How to Protect Against the Threat of Cyberattack

Cyberattacks are much more sophisticated than they once were, and it's important for small businesses to stay educated about the ways they may be vulnerable.

Remember the good old days when the most common cybersecurity threats were an email from someone claiming to be a wealthy prince or a mere data breach? For better or worse, those days are long gone.

One of the biggest current worries for business owners is becoming the target of a much more sophisticated cyberattack. Similar incursions into hospitals and government agencies tend to receive most of the media’s attention, but businesses across all industries are being targeted. When it comes to protecting any business online, ignorance isn’t bliss, and construction and home services companies are fast becoming a key target for these kinds of attacks.

“Construction companies are likely being targeted because of their limited awareness of cyber risks and their lack of cybersecurity,” says David DeSilva, head of construction at The Hartford. “While technology is an integral part of daily business, many companies may not have adequate firewalls and protection to ward off sophisticated hackers as cybersecurity isn’t top of mind.”

DeSilva says the average downtime for organizations subject to a cyberattack is 20 days, with ransom demands spiking dramatically in 2022, reaching more than $400,000 per attack in the fourth quarter.

The most common types of cyberattacks

  1. Ransomware — This can be the most terrifying attack for any business owner. A third party gains access to your computer system, shuts it down and demands a substantial payment to restore service and access.
  2. Business email compromise — Construction companies are especially vulnerable in this regard because of their extensive use of suppliers and subcontractors, all of which are typically coordinated via email and involve the exchange of considerable sums of money. If hackers can obtain access to a company’s email accounts, they can reroute payments or solicit tax information under the guise of a legitimate business-related request. According to FBI statistics, this form of fraud resulted in an estimated loss of $2.7 billion of operating revenues in 2022.
  3. Credential vulnerabilities — “Many times, contractors have open data connections with their customers for things like electronic bill paying and project management,” DeSilva says. “When these connections are linked to their customers’ other important systems, it creates an environment for attackers who’d like nothing more than to steal as much information as they can. Once they have the contractor’s credentials, those cybercriminals can take valuable information from the contractor’s customers.”

Best practice protections

Remember the old PSA that used the tagline “the more you know” to educate the public on a range of topics? That slogan applies perfectly to construction companies and the need to remain vigilant against the threat of cyberattacks and the extreme monetary impact they can have. After all, it’s hard to protect against something you’ve failed to recognize is happening. For email compromise, especially, it’s crucial to keep an eye open for potential phishing attacks and take necessary responsive actions against them when they do arrive in your inbox — and they will.

Regarding ransomware, it’s imperative to identify potential weaknesses in your systems and fix them immediately. According to Matthew Magner, head of specialty cyber underwriting at The Hartford, this includes systems such as Microsoft’s operating system and VPN applications for remote access, in addition to proprietary in-house systems.

“The impact of ransomware isn’t limited to ransom payments and clean-up costs,” Magner says. “But it may also include reputational damage.”

Beyond technical protections and general awareness, it’s important to educate employees on the risks and hallmarks of cyberattacks, including conducting anti-phishing exercises, while also implementing multi-factor authentication protocols for all users, especially those with access to critical data such as financial transactions.

Once the low-hanging fruit of general awareness and basic safety protections are put in place, DeSilva strongly recommends companies maintain frequent offsite and encrypted backups of all company data, deploy a VPN for all remote access to company systems, prepare an incident response plan and ensure all SPF domains and DKIM records are properly configured.
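One way to check the SPF and DKIM recommendation above is to lint the published DNS TXT records. The following is an added example, not part of the original article: the function names and sample records are constructed for illustration, and the rules it applies come from the SPF and DKIM specifications (RFC 7208 and RFC 6376) rather than from the article.

```python
import re

# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records):
    """Return findings for one domain's TXT records (empty list = no issues)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    findings, names, lookups = [], [], 0
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare term means "+"
        name = re.split(r"[:=/]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        names.append(name)
        lookups += name in LOOKUP_TERMS
        if name == "all" and qualifier in "+?":
            findings.append(f"'{term}' does not fail mail from unlisted senders")
        if name == "ptr":
            findings.append("ptr mechanism is discouraged (slow and unreliable)")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    if lookups > 10:  # counts this record only, not nested includes
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return findings

def audit_dkim(txt):
    """Return findings for one DKIM key record (selector._domainkey TXT)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    findings = []
    if not tags.get("p"):
        findings.append("empty p= tag: the key is revoked, signatures will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: domain is in DKIM testing mode")
    return findings

# Constructed sample records (not real domains or keys).
SAMPLES = {
    "good": ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"],
    "open": ["v=spf1 mx +all"],
    "unfinished": ["site-verification=abc123", "v=spf1 a mx"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, audit_spf(records))
    print(audit_dkim("v=DKIM1; k=rsa; t=y; p="))
```

Feed it the TXT strings returned for the company domain and for each DKIM selector in use; an empty list means none of these specific problems were found, not that mail authentication is complete.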

“A comprehensive cybersecurity strategy and incident response plan helps ensure the appropriate processes and technology are in place to help mitigate risk,” Magner says.


About the author: AEM is the North American-based international trade group representing off-road equipment manufacturers and suppliers, with more than 1,000 companies and 200-plus product lines in the agriculture and construction-related sectors worldwide. AEM has an ownership stake in and manages several world-class exhibitions, including CONEXPO-CON/AGG.


