The construction industry is changing rapidly and more and more projects are relying on emerging technologies for management and completion. There are now major cyber related concerns regarding “smart” equipment such as cranes and drones and SAAS/IAAS systems used for project planning and management. ‘Connected’ systems utilized by third-parties (general contractors and subcontractors) to share and centralize sensitive data may also expose a project to cyber risks.
While these technological advancements certainly make projects run more efficiently, they also give rise to exposures which are new to the industry.
This coupled with the fact that most construction companies do not fully appreciate their cyber exposures or do not have the means to properly mitigate them, puts a project at great risk.
Here are some cyber risks that construction companies should be aware of:
Business Interruption/Project Delays – A cyber breach resulting in loss of sensitive information such as blueprints or plans or even intentional shutdown of systems. Mitigating such a breach can cause costly delays for a project. One must keep in mind, an outage due to a cyber-event at a third-party such as a subcontractor could also cause major delays.
Contingent Bodily Injury or Property Damage caused by a security breach or system failure. An example of such event would be a ‘smart’ crane that is hacked and causes damage to a building or worse, a worker or civilian (See Forbes article - Exclusive: Hackers Take Control of Giant Construction Cranes).
Contractual Penalties imposed against you (by written contract) for failure to deliver your product on time due to a cyber-event.
Ransomware, Phishing or Social Engineering scams enacted in order to steal money or siphon confidential information. Understand that these types of threats can originate from a cyber-criminal or malicious competitor.
Fortunately, the major tenets of a sound cyber security and business continuity plan apply to the construction industry as well.
- Understand where sensitive project data is stored, who has access to it, and how it is protected.
- Train employees to recognize scams and educate them on what to do if they notice something out of the ordinary or click on something they shouldn’t have.
- Update and patch systems on a scheduled basis and update firmware on all equipment from printers to cranes.
- Develop a comprehensive Disaster Recovery Plan and Business Continuity Plan.
- Invest in a Cyber Liability insurance policy that is specifically written to cover construction industry exposures.
Everyone from the Owner, the General Contractor, to the plumber and landscaper should consider how a cyber-attack can impact their business and plan accordingly.