patching them with firmware updates—thus, it goes without saying, you’re not going to want to hold off on those updates as they become available. You should also consider using a VPN to protect your data and minimize the network exposure of all control devices.

Cyberthreats to the Construction Industry 

Some of the most common cybercrime complaints include non-payment/non-delivery scams, extortion, and personal data breaches, among others.  

While it might not seem like it, construction companies are the perfect targets for these kinds of crimes, as they often work with many different vendors, where data transfer, streamlined communications, and mobility are necessary. This opens the door to interception of all kinds. 

  • Social Engineering/Wire Fraud: This could consist of mining your team’s social media and professional profiles to learn more about your company and the people you do business with, in order to craft a more believable ruse (spear phishing; we’ll talk more about this later), masquerading as a vendor that didn’t receive payment. Wire fraud is especially dangerous because it’s hard to trace once payment is issued, so it goes without saying you should never send a wire transfer without authenticating first. 

  • Phishing refers to mass fraudulent email campaigns, or campaigns sent through other means (such as SMS text messages, also known as SMishing, or voice conversations over the phone, known as Vishing), that intend to trick you into doing something that will put you or your company at a security risk. This could be carried out by trying to convince you to download a corrupted PDF file or Excel file that actually contains malicious code that, when opened, forces your computer to download malware or spyware. Or it could include a malicious link, disguised as a legitimate website, which harvests login credentials and other sensitive information.

  • Hacking: Hackers might use a vulnerability in order to gain access to an unsecured database or website and install malware or web skimmers that harvest user data, login credentials, financial transactions, and more.  

  • Malware/Ransomware: Ransomware, as the name suggests, is motivated monetarily. These attacks target vulnerabilities in computer networks in order to lock companies out of their own servers and hold their files hostage until the ransom is paid. Oftentimes, hackers perpetuate their blackmail schemes even after ransoms are paid.

  • Credential Stuffing: Oftentimes, attackers will reuse credentials leaked in a data breach in other online websites, banking on the possibility that users have used their credentials across various web destinations they may frequent. Hence, if their gamble paid off and a user’s leaked social media credentials have been used on other online accounts (email, even online banking), the attacker would be successful in gaining access to more accounts and doing more harm. 

  • Distributed Denial of Service (DDoS) Attacks: This happens when an attacker floods/overloads your server with excessive requests, hoping to crash it.

Combating Cybercrime in the Construction Industry 

We now know that there are a number of cybersecurity weaknesses and cyberthreats that leave the construction industry vulnerable to attackers.  

So how do you combat these potential attack surfaces and fight back against would-be attackers?  

Educate Workers  

Your workers are your first line of defense. 

With that in mind, it’s critical that you stress the importance of practicing good digital hygiene, especially if you have a bring your own device (BYOD) policy in place.  

  • Make sure to update software frequently. Apple is vigilantly looking for vulnerabilities in iOS and issuing security updates. While Android OS is more fragmented across more devices, they too offer security bulletins for major device manufacturers like Google and Samsung. Running the most up-to-date software could help keep your device safe from a software vulnerability that a hacker could exploit against you in an attempt to compromise your device. 

  • Choose a good, strong password: Passwords are the weakest cybersecurity link. But you can improve your passwords’ strength by following a few steps: 

      • Make it at least 12 characters.

      • Use Numbers, Symbols, Capital Letters, and Lower-Case Letters. Using a mix of different characters makes your password harder to guess. If it’s hard for you to remember, that’s a good start.

      • Avoid Dictionary Words or Combinations of Dictionary Words: Any word on its own is a bad idea, and so is any combination of a few words, especially obvious combinations (or contextually obvious combinations), like “white van” or “tool crib.” Stay away from those!

      • Don’t Rely on Obvious Substitutions: Obvious, transparent substitution of letters with numbers, like “h0me,” can be easily guessed and should be avoided.

  • Consider using a password manager. Password managers like LastPass can save your passwords for you and offer password generators to help you come up with strong passwords that are not easily guessed/cracked. 

  • DO NOT reuse passwords. If one account is hacked into, all are hacked into. 

  • Be wary of unsolicited emails. Phishing attachments and links in emails and even text messages will try to convince you to complete an action, to either download an attachment or click a link, which could contain malware or take you to a spoofed site (like an email or website sign in page) that is nothing more than an elaborate ploy to steal your website credentials.  

  • Be wary of emails requesting payment. Emails requesting payment should be scrutinized extra carefully, especially considering that “spear-phishing” campaigns are on the rise and harder to detect. This is when a scammer does extensive research to build a profile to use to make their scam seem more believable. It’s important to always verify that the source of an email is legitimate, because an email address can be easily spoofed to look like it’s coming from someone else. For instance, a scammer might spoof your company’s CEO with a fake outstanding bill he wants you to pay. If you receive such an email, it’s always a good idea to give the supposed sender a call to verify the request is legitimate.

  • Enable Two-Factor Authentication (2FA)/Multi-Factor Authentication (MFA). Using multi-factor authentication or an authenticator app adds a step before you gain access to an account: a prompt or text message sent to your device. This can help ensure that, if a password is leaked or cracked, an attacker won’t be able to access your account unless they also have physical access to the device linked to your account, making hacking into your account much more difficult.

  • Use a VPN. Remote access leaves networks vulnerable and a VPN can anonymize your web traffic and prevent snoopers from, well, snooping. 
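
The password rules in the list above (length, character mix, no dictionary words or combinations, no obvious substitutions) can be checked mechanically. The checker below is an added example, not part of the original article; the small word list, the substitution table and the function names are assumptions made for the illustration.

```python
import re

# Constructed mini word list (assumption); use a full dictionary plus
# company and trade terms in practice.
WORDS = {"white", "van", "tool", "crib", "home", "password", "crane"}

# Look-alike substitutions undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = {"number": r"[0-9]", "symbol": r"[^A-Za-z0-9\s]",
           "capital letter": r"[A-Z]", "lower-case letter": r"[a-z]"}


def is_word_combo(text, words=WORDS):
    """True if text is one dictionary word or several run together."""
    if not text:
        return False
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(reachable[start] and text[start:end] in words
                             for start in range(end))
    return reachable[-1]


def letters_only(text):
    """Drop everything except lower-case letters (spaces, digits, symbols)."""
    return re.sub(r"[^a-z]", "", text)


def check_password(pw):
    """Return the rules from the list above that pw breaks (empty list = passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    for name, pattern in CLASSES.items():
        if not re.search(pattern, pw):
            problems.append(f"no {name}")
    lowered = pw.lower()
    # Padding such as "!2020" at either end is dropped before undoing
    # substitutions, so it is not mistaken for letters.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if is_word_combo(letters_only(lowered)):
        problems.append("dictionary word or combination")
    elif is_word_combo(letters_only(core.translate(LEET))):
        problems.append("dictionary word with obvious substitution")
    return problems


if __name__ == "__main__":
    for sample in ("white van", "h0me", "T00l-Cr1b!2020", "r7#Vq2!mZx9&Lp"):
        print(repr(sample), check_password(sample))
```

Note that "T00l-Cr1b!2020" satisfies the length and character-mix rules and still fails, because underneath the substitutions it is "tool crib".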

Data Management: Beef Up Your Construction Cybersecurity  

Experts suggest taking a proactive approach to cybersecurity—think not what you’ll do “if” a cyberattack occurs (reactive) but “when” (proactive).  

Aside from making sure your network is protected by a firewall that is regularly updated, it’s also important to: 

  • Conduct a threat analysis to see where you stand in terms of cybersecurity. Consider doing this annually or more often. 

  • Secure endpoints. If you do have a bring your own device (BYOD) policy, then also make it part of your policy that your team members use a VPN. Stipulate that your team has installed anti-virus software on their laptop computers. Ensure devices are running the most up-to-date software. 

  • Consider investing in advanced threat detection software  

  • Invest in cyber insurance  

Cybercrime in the construction industry is only likely to increase. 

As technology advances, cybersecurity also advances—but so do cybercriminals’ attack sophistication, as well as their attack vectors which increase as 5G wireless technology makes network security more complicated. 

Construction cybercrime is on the rise. 

But that doesn’t mean call it a day and let hackers win. Assessing your company’s cyber practices, and adopting a proactive approach to cybersecurity, is a good place to start your cyber defense in 2021 and beyond. 

Further, with changing privacy laws both in the US and abroad, it's crucial for construction companies to familiarize themselves with those laws to the benefit of users and to protect themselves from liability. 

TL;DR 

Cybersecurity issues in construction include

  • Accessing unsecured networks when mobile  

  • Bring Your Own Devices (BYOD) policies that could expose your company to risks if your workers’ digital hygiene is lacking 

  • Cloud-based threats, such as server misconfigurations, necessitate vetting your cloud-based software provider  

  • IoT vulnerabilities necessitate staying up to date with device firmware  

Cybersecurity threats in the construction industry

  • Social engineering/wire fraud 

  • Phishing 

  • Hacking 

  • Malware/ransomware  

  • Credential stuffing 

  • Distributed denial of service (DDoS) attacks

To combat cyberthreats in the construction industry, it’s important to: 

Educate workers 

  • Use strong passwords. Don’t reuse passwords for multiple services. Consider a password manager.  
  • Use two factor authentication (2FA) 

  • Be wary of attachments or links in emails or text messages sent from unknown senders. Verify the source of the email (it could be spoofed)

  • Be wary of emails requesting payment  

  • Use a VPN 

Data management 

  • Take a proactive approach 

  • Conduct regular threat analyses 

  • Secure endpoints   

  • Consider investing in advanced threat detection software  

  • Invest in cybersecurity insurance 

About the Author

Cory McCutchin

Cory McCutchin is a senior software architect at Milwaukee Tool with over 12 years of technology experience. Joining the One-Key architecture team in 2016, Cory plays a vital role in innovating and leveraging technology to enable users and grow the One-Key platform. Prior to Milwaukee, Cory spent several years working with e-commerce technology and is a proud Air Force veteran.
