Construction companies have not historically been an obvious target for cyber attacks, but recently this has changed. The construction industry differs in some important ways from a typical organisation, and with over 25 years of combined experience defending construction companies within our team, we wanted to share some insights. Organisations in this industry not only have to worry about the everyday attacks such as ransomware, compromised credentials and phishing; the large value of invoices (both to clients and from vendors) means they are more likely than regular organisations to be specifically targeted for Business Email Compromise (BEC). In this article we explore some of these specific threats, look at some breaches in the industry and discuss how construction companies can protect themselves in future.
Industry Analysis
In 2019 there were 1,473 reported cyber attacks in the construction industry according to forconstructionpros.com. This counts only attacks reported publicly, so the true number is almost certainly a multiple of it.
According to data breach statistics from BigCommerce, the average cost of a data breach for a construction company in 2020 was $150 million (approx. €128 million). A staggering number, but construction companies tend to deal in big numbers.
According to Rival Security, some other statistics of data breaches in the construction industry include:
The chance of a data breach is roughly 27%
84% of companies lack IT security
Every 39 seconds, there is another attack
Targeting
There are hacking groups that specifically target construction companies. The now defunct Maze ransomware group had a history of targeting and breaching large companies and claimed high-profile victims such as the French giant Bouygues and the American home builder Moseley Construction.
In June of this year (2021) the FBI warned of targeted campaigns in which construction companies were being impersonated in order to launch Business Email Compromise (BEC) attacks.
Because construction companies typically use many sub-contractors, they are more exposed to email fraud: email flows between multiple vendors, and those emails routinely carry sensitive information such as bid details sent to customers and invoices. An attacker who reads or impersonates that traffic knows exactly which invoice is due, for how much, and from whom.
Business Email Compromise (BEC) is one of the biggest threats to construction companies. In a BEC scam, criminals send an email posing as a legitimate company (often from a lookalike domain, or from a genuine but compromised supplier mailbox) to deceive the recipient into changing the bank details used for future invoice payments. In this industry a single diverted invoice can be worth €1 million.
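The practical control against the invoice-redirection scam described above is a two-part check at the accounts-payable mailbox: does the message ask for a change of bank or payment details, and does the sender's domain match, resemble, or differ from a vendor domain you have already verified? The following Python is an added illustration written for this article, not code from the original page or from any product; the vendor allowlist, the homoglyph table, the phrase list and the sample messages are all constructed for the example, and the `.example` domains are placeholders.

```python
"""Triage inbound e-mails for invoice-redirection (BEC) attempts.

Added example, not from the original article. It flags messages that ask for
a change of bank or payment details and checks whether the sender's domain is
an exact match, a lookalike, or unrelated to a known vendor domain. The vendor
list, homoglyph table, phrase patterns and sample messages are all constructed.
"""
import re
from email.utils import parseaddr

# Constructed vendor allowlist: domains your accounts-payable team has verified
# out of band. In practice this comes from the vendor master record.
KNOWN_VENDOR_DOMAINS = {"acme-concrete.example", "northsteel.example"}

# Phrases that typically accompany an invoice-redirection request (assumed list).
PAYMENT_CHANGE_RE = re.compile(
    r"(new|updated?|changed?)\s+(our\s+)?(bank|account|payment|remittance)"
    r"\s+(details|information|account)"
    r"|\biban\b|\bsort code\b|\brouting number\b",
    re.IGNORECASE,
)

# Common visual substitutions seen in lookalike domains (assumed table).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common homoglyph substitutions."""
    d = domain.strip().lower()
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small distances catch dropped hyphens and swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def match_vendor(domain: str):
    """Return ('exact', vendor), ('lookalike', vendor) or ('unknown', None)."""
    if domain in KNOWN_VENDOR_DOMAINS:
        return "exact", domain
    norm = normalise(domain)
    for vendor in KNOWN_VENDOR_DOMAINS:
        if norm == vendor or levenshtein(norm, vendor) <= 2:
            return "lookalike", vendor
    return "unknown", None


def triage(from_header: str, subject: str, body: str) -> dict:
    """Classify one message: block, review, verify-out-of-band, or allow."""
    domain = sender_domain(from_header)
    kind, vendor = match_vendor(domain)
    asks_for_change = bool(PAYMENT_CHANGE_RE.search(subject + "\n" + body))
    if kind == "lookalike":
        verdict = "block" if asks_for_change else "review"
        reason = f"sender domain {domain!r} resembles known vendor {vendor!r}"
    elif asks_for_change:
        # A genuine vendor mailbox can itself be compromised, so a change of
        # bank details is never accepted on the strength of an e-mail alone.
        verdict = "verify-out-of-band"
        reason = "payment-detail change requested; confirm by phone on a number already on file"
    else:
        verdict = "allow"
        reason = "no payment-detail change and no lookalike domain"
    return {"domain": domain, "vendor_match": kind,
            "payment_change": asks_for_change, "verdict": verdict, "reason": reason}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        ("Acme Concrete Accounts <accounts@acme-c0ncrete.example>",
         "Invoice 4471 - updated bank details",
         "Please note our new bank details for all future payments. IBAN to follow."),
        ("accounts@acme-concrete.example", "Invoice 4471",
         "Please note our new bank details for all future payments."),
        ("Northsteel <billing@northsteel.example>", "Invoice 9912",
         "Invoice attached, payment terms 30 days."),
    ]
    for hdr, subj, body in samples:
        r = triage(hdr, subj, body)
        print(f"{r['verdict']:<20} {r['reason']}")
```

Two design points matter in practice. First, the "verify-out-of-band" outcome is deliberate: the mailbox of a real supplier is exactly what a BEC actor compromises, so an exact domain match must not be treated as proof, and the phone number used for confirmation has to come from the existing vendor record, not from the suspicious email. Second, this check complements rather than replaces mail-authentication results (SPF, DKIM, DMARC) and the mail gateway's own impersonation controls; it is the accounts-payable-specific rule those generic controls tend not to express.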
Notable Incidents
In a recent publicly known high-profile case, Royal BAM was attacked by a hacking group that attempted to deploy malware (specifically modified to target BAM) to gain access to the company's files and then demand payment for the firm to regain access to its own data. BAM had fortunately been in the process of implementing new defensive systems, was able to flag the suspicious activity, and contained the threat within 24 hours. A company that does not react appropriately to an attack, or lacks sufficient security controls, can suffer major reputational damage. Other notable companies hit by breaches include:
Bird Construction (Canada)
Turner Construction (USA)
Also, some notable suppliers to the construction industry who incurred breaches include:
Central concrete supply company (USA)
Century Fence (USA)
Trinity Solar (USA)
Foss Manufacturing (USA)
Henning Harders (Logistics, Australia)
These large enterprises make the news; many smaller companies are breached without ever making it. Location and size are largely irrelevant to attackers, so no company should assume it is safe.
3 Ways Construction companies can improve their Cyber Security:
Risk Management - It may be daunting to know where to start, but understanding how well your control set matches best practice identifies the areas that need improving first. Next, look at the systems you have in place and at any key suppliers, and assess what risks they pose to the business. Lastly, understand which external threats you face and what you need to prioritise. A risk management framework pulls all of this together into a prioritised form.
Be ready to react - There is a well-known saying that there are two types of company: those that have been breached and those that don't know it yet. You must expect a breach at some point, and knowing how to act is what lets you stay calm and restore normality as quickly as possible. Build a security incident policy and run book that can be invoked when an incident occurs, build awareness of it across the organisation, and test it regularly so that people understand their roles.
Build a continuous improvement cyber programme - There is a great deal to do when you start looking at cyber security, especially with an ever-changing threat landscape, and it is impossible to do everything at once without massive impact on the business. By building a plan that addresses your risks in priority order, you can reduce the likelihood of a breach over time and ensure you have a method for identifying new risks as they appear. This structure is known as an Information Security Management System (ISMS); the best-known standard for an ISMS is ISO/IEC 27001, which is widely regarded as best practice. By aligning with an ISMS you can demonstrate to your key stakeholders that you take cyber security seriously.
Contact us for more information on how we can help your company implement any of the above and improve your cyber security posture.
References:
https://www.bigcommerce.com/articles/ecommerce/ecommerce-data-breaches/#the-costs-of-a-data-breach
https://www.infosecurity-magazine.com/news/maze-ransomware-law-firms-french/
https://www.bleepingcomputer.com/news/security/fbi-warns-of-bec-scammers-impersonating-construction-companies/