Why the construction industry needs cybersecurity
It’s no secret that cybercrime is costly. According to a study by McAfee and the Center for Strategic and International Studies, the cost of cybercrime to the global community reached record levels in 2017, totaling between $445 and $608 billion.¹ By 2019, the global cost of data breaches is expected to increase to $2.1 trillion.²
The risk of unauthorized access for middle market companies is growing. According to the RSM US Middle Market Business Index, significantly more middle market companies (13 percent versus 5 percent) contend they experienced data breaches than did only three years ago.
One significant reason for this increase is the growth of ransomware. In fact, the FBI stated that ransomware victims paid approximately $209 million to recover stolen files just in the first quarter of 2016—a profound increase from the $24 million in ransom payments made in 2015.³
Middle market companies are the most vulnerable
Cybercrime isn’t slowing down, and all businesses are at serious risk of data hacking. But perhaps more than any other industry, the construction industry is known for its sluggish adoption of new technologies—including technologies that could help prevent (or at least deter) hackers. That makes contractors extremely vulnerable to cybercrime threats, especially smaller and midsize companies that don’t have the resources of larger companies. According to the NetDiligence 2017 Cyber Claims Study, 88 percent of claims that year were from organizations with under $2 billion in revenue.⁴ Furthermore, companies with less than $50 million in revenue were the most affected, accounting for 47 percent of claims. In 2018, these middle market companies are seeing an increase in data breaches, with 13 percent reporting incidents in just the first quarter of the year⁵—that’s compared to just 5 percent in the same period three years ago.
Contractors are at risk
High-profile breaches at companies such as Cambridge Analytica, Equifax, Yahoo and Uber demonstrate that just one breach is all it takes to cause serious financial havoc and potentially irreparable reputation damage. That’s why construction companies must take the risk seriously. These companies have what hackers want: bank account information, payroll and accounting systems, financial reports, intellectual property, and customer data.
In addition, construction companies often have points of entry that can be easy to hack. There are a number of significant and common risks for a breach:
- Phishing is an approach whereby an unsuspecting employee opens an email attachment or clicks on a link that he or she believes is safe and yet actually downloads malware.
- Fake websites, where victims share their credentials, allow thieves to access private company information.
- Ransomware can evade security software and require a company to pay ransoms to regain access to its own information.
Balancing technology and risk
There are ways that construction companies can take advantage of the benefits of technology and still mitigate their cyber risk.
- Understand the potential threat: Before a company can put a plan into place, it must first understand the risk. Contractors must educate themselves about the potential risks and acknowledge that putting together a comprehensive safety plan is vital to protecting their company.
- Conduct a risk assessment: How can a network be protected if a company does not have a full scope of what that network includes? To put a plan in place, a company must first take inventory of its systems, hardware, software and data, then conduct a full risk assessment to pinpoint any areas of vulnerability. As part of the risk assessment, companies also need to consider any third parties that have access to the company’s network.
- Implement layers of security: While small and midsize contractors often do have budget limitations, there are many cost-effective ways they can defend against cyberattacks. For example, encrypting laptops and external storage drives is a relatively inexpensive way to reduce the chance of exposure in the event a laptop or other device is lost or stolen. Another inexpensive safeguard is properly disposing of paper records and controlling how they are accessed. Yet another is making sure employees use strong passwords for their devices. Companies should regularly update their firewall and antivirus software. Siloing (or dividing) information can help minimize the access a hacker can get to company data. Investing in cyber liability insurance is also recommended.
- Educate employees: The difference between a breach and safety can literally come down to the click of one employee. It’s important for contractors to train employees regarding the threat of cyberattacks and how to safely defend against such threats. Employees with access to company information should be properly trained regarding the rules of device usage and what to do in the event of a breach.
The time to prepare is here
The frequency of cyberattacks is increasing, and every business around the globe is vulnerable to this serious threat. Contractors are no different. They must act now to put the proper cybersecurity in place to protect against becoming the next big breach.
1. D. Bisson, “Global Cost of Cybercrime Exceeds $600 Billion in 2017, Report Estimates” (Feb. 23, 2018) Security Intelligence.
2. R. Simpson, “How to Improve IT Security in the Construction Industry” (July 5, 2016) Gray.
3. D. Bisson, “Global Cost of Cybercrime Exceeds $600 Billion in 2017, Report Estimates” (Feb. 23, 2018) Security Intelligence.
4. S. Renshaw, “Combatting cyberattacks: 5 steps to managing cyberrisks” (Nov. 10, 2017) RSM US LLP.
5. “Hackers increasingly target upper middle market companies” (March 20, 2018) RSM US LLP.