The philosophy of risk and reward is a balance of opposites that goes back to the days of Heraclitus. Although he didn’t spend much time on construction sites, his idea that everything is constantly changing, and every change brings with it new risks, could accurately describe most construction sites.
Changing schedules, adverse weather, financial constraints, labour and material shortages: the list is almost endless. Add the growing threat of ransomware, cyber warfare and the theft of sensitive information and you have a pretty toxic cocktail. According to Statista, 66 percent of organisations worldwide reported being hit by a ransomware attack between March 2022 and March 2024.
AEC firms (Architecture, Engineering and Construction) are particularly vulnerable and at risk of financial, legal, and reputational damage because they operate in an industry dominated by remote management. The reality is that a distributed workforce creates a greater risk of a cyberattack than an onsite office-type environment.
The exposed flank of AECs stems from the large proportion of business done remotely. Sending and receiving information online exposes companies to risk, but there are measures that can be taken to mitigate the threats.
Simple Precautions for Peace of Mind
As cyberattacks are no longer distant and remote, it has become critically important for construction companies to measure the resilience of their in-house security functions.
Simple security measures are quick to implement. Use long, unique passwords for every account (a password manager makes this painless) and change a password as soon as you suspect it has been exposed, rather than rotating it on a fixed schedule, which mostly produces predictable variations of the old one. Likewise, keeping your operating systems and applications patched closes the known vulnerabilities that most attacks rely on.
The digital world does create stress and make increasing demands on our time, but don’t let that tempt you to let down your guard when it comes to emails. Be very careful with emails you don’t recognize, and adopt a zero-trust policy with them.
Your mobile phone is also a target. Keep the device and its apps updated, install only apps from the official store, and be mindful of the dangers of public Wi-Fi, especially if you have no VPN installed.
If you haven’t already, now is a good time to start using a VPN. It encrypts all traffic between your device and the provider’s server, so nobody on the coffee-shop network can read or tamper with it. If localization matters to you, pick a VPN with plenty of servers to choose from. For example, if you live in Calgary and want a Calgary IP address, look for a provider with many Canadian servers so you can select your specific city. Above all, pick a trustworthy provider: a VPN only moves the point of trust from the local network to the provider, which can see every connection you make through it.
Have a comprehensive policy in place that informs and trains staff not only on the various forms of cyberattack but also on the steps to follow the moment they suspect a security breach, including whom to report it to. Train staff regularly and check that they actually follow the policy.
Risks Related to Cybersecurity Threats
Apart from the obvious risk of financial loss due to the ransom payment to return data, several other costs make the threat of cybercrime so serious and financially crippling.
Losing drawings and the associated intellectual property is probably the most time-sensitive threat to the AEC industry, because a site cannot wait while they are recreated. Along with the cost of rework and the production delays that follow, the reputational damage in the eyes of customers, suppliers and the public presents a significant risk to construction companies.
Additional costs that may result from a cyberattack include those associated with:
- Investigating the incident, containing it and preventing further losses arising from the breach.
- Third-party liability for injuries or deaths resulting from the security breach, for example where site systems or safety documentation are affected.
- Reputational damage, which may extend to stock-price declines or reduced sales.
- Claims by third parties, including clients and partners, for security and privacy breaches involving their data.
Some Common Types of Cyberattacks
There is a common misconception among smaller AEC firms that they are immune from cyberattacks because far more valuable targets offer cybercriminals a higher return. Sadly, most attacks are opportunistic: criminals go after whoever is vulnerable, not whoever is biggest.
Phishing is one of the most common attacks. An email carries a malicious link or attachment that, when opened, harvests the recipient’s login credentials or installs malware on their device.
Password attacks aim to recover usernames and passwords, whether by guessing them with password-cracking tools, by trying passwords leaked from other breaches (credential stuffing), or by brute force against weak ones.
Man-in-the-middle attacks (MITM) occur when a cybercriminal secretly inserts themselves into a conversation between two parties, relaying the messages between them without their knowledge and thereby reading, and potentially altering, data from both sides.
A Structured Query Language (SQL) injection attack occurs when text typed into a website field, such as a search box or login form, is pasted straight into a database query instead of being passed as a separate parameter. The attacker crafts input that changes the meaning of the query, letting them read data they should not see or, depending on the application, modify or delete it.
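The following is an added example, not code from the original article, showing the flaw just described and its fix in Python with SQLite. The table, the project names and the drawing titles are constructed for the demonstration; the attack input is the classic `' OR 1=1 --` payload.

```python
import sqlite3


def make_db():
    """Build a small in-memory drawings register (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE drawings (id INTEGER PRIMARY KEY, title TEXT, project TEXT)"
    )
    conn.executemany(
        "INSERT INTO drawings (title, project) VALUES (?, ?)",
        [
            ("Level 2 floor plan", "public-library"),
            ("Foundation detail", "public-library"),
            ("Tenant fit-out", "confidential-tower"),
        ],
    )
    return conn


def search_vulnerable(conn, project, term):
    """Search box wired the way the paragraph describes: the user's text is
    concatenated into the SQL string, so it can rewrite the query itself."""
    sql = (
        f"SELECT title FROM drawings "
        f"WHERE project = '{project}' AND title LIKE '%{term}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, project, term):
    """Same search using a parameterised query: the driver sends the user's
    text as data, never as SQL, so quotes and comment markers are inert."""
    sql = "SELECT title FROM drawings WHERE project = ? AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (project, f"%{term}%"))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    # The comment marker discards the rest of the query, and OR 1=1 makes the
    # WHERE clause true for every row, so the confidential project leaks.
    print("vulnerable:", search_vulnerable(db, "public-library", payload))
    # The same text is just a search string here, so nothing matches.
    print("safe:      ", search_safe(db, "public-library", payload))
```

The vulnerable version returns all three drawings, including the one from the confidential project, while the safe version returns nothing for the payload and behaves identically to the vulnerable one for ordinary searches. Every mainstream database library offers the same placeholder mechanism; using it consistently is the fix, not filtering quotes out of the input.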
Protecting Yourself from Cyberattacks

Installing endpoint protection lets companies defend their devices and networks against a range of attacks, from commodity malware to ransomware. These tools also provide an inventory of the devices on the network and how they communicate with each other, information that is vital when deciding what access each user and device actually needs.
By monitoring how endpoints are used, companies can segment their networks effectively and substantially reduce the blast radius of an attack.
These tools can be installed and managed in-house, with products such as Avast Business Security or Cisco Secure Endpoint, or the job can be outsourced to a third-party provider such as CrowdStrike.
Adding NGFWs (Next-Generation Firewalls), IPS (Intrusion Prevention Systems) and email and DNS filtering extends your defences beyond the endpoint to the network traffic, messages and domain lookups that attacks arrive through.
Taking it a step further, you could opt for Managed Detection and Response (MDR), which provides additional protection that covers multiple layers beyond just endpoints (i.e. network monitoring, cloud security). They also offer more extensive threat analysis and proactive threat hunting. Crowdstrike, Palo Alto Networks and FireEye are examples of a few services that do MDR. For a more detailed look at this topic read our article ‘The Importance of MDR for Construction Companies‘.
Backing up your data is critical in protecting it, and a backup is only useful if it is kept offline or otherwise out of reach of the ransomware, and if you have actually tested restoring from it. Sadly, “I should have backed up my data” is the all-too-familiar cry of the victim whose files are gone.
Implement a zero-trust access policy. Zero trust means that no user or device is trusted simply because it is on the company network or has connected before: every request is authenticated and authorised, and access is granted only to the specific resources that identity needs. It may make you unpopular with some clients and suppliers, but it contains the damage a single compromised account or laptop can cause.
Architecture, engineering and construction companies carry an additional burden in that they are compelled to operate with various companies and suppliers and share information with associated companies in joint ventures. This vulnerability makes them a prime target for cybercriminals.
Have a policy that regularly reviews the access rights and permissions of end users, so that access is restricted to what each role requires and is adjusted, or removed, as people change roles, projects finish and contractors leave.
Also ensure that 2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication) is required to access your IT systems and data. Free apps such as Authy and Google Authenticator, or hardware security keys such as a YubiKey, make the process easy. They add a few seconds to each login but they neutralise stolen and guessed passwords outright. One caveat: codes from an authenticator app or SMS can still be phished if a user types them into a fake login page, whereas hardware keys bind the login to the genuine site and resist that attack. Another bonus is that some cyber-insurance providers offer reduced premiums to companies that enforce MFA.
As with so many facets of the industry, the risk-reward balance requires a thorough evaluation of the company’s digital security. The risk of failing to install adequate security measures could be catastrophic.