Cybersecurity: A business threat for Contractors

Recent strides in the construction industry to automate processes—such as accounting, project management and Building Information Modeling (BIM) software—introduces a corresponding set of new cyber risks. Contractors are vulnerable to the same cyber threats that impact any industry—including phishing scams, ransomware attacks and distributed denial of service, to name a few. While larger construction firms have taken measures to increase cybersecurity, many small to mid-sized companies aren’t fully aware of what threats they could face, or how to start hedging against them.

Compared to the financial services and healthcare industries, construction companies may not seem like a prime target for hackers, but documented cyber attacks have proven otherwise. Nine construction companies reported experiencing cyber attacks in 2015, an increase from just three incidents the prior year, according to the 2016 Verizon Data Breach Investigations Report.

In addition to proprietary employee data, other potentially vulnerable information includes sensitive client data, tenant personally identifiable information (PII) and non-public material information. Construction firms also house computer-aided design (CAD) drawings and blueprints to sensitive buildings, which hackers can exploit to inflict physical damage. From a national security perspective, firms involved in the construction of sensitive government facilities, critical infrastructure or even facilities for emergency management, public health or medical providers, could also be vulnerable to a cyberattack that might jeopardize those services.

Cybersecurity vulnerabilities in the construction industry are compounded by the growth of cloud computing and the Internet of Things (IoT). For example, as contractors move management and accounting software to the cloud, employees can access those systems on their personal devices. A breach occurring at the personal level, without the proper cybersecurity, could have severe implications for the larger cloud-based ecosystem. The same principle applies for the growing demand for smart devices, such as heating and cooling systems. With increased connectivity, the security and/or vulnerability of each individual device factors into the whole system’s integrity.

Cyber under-investment and negligence can cause real financial harm to construction companies. Here are the two key ways lax cybersecurity could turn into a business problem before a breach takes place. 

  1. The company can’t survive an initial cyber vetting.

New York’s Department of Financial Services (NYDFS) recently issued the “first-in-the-nation” cybersecurity regulation. Under this guidance, financial institutions are required to implement written third-party cyber risk policies and confirm strong due diligence practices are used to evaluate the adequacy of third parties’ cyber practices. Contractors are increasingly asked to demonstrate sound cybersecurity practices, whether under a law such as the NYDFS cybersecurity regulations or as an emerging best practice. In addition, the standardization of third-party cyber risk assessments makes it easier than ever for companies to vet third-party vendors and contractors. Construction companies that either lack these internal controls or are unable to effectively communicate them may be unable to survive many request for proposal (RFP) processes—or may even be ineligible to participate or prequalify for a project owner.

  1. Your competitors offer more security.

All other things being equal and given the financial and reputational fallout from a cyber incident, clients will opt to entrust their data to contractors with strong, documented cybersecurity practices. To protect their own reputations, decision makers within the client’s enterprise are likely to place a high priority on this issue, making cybersecurity an important differentiator in the marketplace.

Companies of all sizes are at risk. In 2015, 43 percent of cyberattacks were against small businesses with less than 250 employees, according to data from Symantec. The reputational and fiscal damage resulting from a cyberattack is far more impactful for small businesses. In fact, a Cyber Security Alliance study found that 60 percent of small businesses that experience a substantial cyberattack are permanently put out of business within a six-month period. Cybercriminals may specifically target mid-sized and smaller construction companies, which may not have prioritized cybersecurity like their larger counterparts. Further, it may pose a risk to large general contractors who rely heavily on smaller subcontractors, who may not have properly assessed their cybersecurity.

As the construction industry ventures into the technological realm, companies can’t afford to ignore cybersecurity. The first step to strengthening cybersecurity is conducting a risk assessment to understand a company’s vulnerabilities and business risks. Once contractors have a baseline understanding of their cybersecurity needs, they can shore up their policies. Being able to demonstrate a commitment to strong cybersecurity practices is becoming a key issue for today’s contractors, even if they’ve never experienced a data breach.

By Christopher Mellen and Ian Shapiro, BDO USA, LLP. This article originally appeared in BDO USA, LLP’s “Real Estate and Construction Monitor” newsletter (Spring 2017). Copyright © 2017 BDO USA, LLP. All rights reserved.

 I'd like to speak to a Construction CPA.


Tagged Construction, Cybersecurity