As construction firms rely more on technology to manage projects, there is an emerging risk for the industry: the cyber intrusion threat.
Much new construction machinery is computerized, and most design, engineering and construction firms are using some form of cloud computing. They are also increasingly managing projects on electronic platforms, and these platforms are ripe targets for cyberattacks:
- Multi-user platforms, which allow contractors, designers and project owners to share data simultaneously.
- Technology-driven applications, such as integrated project delivery, building information modeling, estimating and scheduling programs.
While these tools create efficiencies, the risk of intrusion increases when multiple parties have access to the project data. And if that data is compromised, it could force a halt in construction while you determine the extent of the breach.
Data at risk of exposure includes:
- Sensitive client data
- Confidential project information
- Proprietary data
- Subcontractor data or financials
- Employee data, including personally identifiable information
The dangers
If cyber criminals gain access to construction data, they could:
- Seriously disrupt a project by destroying data servers and infrastructure, or by threatening the safety of people on-site.
- Infiltrate an owner’s design and security systems.
- Get their hands on your intellectual property or data that gives you a competitive edge.
- Use weaknesses in your system to infiltrate project partners’ and vendors’ IT networks.
Identifying weaknesses
You should ask yourself these questions to identify deficiencies:
- Is your network secure and are you confident it’s protecting your data?
- How much data do you have and where is it stored?
- Do you encrypt your data when it is on your or your employees’ mobile devices and laptops?
- Do outside vendors have access to sensitive information? Perform due diligence assessments before granting them access.
- Are you taking precautions to ensure that third parties are granted access on a need-to-know basis only?
- Do you have policies and safeguards in place to ensure shared information is not disseminated elsewhere?
- Are you training your staff in cyber security, including how to recognize malicious e-mails?
Cyber insurance
Most commercial insurance policies will not cover damages caused by data breaches, but cyber insurance will. Depending on the policy, it can cover losses from various cyber and electronic issues, including:
- Unauthorized access.
- Business interruption.
- Network damage by a virus, malware or human error.
- Any state-mandated notification costs if personally identifiable information was exposed.
- Costs of regulatory penalties, and compliance costs.
- Third-party security and privacy liability arising out of the failure to protect confidential corporate information, including personally identifiable information.
- Costs associated with impaired access or denial-of-service attacks.
- IT forensics and expenses.
- Crisis management and public relations expenses.
- Loss of business income due to network interruptions.
- Cost of recovering systems and data.
- Cyber extortion loss.