As the construction industry digitises rapidly, organisations need to be aware of the growing cybersecurity threats they’re facing. In the past, the industry was largely run with pen and paper. Nowadays, with the introduction of IoT and digital construction management software, technology is beginning to play an increasingly big role in how construction companies operate. Despite the efficiencies created by the adoption of new technologies, this change brings new threats and, therefore, new requirements to avoid falling victim to cyberattacks.
Jobsite spoke to Douglas Zuzic, Information Systems Manager at Richard Crookes Constructions, to find out the biggest threats the industry is facing and how to combat them.
What is the biggest cybersecurity threat you’re seeing in the industry today?
We’ve seen a big rise in fraudulent head contract claims and subcontract claims. The industry has low volume but high value transactions when it comes to invoices and claims. So what’s happening is that, because of their high value, they’re on the radar of scammers and cybercriminals. They’re collecting all the names of construction companies’ CFOs and executives, as well as details and emails of the accounting teams. What they do is they submit a claim saying that their bank account details have changed, and they are providing new – fake – details.
There are a number of ways to mitigate the risk of this happening, such as security awareness training for staff to ensure they know what to look out for. It’s also important to look at how you manage your financial controls. Implementing additional sign-off processes, not accepting payment requests over email, or requiring additional steps when changing bank account details are all things that can help prevent falling victim to such scams.
What are some of the impacts of technology you have seen on cybersecurity in the construction industry?
The rise of IoT has presented new challenges for cybersecurity in the industry. If a connected device is compromised whilst assessing something that is critical to the delivery or safety of a project, it can cause major issues.
Data theft protection can be challenging since the nature of the industry is so highly collaborative. With hundreds of people sharing documents between subcontractors, clients, and architects, it can get difficult to protect your intellectual property. There is also the matter of the employees who move on to work with competitors.
Managing data security can be difficult but there are a few things you can do. Password protections, project level permissions, and user access control within your construction management software can help protect data internally. Externally, firewalls and antivirus are important to protect data from those outside of your company.
A lot of construction processes that used to be manual are becoming digital. Along with digitisation, new requirements to manage data security emerge. Defect management and site-based forms, for instance, have all gone digital, which has resulted in a greater need for digital storage with project archives.
Storing this volume of data means there needs to be protection in place, in case of technical failures or cyber-attacks. At Richard Crookes, we have a disaster recovery facility. We also do nightly backups, and our security vendor provides internal and external penetration testing to look for vulnerabilities and weaknesses on the network.
What are your top 5 hard and fast rules for cybersecurity in the construction industry?
- Implement staff awareness training for all staff so they are aware of the threats
- Review your financial controls and procedures
- Review your technology controls to make sure that you are mitigating any potential risk
- Always have backups and a recovery environment
- Be prepared for the worst. These things will happen; it’s just a matter of time