Cybersecurity has taken center stage in the news recently, following several devastating attacks on local and foreign entities.
However, while the risks may seem to be at an all-time high for companies looking to protect critical data, some industries are reluctant to adapt, rendering them vulnerable to future breaches.
Over the past decade, increased adoption of IT systems within the construction industry, coupled with insufficient security protocols, has created a perfect storm for cybercriminals looking for their next target. In fact, a recent Forrester survey revealed that more than 75% of respondents in the construction, engineering and infrastructure industries had experienced a cyberincident within the last 12 months.
Given this growing trend, it's imperative for industry leaders to take preemptive measures to safeguard their digital assets, including creating a cybersecurity framework that is widely used by every member of their team.
Many industry outsiders assume that because construction companies deal primarily with tangible items (rather than information), they are less likely to fall victim to cyberattacks. However, it is exactly this line of thinking that provides a window for hackers to strike where it is least expected.
Historically, the construction industry has made its debut into the digital world primarily out of necessity, or to maintain a certain level of market competitiveness. There was no real investment in data protection because there wasn't much data to protect. Any data of this sort was typically in hard copy form, and most of it was turned over to the project owner following construction.
Today, most construction companies have successfully integrated the latest technology tools into virtually every aspect of their operations, from design work to project management and even customer tracking. Yet unlike highly regulated industries such as finance or health care, many construction firms do not have a cybersecurity protocol in place, thus making them more susceptible to cybercrimes.
The construction business can also be quite lucrative — particularly for large general contractors — making it even more attractive to hackers. In fact, construction is perennially ranked as one of the most profitable trade-based industries.
Additionally, construction firms often have valuable information stored on their servers that could be of interest to internet lurkers. Confidential employee data (Social Security numbers, bank documents, etc.), blueprints for highly regulated buildings (hospitals, banks, schools, government entities) and eventual access to the company's computer software are a few examples of data that must be kept safe.
Aside from the potential damages a construction company could face in the event of a breach, another factor to consider is the liability that comes with not having a robust cybersecurity framework in place. If you're operating without such a policy, and your company's information is hacked, you could be held liable for negligence. Moreover, if a building's IT system is broken into once it's fully operational, and evidence suggests the break-in was caused by a lack of attention to security during the design and building phase, the resulting liabilities could be extremely costly to the design and/or construction professionals responsible for the security breach.
Take, for instance, Turner Construction in Seattle. In 2016, the company fell victim to a major phishing scheme that exposed the Social Security numbers of 566 current and past employees across the state. According to the Washington State Office of the Attorney General's website, an employee mistakenly forwarded private information to a fraudulent email address, which led to a companywide breach.
In addition to the potential legal ramifications, there are other costs that are often overlooked. For example, a company's insurance premiums could go up significantly after a cyberattack. Companies may also experience a drop in new business or the loss of existing business due to poor public perception. Further, the damage to a company's reputation and trustworthiness may have unforeseen consequences.
How to prevent cyberattacks
One of the inherent vulnerabilities that exists within the construction industry is the number of people who interact with critical project information on a daily basis. Everyone, from the original architect to the project management team and contractors, has access to various data streams, allowing for potential human error and information leaks.
To ensure all proper protections are being executed regularly, consider the following tips:
• Conduct a cybersecurity audit: In general, many companies assume that all cybersecurity support should fall within the IT team's range of duties. In reality, there are several areas that must be considered in order to adequately protect a company's data assets. Consider hiring an outside entity (such as a law firm or an insurance agency) to conduct a cybersecurity audit with the goal of protecting the company from unnecessary harm during a breach. This may include taking inventory of all data assets and ranking them by importance. Audits may also involve training of employees, particularly the human resources team, to track current and past employee access to critical data and information systems.
• Consider potential threats when designing the project contract: Assessing the cybersecurity risks during the contract drafting phase is becoming a major consideration for business owners and their respective legal teams. Most construction contracts have a provision outlining ownership of intellectual property (blueprints, diagrams, schematics, etc.). However, as cyberthreats continue to plague the workplace, the parties must consider who is responsible for ensuring the security of various forms of data. If one party is required to have security protocols in place, it may require the other party to implement similar security controls. Having an understanding of the cybersecurity risks and the obligations imposed by a contract is critical.
• Limit access to information throughout the duration of a project: Typically, construction companies will have secure servers and repositories available to house proprietary information. Larger contractors have a stand-alone server with a log-in and password that has a record-keeping function to track who is downloading information. To ensure this information is kept secure, consider limiting access to information whenever possible. For instance, perhaps site blueprints are only accessible by project managers, architects and owners, while the general project guidelines are available to everyone.
• Assess each job individually: Even with the proper planning, unforeseeable circumstances can occur on any project. At the very beginning of a new engagement, assess the possible areas for concern based on the task at hand. Are there more team members involved with this project that need to be trained on your protocol? How much access will the team be given to the project plans, timeline, budget, etc.? What about the structure itself? Is there any information about the building or complex that requires additional protections? If it's a highly regulated industry, are there any existing rules or regulations in place that need to be followed?
• Invest in cybersecurity insurance: Once a plan is in place, company leaders should discuss purchasing cybersecurity insurance to add an additional level of protection. Though often expensive, investing in the proper insurance is often the only way to avoid damage in the long run. Some industries are already making strides. For instance, in the financial world, nearly 30% of financial advising firms have some sort of cyber coverage, according to InvestmentNews. It's only a matter of time until the construction industry follows suit.
• In the event of a breach, have an action plan in place: If a breach does occur, a full forensic analysis of the affected computer system is advisable. Company leaders and legal and insurance teams need to understand exactly what was stolen, why it was stolen and potentially by whom to successfully mitigate company losses. In construction especially, time is of the essence — any setback could mean hundreds of thousands of dollars in lost production time. Having a game plan in place helps to minimize the damage to operations, ensuring companies get back online faster.
Joshua Lorenz is an attorney at Pittsburgh-based law firm Meyer, Unkovic & Scott. He focuses his practice on construction law and litigation. Joshua can be reached at firstname.lastname@example.org. Michael Monyok is a partner at the firm. He focuses his practice on intellectual property matters including procurement, management, licensing and litigation. He can be reached at email@example.com.
Originally published on The Legal Intelligencer.