Building Back Safer: Why Construction Firms Need to Tackle Mounting Cyber Threats

As digital investment transforms the construction sector, threat actors are paying attention, finds Phil Muncaster

In a sector focused on building physical things, digital threats have often played second fiddle to physical risks on-site. But that’s changing as IT modernisation expands the cyber attack surface, and threat actors cast their net wider for potential victims and points of weakness. In fact, a report from last year reveals the construction sector was the most targeted by cyber criminals in 2022-23.

Against this backdrop, IT and security leaders in the sector may need to reevaluate the role that cyber plays in their business and the tools they should use to manage mounting cyber risk effectively.

Construction goes digital

For a long time, construction businesses have been supported by legacy technology, with cybersecurity historically treated as little more than an IT risk. Many organisations in the sector now see IT as a potential competitive differentiator. They may use computer-aided design (CAD), 3D modelling tools and simulation software at the design stage, collaboration platforms for sharing project information, and drones and GPS equipment once construction starts. That’s not to mention the mobile devices, back-end cloud, and on-premises systems used to store and manage critical data. All of which present an attractive target for would-be hackers.

Increasingly, firms in the sector are also tasked with constructing smart buildings that may feature building management systems (BMS), building automation and control systems (BACS) or building energy management systems (BEMS). These must be engineered in a secure and compliant manner.

No such thing as too small

The default setting for many IT leaders in the sector has historically been “We’re too small and unimportant for threat actors to bother with”. That is a dangerous assumption to make today, at a time when as many as a third of corporate ransomware victims have less than 100 employees. And then there’s the nation-state threat.

There were over 200 ransomware victims worldwide in the construction sector from October 2021 – May 2023

“Even if you don’t think you’re large enough to be of interest to foreign governments, you should understand the value you might represent. Perhaps you work with larger organisations (or on government projects) who are their main target,” warns the National Cyber Security Centre (NCSC) in guidance for the construction sector.

There’s plenty of interest for threat actors – whether they’re financially motivated opportunists or have more targeted motives in mind. They could be after information on bids or building design, contracts and financial information, or personally identifiable information (PII) and employee financial details. The NCSC also warns that the “extensive use of sub-contractors and suppliers involving large numbers of high-value payments” makes the industry an attractive target for business email compromise (BEC) scams.

Various reports suggest that such threats are far from theoretical. Akamai claims in a 2023 study that there were over 200 ransomware victims worldwide in the construction sector from October 1, 2021 – May 31, 2023, making it the fourth worst-hit vertical. In EMEA, it also placed fourth. Separately, ReliaQuest reveals in its 2023 annual threat report that construction was the most breached sector last year, with any one business in the vertical suffering an average of 226 separate incidents. A third study, from Ontinue, analyses data collected from 600,000 endpoints to reveal that 23% of ransomware breaches happened in the construction sector last year, second only in volume to the IT industry.

Exposed on all sides

Everything from PCs and mobile devices to software assets, sophisticated site equipment, and digital systems installed within buildings could be a target. As are the men and women who operate this technology. Targeted systems may offer a pathway to sought-after data or a means to extort money. But not all attacks are digital. The NCSC also warns that expensive equipment may be stolen from on-site offices and vehicles for resale, as well as the data they contain.

This cyber-related risk comes with a mounting cost attached. Data breaches and the prolonged service outages that can stem from ransomware often result in significant financial and reputational damage. UK construction company Interserve was fined £4.4m by the Information Commissioner’s Office (ICO) after a ransomware breach, which the data protection regulator said could have been prevented.

The same financial and reputational impact can come from successful BEC attacks. British multinational Arup recently made for all the wrong reasons after an employee mistakenly wired £20m to scammers following a deepfake attack. Reputational damage can have a lasting impact if it prevents companies from winning new tenders.

Building resilience

Andy Black, CISO at construction giant Sir Robert McAlpine, tells Assured Intelligence that hybrid working exposes organisations to an elevated risk of phishing and breaches.

“Common threats are phishing attacks targeting employees for credential theft, which can lead to data breaches or financial fraud. Or more sophisticated attacks such as ransomware to disrupt operations. However, the traditional corporate perimeter no longer exists as our wider ecosystem of third-party supply chain partners adds complexity to the digital landscape,” he explains.

“Cybersecurity is a shared responsibility, so employee training and awareness programmes play a pivotal role in fostering a cybersecurity-conscious culture, while secure supply chain practices and due diligence on third-party vendors bolster resilience. Developing and regularly updating an incident response plan, alongside conducting simulations to test its effectiveness, ensures swift and effective responses to cyber incidents.”

Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, warns that M&A activity can often lead to unmanaged assets or parts of the network, which threat actors exploit.

“Common threats are phishing attacks targeting employees for credential theft, which can lead to data breaches or financial fraud” Andy Black

“The best measure CISOs can take is to remediate the low-hanging fruit often exploited in the early stages of an attacker’s kill chain,” he tells Assured Intelligence. “Ensure that secure email gateways are configured to minimise phishing emails from arriving in employees’ inboxes, close off any unnecessarily exposed instances of remote services such as RDP, and ensure multi-factor authentication is used across any externally facing systems. Remediate high-risk vulnerabilities promptly.”

For Akamai advisory CISO, Steve Winterfeld, a zero-trust approach is a no-brainer.

“By placing a clear focus on controlling access to and segmenting their network, not only do CISOs reduce the likelihood of malware entering their network, but they also ensure there is a robust plan in place to limit the blast radius of any successful attacks,” he tells Assured Intelligence.

“Organisations can also implement the principle of assumed breach. This means treating every inbound request as hostile and ensuring no request is granted without full authentication and authorisation. This approach also empowers organisations to identify and secure their most valuable and sensitive data, mitigating the damage a future attack could cause.”

Safeguarding reputation through insurance

Amid this volatility, cyber insurance is becoming an increasingly popular way to proactively “help safeguard our reputation and preserve client confidence”, according to Sir Robert McAlpine’s Black.

“The premium for cyber insurance can be quite high, especially for SMEs. Yet its merits far outweigh the costs,” he argues. “We are also now seeing policies incorporating additional value-added services such as risk management, cybersecurity and employee training, simulation exercises and incident response planning, which improve our overall security posture and reduce potential risk.”

The mere acquisition of cyber insurance also mandates a higher cybersecurity posture, states Akamai’s Winterfeld.

“We are also now seeing policies incorporating additional value which improve our overall security posture and reduce potential risk” Andy Black

“It’s worth noting that insureds will need to prove to their insurance carrier that they are doing their part to prevent such attacks or risk a substantial increase in their cyber insurance premium,” he adds.

Ed Ventham is head of cyber broking at Assured. “We’ve seen an uptick in the number of construction firms who are required to have cyber insurance to meet a contractual requirement,” he says. “We’ve also noted an uptick in claims specifically within the construction sector, so all evidence points to construction being a targeted sector. Insurers will be monitoring this, and we expect scrutiny on controls because of this.”

Ventham doubles down on Sir Robert McAlpine’s Black’s views on the power of a good insurance product. “The value isn’t just in the risk transfer though; the incident response capability and additional services provided (for example, tabletop exercises, cyber risk consultation, domain scanning tools) have been landing well with construction firms who have been looking for a holistic approach to their cyber risk management. Aligning security with insurance is the best way to improve cyber resilience and there are an increasing number of insurers who can offer that.”

According to historic claims data, construction firms have been seen as ‘easy targets’, Ventham adds. “Recently we have seen a real shift in this attitude at the insureds level. Investment into security has been much better, and the skillset of the people managing the IT and security of the construction firms has greatly improved. This has helped with construction companies getting access to the better insurance providers.”

The bottom line is that construction sector contributes 9% of the entire UK workforce and 7% of UK GDP, according to the Royal Institute of Chartered Surveyors (RICS). It’s time to recognise the sector as a major target for threat actors and start taking steps to ensure it’s not also a soft target.