Fraud protection a must for construction industry

You’re a construction contractor, so there’s no need to worry about computer hackers or cybersecurity thieves beyond installing basic computer security. After all, what are hackers going to find out, how many bricks you ordered?

This approach to cybersecurity can, and very likely will, seriously wound or even kill a construction company. The risk applies to every electronic device a company uses: desktop computers, laptops, smartphones, and anything else that can be broken into electronically.

Construction companies are increasingly targeted by cyber criminals, who are quite often very smart people who have dedicated their lives to destroying yours. It’s not personal, it’s business: they don’t care about you. They want your money and information and they’ll spend all day, every day, figuring out how to get it.  

What information might criminals be after?

  • W-2 forms
  • Tax information
  • Financial records and account numbers for your company, subcontractors, and clients
  • Billing statements
  • Social Security numbers
  • Employee medical information

That’s a partial list. Even information you might think is uninteresting, such as a building plan, could be valuable to a hacker. Additionally, if a damaging intrusion is successful it could expose you to legal liability from persons or companies harmed by the breach. The list of criminal acts is long and getting longer. Among the most prevalent are:

  • Phishing and spear phishing: In phishing, a fake – but remarkably authentic-looking – e-mail from a company with which you do business requests information about employees or payment. Spear phishing is the specific targeting of a person or business to steal information or plant malware (malicious software).
  • Ransomware: thieves break in and encrypt your data, then demand payment in exchange for returning your information unencrypted.
  • Extortion: thieves steal valuable, embarrassing, proprietary, or some other form of information and demand payment or they’ll make it public.
  • Unscrupulous competitors: what might they find or learn if they were to get into your computer system?

Even your computer’s webcam can be used against you by an effective hacker, as The San Diego Union-Tribune reported: “This week, web-surfers could watch scientists in a lab at UC San Diego, employees talking at a nearby construction company, and the inside of a house filled with musical recording equipment.”

Various types of attacks aren’t a matter of a thief or scammer coming straight at you. Instead, they come through a side door of which you’re unaware. A report on several construction-related companies that were hacked for possible capture of W-2s illustrates that companies are vulnerable even through the actions of another player, as this company’s message to employees stated:

“This information was stolen through a sophisticated social engineering scheme in which an outside party posing as another person convinced an employee of Central Concrete Supply to provide copies of the documents by email on February 23, 2016. The data was not obtained through any breach of the Company’s information technology systems.” 

The famous breach of Target stores was accomplished by cyber criminals who gained access to Target’s systems through an HVAC vendor.

The problem is relentless. Here are 8 proactive steps construction companies can take now:  

1. Install the latest cyber protection software and keep it current. Keep security patches updated. However, be cautious even here, as fake patches have been used to plant malware. Does the message ask you to click on a link, or for a password or other confidential information for “security purposes”? If so, it may well be fake.

2. Education for management and staff. You want to spend time discussing existing and future projects. Nevertheless, to protect both, you and your staff must be able to recognize suspicious cyber activities. The more you know, the less the thieves can profit.

3. Investigate the security levels of companies and individuals that have any electronic access to your systems. If their security protections are lax, it puts you in danger.

4. Keep to a minimum the number of staff members who have access to your sensitive information and assign responsibility to back up your data, preferably daily. This is a good defense against ransomware, for example. Keep data in a secure, separate location.

5. Build electronic defensive fortifications. Think of information as your treasure, and around your treasure you install or build cyber searchlights, firewalls, electrified fences, and vaults. Two-step, or two-part, identification is helpful. Two-step identification uses text or code in addition to a strong (note strong) password. Even if a cyber-criminal figures out a password, the second step bars the door.

6. Never click on a link in an e-mail from a friend or associate if it asks you to do so to see something important, or valuable, or critical. If there’s any doubt, take the old-fashioned approach and call the other person to verify the message.

7. Contract with experts – really expert experts – to audit your systems to see where vulnerabilities exist. If they can find them, so can thieves.

8. Check into insurance for protection against the variety of problems and damage caused by cybercrime.

Think of it this way: as a construction company, you’re constantly preaching safety. You protect your employees, building, tools, and equipment. Cybercrime protection is another such measure. It’s frustrating, aggravating, and perhaps even discouraging, but highly necessary.

