News
January 8, 2025

Cybersecurity Risks in Construction & How to Protect Your Business

Caroline Raffetto

Most construction firms are diligent about securing their physical tools from theft and damage on job sites.

But what about securing your most vital tool: your IT systems?

As the construction industry becomes more dependent on digital technologies, it is increasingly vulnerable to cyberattacks. This growing threat is exemplified by the recent exposure of a significant vulnerability in a commonly used construction accounting software product, highlighting the sector’s susceptibility.

How Cyberattackers Are Targeting Construction Firms

Ransomware

These attacks encrypt a company’s data and demand payment for its release, leading to costly downtime and potential financial damage.

Phishing

Cybercriminals often use deceptive emails to trick employees into revealing sensitive information or downloading malicious software. These emails can seem trustworthy, making them hard to spot.

Business Email Compromise (BEC)

In BEC schemes, attackers pose as company executives or vendors, deceiving employees into transferring funds or disclosing confidential information.

Data Theft

Hackers seek valuable construction data, such as intellectual property, financial details, and personal employee or client information, for resale or use in further attacks.

Siegeware

A newer risk, siegeware targets smart building technologies, giving attackers control over critical systems. This can lead to operational disruptions and pose significant safety risks.

Why Cybersecurity Is Critical for Construction Companies

Widespread IT Use

Construction companies rely on IT systems for operations just like any other business. Tools like email, shared files, and accounting software are just as essential to running a construction business as heavy machinery. Consequently, they are vulnerable to traditional cyberattacks.

Digital Transformation

While innovations like Building Information Modeling (BIM), Internet of Things (IoT) devices, and smart buildings have revolutionized construction, they also present new cyber risks.

Sensitive Data

Construction businesses manage highly sensitive data, including project blueprints, financial records, and personal details of clients and staff. A breach could result in severe repercussions, such as financial losses, legal penalties, and reputational damage.

Operational Disruptions

Cyberattacks can halt construction progress, causing delays and escalating costs. For instance, ransomware can lock key systems, pausing work until a ransom is paid. This can lead to expensive downtime and missed deadlines.

Additional Cybersecurity Challenges

Companies may face even greater risks if they encounter the following issues:

Limited Resources

Smaller companies may lack the budget or expertise needed to implement effective cybersecurity defenses, making them more vulnerable.

Lack of Awareness

If employees are not well trained on cyber risks and best practices, they are more likely to fall victim to phishing or BEC attacks.

Insufficient Security Measures

Without dedicated IT staff or advanced security systems, companies become easy targets for hackers.

How to Protect Against Cyber Risks

To safeguard against cyber threats, construction companies must take proactive measures, regardless of their size. A tailored cybersecurity strategy should be developed based on each company’s specific needs.

At the very least, any strategy should include:

Employee Training

Regular cybersecurity training can help staff recognize phishing attempts and other common threats.

Access Control

Restricting access to sensitive data ensures that only authorized personnel can view or modify critical systems.

Regular Software Updates

Keeping all systems up to date prevents attackers from exploiting known security gaps.

Incident Response Plans

A clear, well-practiced response plan enables companies to react swiftly to cyber incidents, minimizing damage.

“At CohnReznick, we routinely work with construction companies of all sizes to help them understand their unique cybersecurity challenges, then take proactive measures to protect themselves, their operations, and their data against cyber threats. We also help organizations that are experiencing a cyberattack repel the attack, resume business operations, and reduce their legal risk.”

For questions or to enhance your company’s cybersecurity posture, contact David Sun at David.Sun@CohnReznick.com.

As a leading advisory, assurance, and tax firm, CohnReznick helps forward-thinking organizations achieve their vision by optimizing performance, maximizing value, and managing risk. With offices nationwide, including Greater Washington, the firm serves a variety of industries including construction, government contracting, hospitality, not-for-profit, renewable energy, and more. For more information, visit www.cohnreznick.com.
