Don’t be a cyber victim

Colin Donnellon of Clear warns construction firms that it’s time they woke up to the real threats posed by cyber attacks, as they are more vulnerable than ever due to growing reliance on digital tools and electronic transfers; and wonders why only 21% of board members oversee cybersecurity issues.

Despite the growing number of cyber attacks, UK-based construction companies still aren’t getting the message: they are just as vulnerable to attacks as any other sector, and cybercriminals see them as lucrative, soft targets.

High-profile incidents, such as the cyber attacks on Bam Construct and Interserve, have highlighted the sector’s susceptibility. Yet, many construction firms continue to underestimate the threat they face. A Government study has revealed that construction companies are among the most likely to fall victim to cyber fraud.

It’s time therefore that the construction industry woke up to the reality of cyber threats. The stakes are high, and the consequences of just carrying on as normal could be devastating.

Falling behind

The 2023 survey commissioned by the Government on cyber security breaches has revealed a concerning trend: construction businesses are falling behind in online protection, resulting in higher rates of fraud. Defined in the study as “fraud involving deception for financial gain,” these attacks often employ methods such as ransomware, viruses, spyware, malware, hacking, or phishing.

The survey found that 5% of building firms reported falling victim to cyber fraud in the past year. Alarmingly, only 21% of construction companies have board members responsible for cybersecurity, which is lower than almost every other sector. The report goes on to reveal that 26% of construction companies do not have adequate software security update policies or ‘patch management,’ representing a higher proportion than most other industries.

Other protective measures recommended by the Government include the use of VPNs, firewalls, up-to-date malware protection, separate guest and staff Wi-Fi networks, and data backups.

For construction firms, the risks associated with cyber attacks are manifold – operational, reputational, and legal. Construction companies rely heavily on their supply chains, and any disruption, including those caused by cyber-attacks, can significantly impact project delivery, leading to lengthy delays and increased costs.

From a reputational standpoint, a cyber-attack can have far-reaching consequences too. If malware spreads beyond the company or if confidential data is leaked, it can impact suppliers and clients, further damaging the company’s reputation.

A data breach can also put a firm in hot water with the General Data Protection Regulation (GDPR), which requires businesses to keep data secure and confidential. This includes sensitive information about other businesses, employees, and clients.

If a data breach happens, the firm responsible could face fines and penalties for violating GDPR, even if the breach was due to a cyber attack. Additionally, the firm may have to notify individuals whose data has been compromised, a process that can be both costly and time-consuming, especially in large-scale breaches.

Threat of fraudulent EFTs

Electronic fund transfers (EFTs) are a lifeline for construction firms. They offer a fast and secure way to move large sums of money, which is crucial for paying suppliers, subcontractors, and other stakeholders. They also simplify international transactions, enabling construction companies to source materials and services from around the world. While the speed and reliability of EFTs help maintain cash flow and keep construction projects on schedule, they are also digital, making them highly susceptible to cyber-attack.

Typically, cybercriminals will use social engineering techniques to trick employees into authorising fraudulent EFTs. This can involve impersonating a trusted contact or creating fake email addresses that appear legitimate.

As soon as a fraudulent EFT is completed, the funds are quickly moved to offshore accounts, making it difficult to recover them. This can result in substantial financial losses for construction firms and disrupt their financial operations by delaying payments to suppliers and subcontractors, which can, in turn, delay project timelines.

The fallout from transacting fraudulent EFTs can be highly detrimental, leading to reputational damage among clients and partners. Furthermore, construction firms may face legal and compliance challenges if they fail to protect sensitive financial information, potentially resulting in fines and regulatory scrutiny.

Rebuilding after a cyber attack

Preventing a cyber event isn’t always possible, but being prepared can make all the difference. For construction companies, specialised cyber insurance policies are invaluable. They cover various cyber risks such as data breaches, ransomware attacks, and fraudulent EFTs. 

A cyber insurance policy can also cover financial losses from cyber incidents, including investigation costs, legal fees, and potential fines for violating data protection regulations like GDPR, as well as the costs of notifying affected individuals and providing credit monitoring services. These policies can also provide access to specialised incident response teams that can manage and mitigate the effects of a cyber attack by identifying the breach source, containing the damage, and restoring systems.

Moreover, cyber insurance helps protect a firm’s reputation by covering public relations efforts to manage the repercussions of a cyber incident, such as communicating with clients, suppliers, and other stakeholders to reassure them that the firm is taking appropriate measures.

It’s time to heed the warnings

It’s no secret that the UK’s construction industry is facing a multitude of challenges. Labour shortages, rising costs, economic uncertainty, and the push for sustainability – including the ambitious goal of net-zero carbon emissions by 2050 – are all headwinds the sector must weather. So, tackling the threat of cybercriminals who view the industry as an easy mark might not be a top priority. 

However, cybercriminals are opportunists who, frankly, don’t care about the industry’s woes. They are simply on the lookout for vulnerabilities like outdated software, lack of employee training, and insufficient data protection that they can exploit. Construction firms, therefore, really need to take these threats seriously and beef up their cyber defences. This includes getting comprehensive cyber insurance and treating the current digital environment with the urgency it deserves. Otherwise, one day a ransomware attack could cripple their operations, leaving them struggling to recover and rebuild, without support.

Colin Donnellon is development director at Clear