Building a Secure Foundation: Cybersecurity in the Construction Industry

BY STEPHEN PAULIN, CIC, CYBER RISK STRATEGIST, ORION RISK MANAGEMENT, AN ALERA GROUP COMPANY
AN AGC OF TEXAS HIGHWAY, HEAVY, UTILITIES & INDUSTRIAL BRANCH MEMBER

Digital transformation in the construction industry is taking hold. The use of project automation software, communications tools, Internet of Things (IoT) devices and other technologies is rising. According to Alera Group’s 2023 Property and Casualty Market Outlook (Market Outlook), the construction industry is increasingly using technology like Building Information Modeling (BIM) to enable all team members to visualize how project components, such as building materials, heating, ventilation and air conditioning (HVAC) systems will fit together. This reduces overall risk and increases transparency. 

However, the rise in ConTech has left the construction industry exposed to a significant number of cyber dangers, a threat that may have dire repercussions. Construction firms frequently work across multiple jobsites and several offices, and a large number of people have access to their systems, including remote employees, vendors and subcontractors. The complex structure and dispersed nature of construction operations’ online components further increase their susceptibility to cyberattacks.

According to Gartner, “Attacks on organizations in critical infrastructure sectors have increased dramatically, from less than 10 in 2013 to almost 400 in 2020 — a 3,900% increase.” Therefore, those in the construction industry should actively work to mitigate and prevent cyberattacks on their operations.

INCREASING CYBER RISK VULNERABILITIES

One of the biggest cybersecurity risks in the construction industry is the use of Internet of Things (IoT) devices. These devices have become extremely prevalent in construction projects, with sensors and cameras used to monitor everything from safety practices to productivity. However, these devices are often insecure and can be easily hacked, providing attackers with an easy way into the project's network.

Another significant cybersecurity risk is the common use of cloud-based software. Many construction companies use this technology to manage their projects, allowing for accessible storage and communication opportunities. However, these systems are especially vulnerable to cyberattacks. Cloud-based software can be accessed from anywhere in the world, making it a prime target for attackers, and once someone is in, a wealth of information is available for them to access. Understand that cloud computing providers are not liable for your data breach.

Additionally, the highly fragmented nature of the construction industry presents a unique challenge for cybersecurity. Unlike other industries where cybersecurity can be centralized, in the construction industry each stakeholder is responsible for their own online security. Many people have access to project management software, from employees working remotely to vendors and subcontractors. This increases vulnerability to cyberattacks, and firms often rely on consumer-grade antivirus protection and lack the IT security needed to protect their data.

SECURING SENSITIVE INFORMATION

From financial information and project plans to employee records and intellectual property, construction companies handle extensive amounts of sensitive data and the digital transmission and storage of this information puts contractors at high risk of ransomware, phishing and data breaches.

To address these risks, construction companies should invest in cybersecurity training for employees, implement best practices for network security and regularly review and update security protocols. One of the best ways to protect against cyberattacks is a layered approach to cybersecurity. This approach allows companies to implement multiple layers of security, such as firewalls, antivirus software and intrusion detection systems, which together create a network that is harder to breach because no single control is relied on alone.

The need for clear communication between all team members is significant as well. All parties involved in a construction project should be aware of the cybersecurity risks and take steps to mitigate them, which includes sharing information about potential vulnerabilities and ensuring that everyone is following best practices for cybersecurity. To proactively identify vulnerabilities and cybersecurity risks, companies should conduct regular risk assessments and audits to identify weak spots and take steps to address them before they can be exploited by cyber criminals.

To ensure adequate protection, it is highly recommended that businesses assess their existing insurance policies and engage in meaningful discussions with experienced cyber risk brokers to identify potential gaps and additional coverage requirements. Based on these assessments, businesses can obtain customized Cyber Liability coverage that fits their specific needs and provides adequate protection.

FINDING THE RIGHT CYBER LIABILITY COVERAGE  

Cyber Liability is currently perceived as the most difficult line of business to write and often results in higher rates. The insurance underwriting process will take longer and the capacity may be offered selectively at lower limits. Alera Group’s Market Outlook stated: “In 2023, (Cyber Liability) rates will increase as much as 50% before leveling off to 15% for less complicated risks as the market gains experience, introduces more limited coverages, adds exclusions and offers lower limits.”

With increasing rates and limited coverage, it is crucial for each business to conduct a thorough assessment of its unique risk exposure and tolerance levels before devising a cybersecurity program and purchasing a policy. Overlooking this step can put business continuity and reputation at risk in the event of a breach. Fortunately, assessment tools are readily available to help establish coverage limits, including loss of income, as a benchmark for effective cybersecurity measures.

Insurers have identified specific insurability factors that must be in place to qualify for coverage (new & renewal).

  1. Multi-Factor Authentication (MFA/2FA) for remote email and network access

  2. Endpoint Detection & Response

  3. Weekly Segregated Backups

  4. Dual authorization for any wire transfers over $25,000

  5. Employee Security Awareness Training & Testing (particularly phishing training for finance/accounting)

  6. Encryption of data at rest and in transit

Insurers will also conduct external vulnerability scanning of the network to detect weaknesses that external threat actors could exploit.

There is no one-size-fits-all approach to cybersecurity, but the following steps can guide construction companies in obtaining cyber liability coverage that aligns with their unique needs and objectives:

Establish data governance: Good data governance is a critical component of a strong cybersecurity policy. However, many organizations struggle to identify their vulnerabilities due to a lack of understanding of the origins, storage, classification and sharing of their data. This is especially true for construction companies, as their reliance on digital technologies is still emerging. By conducting a data inventory, classifying data, establishing access controls, implementing data retention and disposal policies, providing training and awareness, and establishing compliance and monitoring programs, construction companies can develop a comprehensive data governance framework that protects their sensitive information from cyberattacks.

Conduct a risk assessment: A critical early step in identifying and managing cybersecurity issues is to conduct a risk assessment. A risk assessment aids in identifying weaknesses in a business's systems, procedures and infrastructure and in formulating mitigation plans for such risks. To help develop a comprehensive cybersecurity plan later, companies should identify their assets, evaluate threats and vulnerabilities, assess the potential impact of a security breach and regularly review and update the risk assessment.

Determine risk tolerance: After identifying their cybersecurity risks, companies must assess their overall vulnerability landscape and determine their tolerance for risk. Since complete protection from cyber threats is impossible, organizations should prioritize investments in areas that would have the most significant impact on business continuity.

Develop a cybersecurity risk management plan: A cybersecurity risk management plan in the construction industry requires a comprehensive approach. After the risk assessment, companies can develop a customized cybersecurity plan that includes policies and procedures to protect critical assets and data, employee training programs and risk mitigation strategies. Working with experienced cybersecurity professionals can also provide valuable guidance and support in developing and implementing an effective cybersecurity risk management plan in the construction industry.

Adopt a zero-trust security model: Assessing vulnerabilities of third-party vendors and suppliers is equally important as assessing internal vulnerabilities. It is crucial to thoroughly evaluate the cyber preparedness of each third-party entity or subcontractor and not rely solely on their claims. Employing a zero-trust model can effectively safeguard businesses from potential external threats.

Monitor results for improvement: Cybersecurity is an ongoing process that requires constant adaptation to emerging threats. Businesses must remain vigilant to changes in their operations and ensure that any upgrades, such as sales software, are secure and do not introduce new vulnerabilities.

In our modern, digitally driven world, prioritizing cybersecurity is not just a choice, but a necessity for businesses. It's not solely an IT concern, but a critical aspect of overall business strategy, as it involves safeguarding mission-critical systems. Partnering with an experienced insurance broker can help businesses obtain the appropriate level of coverage. Experienced brokers can offer valuable guidance on risk management and mitigation and keep businesses informed about any relevant changes in regulatory requirements.
