Why the construction industry is under threat

Author: Gary Hibberd

Date: 17 June 2020

When you’re asked to think of sectors which might be the target for Cybercrime, many might believe that the Construction sector would be low on the list.

If you’re one of these people, then you need to rethink this situation and fast.

Phishing for customers

Firstly it’s always worth remembering that there are many Cybercriminals who don’t care what industry you’re in. Phishing emails are called this, because they don’t care who they catch. Does a fisherman sitting on the banks of a river care which fish he catches? Not really. How big is the fish? That’s the question.

The Construction sector in the UK is worth more than £110 billion per annum and contributes 7% of GDP (ref. Government Construction Strategy). Approximately a quarter of construction output is to the public sector, and three-quarters is to the private sector.

There are plenty of big fish and little fish to go after in this sector, so why wouldn’t they target it?

Concrete Evidence

In early May 2020 both Interserve and BAM Construct had to shut down some of their computer systems after falling victim to a cyberattack.

They did a great job in containing the virus because they knew how to respond effectively. They had invested in building effective technical and organisational measures to protect the Data they shared. But how many other construction companies can state the same? Certainly, some of the larger companies can, but what about the sole traders? The smaller suppliers who don’t see this as their problem?

Both BAM Construct and Interserve were involved in the building of Nightingale Hospitals for the NHS, to help in the fight against COVID19. Thereby proving that Cybercriminals don’t care what your project is; The more urgent the need, the more vital the build, the more likely you will be willing to hand over some money to them.

No insulation from Cybercrime

I started my computing career back in 1984, working on Burrough computers in a large building contractors payroll department. We understood the importance of protecting payroll data, and that supplier records and transactions should be equally protected.  

Protecting data was relatively easy because processing was a highly manual process. But today, almost everything is automated and available via websites, apps, third-party software and complex networks. 

Cybercriminals love complexity because with complexity comes the chances of gaps. And a gap is a window of opportunity to a Cybercriminal.

Just consider for a second the kinds of professions involved in the construction sector;  architects, building service engineers, surveyors, site managers, consultants, contractors, and sub-contractors.

Within each category, there are hundreds of trades and professions that will contribute to the design, development and build process. 

Cybercriminals know that information needs to be shared between these people and know that any delay in build can be highly disruptive and costly. Therefore they will target these professions in the hope to disrupt enough to persuade them to pay a ransom.

Disruption in the pipeline

But Cybercriminals aren’t just hitting the Construction sector with phishing attacks. They have far better, insidious methods of attack, which include sitting and waiting in your systems; waiting for the perfect time to strike.

Due to the increase in suppliers, and therefore invoices raised, there is an increased risk of invoice fraud. Cybercriminals gaining access to networks may sit patiently in the background for weeks and months, monitoring emails and transactions, waiting for the chance to update banking details or order quantities.

A construction company we spoke to recently chased their supplier for goods not yet received. The supplier stated that they had yet to receive payment for these goods. It transpired that the construction company had transferred over £175,000 to fraudsters over two weeks earlier. Why? Because the construction company sent an email asking the supplier for payment terms and details and duly received a response. But not from the supplier…

It is often said that a chain is only as strong as its weakest link; And in construction, the supply chain can be extremely long. Are the controls on supplier management strong enough? What should the procurement department do to protect the company? What background-checks should be undertaken? How do you control the payment process? The answer to these questions is beyond this blog, but the questions need to be answered.

People; The Bicks and Mortar of construction

If we thought the supply chain was complex, then we need to pause and think about the number of people involved in the construction industry. From sole traders; electricians, plumbers, painters, plasterers through to merchants and construction companies hiring armies of brickies and scaffolders. The list of skills and therefore, people are vast.

Construction companies, process vasts amounts of personal data; from CVs through to payroll data, this information passes through multiple hands and can be stored in multiple locations, all of which may be uncontrolled and insecure.

Consider for a moment a labourer arriving at a building site with their proof-of-id; Passport, driving licence and utility bill.  What happens next to this information? Where is it stored? Who has access to it?

Again, Cybercriminals know that construction companies hold vast amounts of personal data, all of which is highly valued on the dark market, where passport details retail at around $3,490. How many passport images do you think the average construction company holds? 100? 1000? 10,000?

This is why the General Data Protection Regulation (GDPR) clearly states that organisations must only hold data for as long as is necessary. How long is ‘necessary’? That’s up to you to answer. But you must answer the question.

Conclusion; Don’t build a house of straw

Cybersecurity in the construction industry is a must. It is a highly professional sector that relies on people and technology to provide a service. We can’t ignore the fact that Cybercriminals are looking for easy targets, and they generally target sectors (and individuals) who believe they are impervious to attack. They target those who mistakenly think that they have nothing worth stealing. Sometimes it’s not about directly stealing money from you; It’s about what they can obtain from you (personal data, customer details, inside information, supplier details).

If you’re in the construction industry, I hope you have approached the design of your Cybersecurity processes as you would with any other project you’re involved in. Start with a floor plan. Design it from the bottom up, and consider all the constituent parts. Cybersecurity isn’t an IT issue; It’s a business risk.

Good Cybersecurity includes People, Premises, Processes, PCs and Providers. A house built only of straw will be quickly blown away by the wolf at the door. If you only focus on one thing (IT) to secure your business, then you’re just as likely to be eaten too!

Finally, it’s worth remembering that the road to success is always under construction. If you’re reading this thinking “We looked at this back in 2018 when the GDPR came in”, maybe it’s time to look at your Cybersecurity practices again.

After all, I know that Cybercriminals are looking to see if you are.