Why Construction Companies Need To Worry About Cyber Risks

Building a Stronger Cyber Security System in the Construction Industry

Ransomware and business email compromise incidents are increasing and more frequently targeting the construction industry. Get the insight into how you can help protect your business.
Contributors
Matthew Magner, Head of Specialty Cyber Underwriting, The Hartford
David DeSilva, Head of Construction, The Hartford

The Importance of Cyber Security in the Construction Industry

The time when cyber risk was mostly a data breach-related issue is over. With the explosion in ransomware attacks, business email compromises, fraud and stolen credentials, cyber is now everyone’s risk. And as it continues to increase, construction companies have become a target.
 

Ransomware: The No. 1 Cyber Threat

In construction, cyber risks may not seem like a relevant issue. The construction industry may not seem like an obvious target of cyber criminals compared to industries like health care, retail or technology – but that’s changing.
 
In 2021, Canadian contractor Bird Construction and French contractor Bouygues Construction were both hit by ransomware attacks. Ransomware attacks often focus on companies that will be immediately impacted by the disruption caused by the attack. “Construction companies are likely being targeted because of their limited awareness of cyber risks and their lack of cybersecurity,” said David DeSilva, head of construction at The Hartford. “While technology is an integral part of daily business, many companies may not have adequate firewalls and protection to ward off sophisticated hackers as cybersecurity had not been top of mind.”
 
In addition, ransomware can cause a substantial interruption to the complex supply chain upon which construction projects rely. The average downtime an organization experiences following a ransomware attack is 20 days. As attacks become more sophisticated, ransom demands have gone up dramatically. Average ransom demand amounts began increasing quickly in Q4 2021 and spiked in Q4 2022, at over $400k.2
 

Construction Companies Are Prone to Business Email Compromise Fraud

A unique feature of the construction industry is the extensive use of sub-contractors and suppliers, which involves a high volume of payments flowing to and from construction companies. Additionally, construction projects are often part of a public bidding process, which publishes details about the project and the winning bidders. This makes construction companies an attractive target for business email compromise fraud: a deception scam in which cyber criminals send fraudulent email messages disguised as legitimate invoices or wire transfer requests, so that the money is transferred to the criminal’s account instead of the actual payee. Business email compromise (BEC) is one of the most financially damaging online crimes. In 2022, there were nearly 22,000 related complaints, and businesses lost more than $2.7 billion to these scams.3
 

Contractors Are Vulnerable to Having Their Credentials Stolen

Many times, contractors have open data connections with their customers for things like electronic bill paying and project management. When these connections are linked to their customers’ other important systems, it creates an environment for cyber attackers who’d like nothing more than to steal as much information as they can. And once they have the contractor’s credentials, those cybercriminals can take valuable information from the contractor’s customers.
 

What Can Construction Companies Do To Protect Themselves From Cyber Threats?

Everything has to start with cyber risk awareness and understanding what the financial impact can be to the business in the event of a successful attack. Social engineering continues to be an integral part of many attacks simply because it’s the path of least resistance. As it relates to business email compromise fraud, it’s the main attack method.
 
When it comes to ransomware attacks, criminals exploit a number of critical vulnerabilities in systems and applications that are used by most businesses, such as Microsoft’s operating system and VPN applications for remote access. Matthew Magner, head of specialty cyber underwriting at The Hartford, explained the gravity of the impact cyber-attacks can have on a business. “The impact of ransomware is not limited to ransom payments and clean-up costs but may also include reputational damage.”
 
Outside of standard technical cybersecurity protections, the following measures can greatly reduce construction companies’ exposure to cyber threats:
 
  • Employee cyber risk awareness training, including anti-phishing exercises.
  • Requiring strong passwords and using multi-factor authentication for users with access to critical data and applications or involved with wire transfer changes or approvals.
  • Having a procedure in place to authenticate the legitimacy of requests for payment and changes to wire transfer instructions.
  • Maintaining good open port hygiene and only running those operating system services that are absolutely required for the network operation. Remote desktop protocol is an example of a commonly exploited service in ransomware attacks that is rarely critical to operations and should be shut off.
  • Ensuring that critical vulnerabilities are patched within 30 days of release by the vendor.
  • Maintaining frequent back-ups and encrypting or storing back-ups off-line to prevent cyber criminals from encrypting or destroying the back-up as part of the attack.
  • Using VPN for remote access. For organizations with remote users, the VPN provides a secure channel through the Internet to the organization’s private network.
  • Preparing for the worst with an incident response plan (IRP). This prescribes the way a business will respond to and manage the effects of a security attack.
  • Properly configured SPF and DKIM DNS records for the company’s email domains, so that receiving mail servers can reject messages that spoof the company’s sending addresses.
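The SPF measure above is easy to get wrong: a record that ends in `+all` or `?all` authorizes any host to send as the domain, which is what a BEC invoice spoof relies on. The following added example (not The Hartford’s code) evaluates an SPF TXT record offline, flagging permissive `all` qualifiers and records that exceed the ten-lookup limit in RFC 7208; the two records for the fictitious contractor domain are constructed, not real DNS data.

```python
"""Classify the strength of an SPF TXT record in RFC 7208 terms (offline)."""
import re
from typing import Optional

MAX_DNS_LOOKUPS = 10  # RFC 7208 s.4.6.4: more than ten lookups is a permerror
# Mechanisms and modifiers that each cost one DNS lookup during evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def classify_spf(record: Optional[str]) -> dict:
    """Return verdict ('missing', 'invalid', 'permissive', 'softfail',
    'hardfail' or 'neutral'), the DNS lookup count and a list of issues."""
    if not record:
        return {"verdict": "missing", "lookups": 0, "issues": ["no SPF record"]}
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"verdict": "invalid", "lookups": 0, "issues": ["missing v=spf1"]}

    issues, lookups = [], 0
    verdict = "neutral"  # no 'all' term at all behaves like '?all'
    for term in terms[1:]:
        has_qualifier = term[0] in "+-~?"
        qualifier = term[0] if has_qualifier else "+"   # default qualifier is '+'
        body = term[1:] if has_qualifier else term
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            verdict = {"-": "hardfail", "~": "softfail",
                       "?": "permissive", "+": "permissive"}[qualifier]
            if qualifier in "+?":
                issues.append(f"'{term}' lets any host send as this domain")
    if verdict == "neutral":
        issues.append("no 'all' mechanism; unlisted senders are not rejected")
    if lookups > MAX_DNS_LOOKUPS:
        issues.append(f"{lookups} DNS lookups exceeds the limit of {MAX_DNS_LOOKUPS}")
    return {"verdict": verdict, "lookups": lookups, "issues": issues}


# Constructed records for a fictitious contractor domain (not real DNS data).
SAMPLE_RECORDS = {
    "weak":   "v=spf1 include:_spf.example-mail.test +all",
    "strong": "v=spf1 mx include:_spf.example-mail.test -all",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        print(label, classify_spf(rec))
```

A `hardfail` verdict with no issues is what a receiving server needs in order to reject spoofed invoices outright; `softfail` only asks it to treat them with suspicion.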

The Hartford’s Cyber Insurance Offering

“A comprehensive cybersecurity strategy and incident response plan helps ensure the appropriate processes and technology are in place to help mitigate risk,” said Magner. Even with strong security in place, businesses can still fall victim to costly cyberattacks. That’s why cyber risk coverage is important to help protect a business.
 
As a policyholder of The Hartford, CyberChoice customers can receive complimentary ransomware prevention services. These services can help protect businesses against phishing attacks and open-port vulnerabilities, which are the root causes of nearly 90% of ransomware attacks.
 
CyberChoice customers can access:
 
Bitsight reporting, which can help businesses identify and address open-port vulnerabilities. The report provides a measurement of a company’s cybersecurity performance. Customers can get a complimentary consultation with Bitsight to help them understand and respond to the results. Be sure to check the box to request a complimentary Abacode consultation.
 
After receiving your report, an Abacode expert will contact you to initiate your complimentary Abacode Cybersecurity Improvement Consultation, available to The Hartford’s Cyber Risk and Technology policyholders. This consultation interprets the BitSight report and assists your organization by defining which improvements will be most effective in the defense against most common cyberattacks.
 
For more information, visit our CyberChoice product page.
 
1,2 “Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments,” Coveware, July 2023
3 “Internet Crime Complaint Center Releases 2022 Statistics,” Federal Bureau of Investigation, March 2023
 
The information provided in these materials is intended to be general and advisory in nature. It shall not be considered legal advice. The Hartford does not warrant that the implementation of any view or recommendation contained herein will: (i) result in the elimination of any unsafe conditions at your business locations or with respect to your business operations; or (ii) be an appropriate legal or business practice. The Hartford assumes no responsibility for the control or correction of hazards or legal compliance with respect to your business practices, and the views and recommendations contained herein shall not constitute our undertaking, on your behalf or for the benefit of others, to determine or warrant that your business premises, locations or operations are safe or healthful, or are in compliance with any law, rule or regulation. Readers seeking to resolve specific safety, legal or business issues or concerns related to the information provided in these materials should consult their safety consultant, attorney or business advisors. All information and representations contained herein are as of January 2021.
Links from this site to an external site, unaffiliated with The Hartford, may be provided for users' convenience only. The Hartford does not control or review these sites nor does the provision of any link imply an endorsement or association of such non-Hartford sites. The Hartford is not responsible for and makes no representation or warranty regarding the contents, completeness or accuracy or security of any materials on such sites. If you decide to access such non-Hartford sites, you do so at your own risk.
 
The Hartford Financial Services Group, Inc., (NYSE: HIG) operates through its subsidiaries, including the underwriting company Hartford Fire insurance Company, under the brand name, The Hartford,® and is headquartered in Hartford, CT. For additional details, please read The Hartford’s legal notice at https://www.thehartford.com.
The Hartford Staff
Our editorial team spans writers, researchers, product specialists and subject matter experts. We cover the intersection where best practices and business insights meet.