Is cyber security a major concern for your construction business? Maybe you don’t think your company is a potential target for a cyberattack. You’d be right too if your company doesn’t use computers to store any information about your business and if you never connect to the internet.
As the construction industry becomes more connected through internet-connected solutions and remotely accessible systems such as Building Information Modeling (BIM), telematics and project management software, hackers gain more opportunities to launch a cyberattack.
Construction firms have access to a wealth of information that might be desirable to hackers. Intellectual property, proprietary assets, architectural drawings and specifications as well as corporate banking and financial accounts are all prime targets. Employee information such as full names, Social Security numbers and bank account data used for payroll is frequently targeted in spear phishing scams. Hackers often go after general contractors and subcontractors as a means to gain access to clients’ networks.
Here are a few examples of how companies in the AEC industry have become victims of cybercrime:
Turner Construction was the victim of a spear phishing scam in March when an employee sent tax information on current and former employees to a fraudulent email account. Spear phishing is an email scam targeted at a specific individual, business or organization. Hackers spoof the “From:” field in an email to make it appear to come from a trustworthy source, say from your CEO or CFO. Typical spear phishing scams include messages requesting personal information on employees such as names and Social Security numbers, corporate banking account information, or login credentials.
In the case of Turner Construction, the information provided to the fraudulent email account included full names, Social Security numbers, states of employment and residence as well as tax withholding data for 2015. All employees who worked for the company in 2015 were affected by the data breach. Turner, which is headquartered in New York, is one of the largest construction management firms in the U.S. with offices in 24 states.
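A spoofed “From:” field of the kind described above usually leaves traces in the other headers, and this added example (not part of the original article) shows a Python check that flags them. The company domain, executive names and sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "builder.example"            # assumption: your own mail domain
EXECUTIVES = {"pat morgan", "lee alvarez"}    # assumption: names worth impersonating
SENSITIVE = ("w-2", "social security", "payroll", "bank account", "password")

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def phishing_flags(raw_message):
    """List the reasons a message looks like a spoofed internal request."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    flags = []
    # A known executive's name on an address outside the company domain.
    if display.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("executive name on external address")
    # A forged From: still needs replies and bounces to reach the sender.
    for header in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            flags.append(f"{header} domain differs from From domain")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    # Sensitive keywords only matter once a header anomaly is present.
    if flags and any(word in text for word in SENSITIVE):
        flags.append("asks for sensitive employee or financial data")
    return flags

# Constructed sample: From: forged as an executive, replies routed elsewhere.
SPOOFED = (
    'From: "Pat Morgan" <pat.morgan@builder.example>\n'
    "Reply-To: pat.morgan@mail-payroll.invalid\n"
    "Return-Path: <bounce@mail-payroll.invalid>\n"
    "Subject: Need 2015 W-2 copies today\n"
    "\n"
    "Please send W-2 forms for all employees as a PDF.\n"
)

if __name__ == "__main__":
    for reason in phishing_flags(SPOOFED):
        print("FLAG:", reason)
```

Treat the flags as triage signals: legitimate third-party senders also produce Return-Path mismatches, and SPF, DKIM and DMARC checks at the mail gateway remain the enforcement control.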
Baltimore-based Whiting-Turner Contracting, another of the nation’s top construction management and general contracting companies, may have also been the victim of a data breach. In March, the company was notified by an outside vendor that prepared W-2 and 1095 tax forms for the company’s employees about suspicious activity on that vendor’s systems. Around the same time, employees of Whiting-Turner were reporting fraudulent tax filings being made in their names. In addition to employee information, it is also possible that personal information on children and beneficiaries of employees who received healthcare insurance coverage through Whiting-Turner was compromised. Whiting-Turner has 31 offices in 18 states and Washington, D.C.
The construction industry is clearly not immune to cyberattacks. Central Concrete Supply Company out of California, Century Fence out of Wisconsin, Trinity Solar and Foss Manufacturing, which makes nonwoven textile products for a number of industries, including construction, were also victims of spear phishing scams this year involving employee W-2 tax information.
Close to 100 companies have reported data breaches where employee information was compromised. There are probably many more attacks that either have not been reported yet or have so far gone unnoticed. Targeted companies span a wide range of industries including healthcare, hospitality, financial and retail. Municipalities, school districts and universities have also reported being victims of phishing scams and data breaches this year. Some of the companies you might be familiar with that have suffered data breaches this year include Advance Auto Parts, Medieval Times, Sprouts Farmers Market and Mansueto Ventures, publishers of Inc. and Fast Company.
Remember the Target data breach from a couple of years ago? The attackers got access to login credentials for Target’s computer network from one of its vendors, Fazio Mechanical. An employee fell victim to a phishing scam that allowed malware to be installed on the company’s computers. Fazio had access for electronic billing, project management and contract submission, not because it was remotely monitoring and controlling any of the HVAC and refrigeration systems at any of Target’s stores.
A spear phishing attack also led to physical damage at a steel mill in Germany. Malware was downloaded onto a company computer that had access to the plant’s business network. From there, the hackers were able to gain access to the production network, where they compromised the control systems, with the result that a blast furnace could not be properly shut down.
Here are a few tips to prevent data breaches and avoid being the victim of a cyberattack:
- Install security software on your company’s servers and computers that provides real-time protection and automatically receives the most up-to-date malware definitions.
- Make sure your firewalls are enabled and updated regularly with security patches.
- Train employees on security policies and practices. Employees should be required to change their passwords every three months.
- If employees are using mobile devices to access your company’s network, those devices should be equipped with hardware and software data encryption, and passwords or PIN locks should be used.
- Secure your company’s Wi-Fi network, both at the office and at the jobsite, by encrypting your wireless signal, securing your router with a password and filtering the MAC addresses of devices so only employees and authorized personnel can access your network.
- Regularly back up data offsite or with a trusted cloud storage provider.
Most security experts agree that it’s a matter of when, not if, your company is targeted by hackers. Even the most sophisticated networks can be breached, so it is also important to have a response plan in place in the event of a cyber incident. Your company should also invest in cyber insurance, since traditional insurance coverage such as a commercial general liability (CGL) policy might not cover cyber and technology liability.