Construction contractors must remain vigilant to minimize cybersecurity risks
The classic example of a cyber attack is one that exposes the personal information of customers (e.g., credit card and bank information). However, any business with systems connected to the internet is a potential victim, not just businesses that maintain large databases of customer information. The introduction of multi-user platforms accessed by different individuals both within and outside of a construction company poses an additional threat as access points and credentials are more difficult to control.
Construction companies maintain many types of information that would be attractive to cyber-criminals, including:
- Employee information. Company systems often house massive amounts of employee personal data (e.g., Social Security numbers, payroll information, financial accounts, benefit elections and information).
- Construction data. This includes project plans and specifications, as well as other confidential or proprietary data of owners, designers, or suppliers. Security information may be included within the construction plans, which, if stolen, could be used later for a more traditional type of attack on the project owner’s physical assets.
- Owner or other party data. If a contractor’s computer system is not secure, then all of the parties involved in the project become more vulnerable. A primary example is the Target breach in December 2013. In the Target breach, a cyber attack on a third-party HVAC contractor resulted in the theft of over 40 million credit cards and private data from approximately 70 million customers. The breach was traced back to an email containing malware that was sent to one of the HVAC contractor’s employees.
- Valuable company data. Company computer systems likely contain various types of intellectual property, trade secrets, company financial information, and other confidential company data.
Information is constantly being exchanged on the jobsite and a single ransomware attack can shut down a project for several days. A ransomware attack on a construction project can have severe financial implications and can have a tremendous impact on the contractor’s ability to timely achieve substantial completion. Bottom line, a ransomware attack puts a contractor’s anticipated profit at serious risk.
How contractors can defend against cyber attacks
There are some useful steps that contractors should take to help defend against cyber attacks, as well as appropriate measures that should be taken if and when an attack occurs. These include:
- Secure your systems. Construction companies should remain vigilant about updating their software, systems, and network security. This includes maintaining updated antivirus software on all computers. The updates continually released by most software providers often include updated security features that help defend against attacks. The Target data breach mentioned above could have likely been prevented had the HVAC contractor used an up-to-date anti-malware program. At the time of the Target breach, all major versions of anti-malware software detected the particular malware used to initiate the breach, but the HVAC contractor used a free version of anti-malware software that offered inferior protection.
- Educate your personnel. Company employees must know and understand the company’s security practices and be aware of potential threats, including ransomware. Cyber criminals use many different tools to trick their targets, including phishing emails.
- Create a plan. Every construction company should have a security incident response plan in the event of an attack. The plan should include protocols to be followed once an attack has been identified, including addressing technology that has been affected, guidelines regarding internal communications, client relations, and legal reporting obligations, among other things. How the situation is handled in the immediate aftermath of an attack can be crucial in limiting the company’s legal and financial exposure.
Construction companies must take the threat of cyber attacks seriously. An attack could create project delays and also cause contractors to incur massive costs for investigation, remediation, legal defense, or recovery of files held hostage. Being aware of the potential risk is the first step toward preventing or effectively responding to an attack. The risks posed by ransomware and other cyber attacks can be minimized by focusing on prevention and advanced planning.