September/October 2019
Communities: Construction
Construction Firms Face Risk of Cyberattacks

As the construction industry evolves through internet-connected solutions and remotely accessible systems such as building information modeling, telematics, and project management software, the number of opportunities for hackers to launch cyberattacks increases.
However, many construction companies do not consider data security a top concern, partly because many owners, contractors, and engineers believe that online criminals wouldn’t find their information worth stealing. But that perception is quickly changing.
A recent survey by market research firm Forrester shows that more than 75% of respondents in the construction, engineering, and infrastructure industries had experienced a cyberincident within the last 12 months. And in 2016, almost half of all cyberattacks targeted small businesses with fewer than 1,000 employees.
In 2018, phishing attacks increased by more than 250%, and the former head of the Department of Homeland Security, Kirstjen Nielsen, called cybersecurity the number-one threat to US businesses.
Brian Hunt, a managing principal of the Hunt Law Group and a trial lawyer based in Centreville, Virginia, believes that many business owners and contractors do not understand the kinds of information that hackers might find valuable.
“Construction firms have access to a wealth of information, including intellectual property, proprietary assets, architectural specifications and schematics—not to mention details about clients and employees’ personal information and corporate banking and financial records,” Hunt says.
In May, a church in Brunswick, Ohio, was hacked following a $5.5 million renovation with a local construction company. Hackers were able to change routing numbers via the church’s email system and redirect a $1.7 million payment.
Upon deeper investigation, the FBI found that the hackers were able to access two employee email accounts to watch the conversations between the church officials and the construction company. They were able to track due dates, amounts due, and even the tone of the emails between the two parties. While the church has filed a claim with its insurers, there are many similar cases where insurers deny the claim because an employee haphazardly authorized the transactions.
One of the problems with fighting cybercrime is that construction firms often fail to take preventive steps until after the first attack occurs. Hunt has worked with Aon Risk Services Inc. to present his experiences with cybercrime to construction and engineering firms and to spread awareness of its dangers. Making people aware of the issue and educating firms, he says, is one of the most important ways to effectively combat attacks.
“So many times, companies will only recognize what went wrong after the fact,” Hunt says. “Construction companies should, at a minimum, utilize updated firewall and antivirus software. They can also continuously update company and employee passwords, encrypt vital data, set different permission levels so that, for example, a construction site worker can’t access financial and accounting information. But most importantly, companies need to educate themselves and their employees about IT rules and safe internet practices, like avoiding junk websites and phishing emails.”
Hunt also cautions firms about the use of on-site construction trailers and storing valuable information and technology inside.
“First, construction trailers aren’t exactly Fort Knox,” Hunt says. “Firms need to be more mindful about the valuable technology stored on jobsites. Number two, in 2019, stakeholders, contractors, and jobsite workers all use mobile devices, which offers increased access points to their network. While it might seem obvious, not only should your network and data be secured but physical buildings and jobsite trailers too.”