Cybersecurity In Construction: What You Need To Know

Cybersecurity continues to grow in importance during the technological era. You may have heard about the most recent Twitter attack on high profile world leaders. These are becoming more common and no industry is safe from them including the construction industry.

As more companies collect and store customer data and information digitally, the importance of keeping information confidential could not be overstated. For many businesses now, the commitment to keeping personal information safe and secure is part of their business values. It’s pretty common to see it, especially for any website that takes payment information. Company-wide IoT devices and algorithms also need to be secured to keep business data secure, too. 

But what is cybersecurity? In construction, what kind of information could possibly be in need of protection? Why does it matter? And how many cyber attacks actually happen? All of your questions about cybersecurity in the construction industry will be answered here!

What Is Cybersecurity?

Cybersecurity is defined as “the body of technologies, processes and practices designed to protect networks, devices, programs and data from attack, damage or unauthorized access.”

In simplified terms, it’s the protection of information and technology. 

Why Does Cybersecurity Matter?

The world we live in is digital – there’s no denying it and there’s no escaping it. From banking and health information to video surveillance and texts to your best friend, the amount of personal information stored online is incredible. It gets even more mind-boggling when you think about cybersecurity from a business perspective. 

Intellectual property, business ideas, customer lists and financial statements are just a few of the thousands of information bubbles that are now stored online, or on some kind of computer system. Every kind of business from your local contractor to the military stores information digitally. When you think of the scale of information and data that is out there the importance of keeping it secure becomes clear. 

What Is a Cyber Attack?

There is no single way for a cyber attack to happen. Cyber attacks can look very different and can have very different outcomes.

Types of Cyber Attacks

While there are dozens of different types of cyber attacks, here are just a few examples of the more popular types.

Malware

Malware is a contraction of “Malicious software”. It is a computer program or software that is often disguised as a harmless file to trick users to allow it access to their computer or to download. Malware is often created to steal data, damage devices and in some cases even completely shut down a computer or device. 

Computer viruses, trojans, spyware and ransomware are a few different kinds of malware. 

Keyloggers

Keyloggers are often installed on the backend of a device after a user clicks on an insecure link or download. They sit silent, collecting passwords, credit card numbers and other personal information as they are typed out.

Password Attacks

Password attacks happen after the collection or “cracking” of a personal password. These attacks are when an unauthorized user or software gets access to a personal account and all the information within that account. 

There are many different kinds of password attacks, too. A brute force attack uses a program to try a number of passwords until it cracks the code. Another example is a dictionary attack that goes through the most common words used for passwords, such as “Password”. According to one study, “iloveyou” and “sunshine” are two of the most used words in passwords. 

Phishing 

Phishing is when emails or phone calls collect personal data under the guise of a professional institution. This happens a lot with government or tax agencies. These tactics often use fear of governmental or legal action to trick a person into providing personal information.

These attacks often work on new immigrants or the elderly who are not as aware of the abilities of people to create mock-governmental websites and forms. Education and critical thinking are the best ways to protect yourself from these scams. In many cases, governmental agencies now have hotlines where you can report a phishing scam.

Social Engineering

Social engineering attacks commonly prey upon the reactionary emotions of people through some sort of psychological manipulation. It commonly uses email, social media or another form of communication that can invoke urgency or fear in unsuspecting users or employees. The idea of social engineering attacks is to get someone to feel like they need to act quickly, click on a malicious link, reveal information, or open a file containing malware. What makes social engineering attacks so tricky is that they completely prey upon our human nature. 

Social engineering was the kind of attack that happened on Twitter with world leaders. By using the social media accounts of well-known individuals and companies, people believed them, trusted what they were saying and acted quickly to do exactly what the hackers wanted them to do.

What do Cyber Attackers Do With Information?

For personal scams such as phishing or password attacks, the outcomes are pretty basic: stealing credit card information to make purchases on your behalf or looking for personal information for identity theft. 

For individuals, the hardest part can be finding out that you’ve been the victim of some kind of security attack. Canceling your credit or debit card, getting a new card, changing passwords, and updating personal information with your online accounts or bank are often basic steps that can be taken after. For identity theft, filing a police report and contacting creditors to put a warning on your social security number can help to protect you. 

This is why it’s so important to keep an eye on your personal accounts.

Cyber Attacks for Large Corporations

It’s often the same motivation as to why attackers go after companies vs individuals: money. 

Sometimes, their goal is to simply steal credit card or personal information in a single large data breach instead of attacking individual people. Sometimes, the data collected is held for ransom until the company pays the attacker to return the data.

Corporate Espionage

One of the most common attacks that happen in corporations is through corporate espionage. Whether it’s an employee insider trading or revealing company information to a third party, or another company or individual seeking to pull information, the whole point is that information and data move where it shouldn’t. This can happen with high profile companies and was even seen between an ex-Google employee when they moved to Uber. 

Either way, the outcome of being the victim of a cyber attack is huge for companies. It affects the trust people have in the company and brand, the reputation of the business and potentially the relationship between them and other businesses.

Crime on Construction Sites

The construction industry is very familiar with vandalism and crime. Petty theft, people breaking into construction sites and vandalism of both machinery and the site itself have been commonplace for centuries. Why people find it so much fun to break into a construction site, we may never know. 

Video surveillance, robot security guards, drone surveillance and even secured entrances have helped to mitigate these crimes.  Dealing with higher levels of physical threats than other industries doesn’t make construction resistant to cybercrimes. 

Cybersecurity in Construction

According to a study from Dixon Hughes Goodman, construction has been slow to address cybersecurity. Being a physical industry, many companies do not think of themselves as being a risk to this kind of attack.  However, construction companies often have plenty of information about investors, clients, site plans and subcontractors, and even equipment itself. 

All new construction equipment built by OEMs now come pre-fitted with telematics devices and IoT devices on construction sites is becoming more and more common. With these changes rapidly occurring, securing IoT devices on construction equipment and sites should be vital within the cybersecurity strategies of construction companies.

Most times when construction companies are victims of cyber attacks, it is this information that is held for ransom. The company must payout to gain control of their information again. The cost of these ransoms are subject to the company size and whatever kind of data is compromised. 

A Cyber Attack in Construction: An Example

Bird Construction is a Canadian construction company that was founded in 1920. They have worked on projects in commercial, institutional, retail, residential, industrial, mining, water, energy, nuclear, civil sectors and more. They pride themselves on being a premiere Canadian company that is driven by a passionate team of construction professionals. In February 2020 Bird Construction was a victim of a cyber attack.

A ransomware attack used malware to encrypt their company files, holding them ransom until they received a cash payment from the company. The attacking group – known as Maze – claimed to have stolen up to 60 GBs of data. 

What is particularly interesting about this cyber attack is that Bird Construction has close ties to the Canadian Government. The company has completed projects on behalf of the military and the federal government worth millions of dollars over the years. There was no indication at the time that any government files were compromised. That being said, it does bring to light the dangers of not securing confidential information of all clients, including high profile ones. 

Cyber Attacks are More Common Than You’d Think

In the first half of 2019, over 4 billion records were exposed by data breaches. 62% of businesses experienced some kind of social engineering or phishing attacks in 2018. On average, there are 2,244 attacks daily, or some kind of hacker attack every 39 seconds. 

These attacks happen in companies of all sizes. In 2017, Uber had data from 57 million users stolen from hackers. Trying to keep it under wraps, they paid over $100,000 to the attackers. The information included names, email addresses and personal phone numbers. 

The Good News

As cyber-attacks advance, so does the battle against them. Not only are people more educated about the signs of internet scams and phishing, but tech advancements are also helping to keep information more secure in the very beginning. 

AI and machine learning technologies are a major contributor to this. Machine learning can be used to identify malicious behaviour by learning network behaviour to identify a threat. 

IoT or Internet of Things continues to act as both a beacon for hackers and protection against them. The ability to get access to all kinds of information through a single device is tempting. However, it also means that there are multiple ways for the owners of data to block attacks and maintain control of their information. 

Two-step authorization, phone notifications on accounts activity, and digital firewalls and alert systems all help to protect against and warn about unauthorized access. 

Protect Your Business

The construction industry is becoming more and more digital. Even small companies are moving their invoices, payment information, bookings, fleet tracking, payroll, employee information and more online. It’s important to take steps early on to protect your data. 

Identifying valuable information and where it is located in your network is the first step. Once you do this, you can establish cybersecurity protocols, password standards and procedures for checking your digital security. The biggest piece of protection is setting up an action plan if your business does come under attack. 

While anti-virus software and digital technology are great tools to protect your business, human error can be a leading factor in any kind of information breach. Having clear protocols in place and communicating those with your people are a great way to protect your business.

You may think it will never happen to you, but it’s important to take these threats seriously before you become a victim of a cyber attack.