The construction industry is in the midst of a digital revolution. Firms across the UK are now embracing automation, data analytics and cutting-edge technology to push them ahead of their competition whilst ensuring they remain compliant with ever-changing building and data regulations.
However, where technological innovation emerges, so do evolving cyber threats. In 2022 alone, approximately 39% of construction firms across the UK said they’d experienced some form of cyber-attack. Sadly, around one in five also declared they’d been victims of more sophisticated attacks, such as malware, ransomware and denial of service. Unfortunately, with the underreporting of attacks, as well as the lack of understanding, this figure is likely to be much higher.
As an industry that is worth around £381.74 billion, it’s a prime target for financially motivated cyber-criminals who might use ransomware attacks to make a profit from unsuspecting firms. However, the major winner for many cyber-criminals is the data available within the industry. Using phishing scams, spyware and ransomware, criminals can harvest vital data, often without firms knowing. Sadly, this can be catastrophic for construction businesses.
What is Cybersecurity in Construction?
Cybersecurity in construction involves the safeguarding of digital assets, information, data and systems from malicious intent and cyber criminals. It’s not just about having good anti-virus software in place, it’s also about applying cybersecurity best practices across your organisation.
When it comes to cybersecurity for construction firms, there are more variables at risk other than financial data and private client information. Businesses must also consider safeguarding their project and development plans, existing employee information and even on-site equipment that could be affected. From the C-suite to the accounts department and the project managers to on-site contractors, it’s everyone’s responsibility to ensure company, project, employee, client and contractor data can’t be compromised.
Why is Cybersecurity Important for Construction Businesses?
As digital assets and software are more commonplace within construction businesses, firms have a greater onus to protect their data. According to guidance published by the NCSC (National Cyber Security Centre) and the CIOB (Chartered Institute of Building), cybersecurity must encompass every aspect of a construction project, starting in the drawing and design stages to completion and final document sign-off. Even whilst projects are in their preparation stages, greater emphasis should be placed on preserving and protecting both client and contractor data too.
As a data-rich industry that’s worth over £300 billion, the consequences of a cyber-attack could be beyond catastrophic. It’s estimated that for every record compromised, it costs businesses at least £15,300 in damages. Even for firms with only 10 clients on their books, this could be a huge price to pay. That’s why cybersecurity for construction has never been more important.
Alongside significant costs and penalties, construction firms could experience reputational damage if they’re caught out by a cyber-attack. As well as loss of faith amongst customers, it could also impact prospective tenders, tarnishing a firm’s opportunity to win a big contract.
In a recent study, it was determined that a cyber-attack took an average of 204 days to detect with a further 73 days to contain. It’s worth noting that this is reflective of all businesses, not just construction. With attacks often lasting well over half a year, they can severely impact project delivery and factors within the supply chain. There’s also an increased risk of subcontractor and contractor data being compromised too, leaving a trail of destruction for firms to clear.
What Cybersecurity Risks Does the Construction Industry Face?
● Phishing Scams
Around 83% of construction businesses have experienced a phishing attempt. Whilst many haven’t fallen for its deceptive nature, others have. Phishing scams, such as emails or texts, often express a level of urgency, encouraging recipients to act without thought of the consequences. Within construction businesses, these often appear as managing directors or key individuals within the C-suite making transactional requests such as to process an invoice, applying a level of authority to the message.
● Data Breaches
Construction firms are treasure troves of valuable data that cybercriminals can exploit if they are given the chance. From banking and account details to subcontractor information, everything is at risk if construction firms don’t prioritise cybersecurity. Unfortunately, data breaches can be the most tricky situation for businesses to get themselves out of, often requiring expert help to contain and remove the threat.
● Computer Viruses
In 2022, around 5% of construction businesses were victims of fraud, making building firms the most likely target for cybercriminals. Often caused by computer viruses, around 79% of the industry still doesn’t prioritise cybersecurity, have the right deterrents in place or the controls to protect their data. With 26% of businesses not employing the right updates or patches to protect their devices, it makes the industry easy pickings for criminals.
Ransomware is one of the biggest cyber threats the construction industry is currently facing and it’s an issue many firms are actively worrying about. Unfortunately, with a growing need to adapt to digitisation, due to pressures faced by the government and competition, around 21% of construction firms experienced a ransomware attack within the UK.
What’s more, many have fallen victim to RaaS, or Ransomware as a Service, which has seen a major spike in attacks across the industry. These types of attacks can cripple construction operations, holding critical data for ransom with the promise to return it once a ransom is paid. Of course, a promise to cybercriminals is a very loose term, with many paying the ransom and remaining locked out of data.
Spyware is another sophisticated form of attack that can infiltrate construction firms and collect sensitive data, often without businesses knowing. Similar to a parasite, it continues to feed off data, draining your resources and leaching critical data. Sadly, it’s often found attached to emails, designed for you to harmlessly click on.
● Denial of Service
Sophisticated attacks, including denial of service, have affected around 21% of construction firms. This form of attack essentially shuts down devices making them unusable and prohibiting individuals from completing their work. It can also shut down networks or websites by flooding them with traffic, causing them to crash.
How Can Construction Businesses Safeguard Against the Risks?
The key to safeguarding your construction business’s data is remembering that cybersecurity always matters throughout every stage of a project. As outlined by the NCSC and CIOB, this should cover from the design to the handover stage, as well as across your supply chain.
When using any platform, it’s important to know how it safeguards your business’s data and deters cybercriminals. Whilst software platform providers, like RedSky, take responsibility for releasing patches and ensuring the systems are up to date, construction firms must determine what their cybersecurity strategy looks like. This might include hiring IT professionals as a precaution to manage an attack, as well as producing a contingency plan in the event of a breach.
You’ll also want to establish deterrents for criminals, such as complex passwords or biometric scanners. Passwordless entry or two-factor authentication are also suitable means that allow the right person access to databases and platforms. When using an ERP System, like ours, it’s normally hosted on a secure server as a first precaution. Employing either a complex password structure, one-time password generator, biometric scanner and two-factor authentication, are all deterrents for cybercriminals. If construction businesses are now looking into a suitable software solution for them, they should only invest in reputable products.
Software aside, a cybersecurity strategy for construction firms should highlight industry best practices for all workers, including contractors, to follow. These range from simple measures, such as ensuring devices are locked away when they’re not being used to being suspicious of potential phishing emails. Approaching a cybersecurity strategy in the same way you would a risk assessment, ensures you are looking holistically at the potential threats to both your industry and your business. Data protection, including GDPR and protecting subcontractor information under CIS, should be at the heart of your strategy, and you’ll need to demonstrate ways to safeguard it.
RedSky’s ERP System Offers Compliance and Support
At RedSky, we take cybersecurity seriously regarding our software products. As well as being a reputable business with almost fifty years of experience, we’re a safe pair of hands for your business.
Our solutions are hosted on Microsoft Azure, a trusted cloud network and storage product. Thanks to this, we can manage any backups, upgrades and patches as part of our service. Moreover, Azure also prevents denial of service attacks and has a strong firewall and monitoring services.
As part of its service, Azure features a built-in protection threat function that detects suspicious activity. Depending on the industry’s needs, this can be tailored to meet individual security requirements, ensuring potential vulnerabilities are protected from the start. This enables security features, such as conditional access or multi-factor authentication and risk detection.
If you’re looking for a secure ERP system to house your data, try RedSky today. We’re also happy to answer any additional cybersecurity questions about our product suite.