How are they affecting the construction industry?
According to Statista, there were 480,000 cyberattacks in the United States in 2022. The estimated cost of cybercrime in the country for 2024 is $452.3 billion, which is expected to reach $1.816 trillion by 2028. In 2022, over 3,000 people nationwide became victims of phishing attacks, while business email compromise attacks impacted nearly 22,000 individuals. In 2023, nearly seven in 10 organizations in the United States were hit by a ransomware attack.
Statista says that if managed properly, cybersecurity measures can mitigate and minimize the risks of cyberattacks. However, companies usually face challenges implementing security systems for various reasons. The main challenge is usually raising awareness among employees.
The global average cost of a data breach in 2023 was $4.45 million, a 15% increase over three years, according to IBM.
The Insurance Journal reports that cyber insurance premiums in the United States surged 50% in 2022, reaching $7.2 billion in premiums collected.
According to a 2021 report from the Associated General Contractors of America, the construction industry is “one of the leading industries impacted by data security incidents … the number of cyber security attacks in the construction industry is growing exponentially.”
AWCI Member Experiences
Those are some of the statistics, but we tend to rely on information from AWCI members in construction companies around the country. We asked our members if cybercrime has impacted their company, and if so how. We also asked what measures they are taking to mitigate the threat of cybercrime and how effective these have been.
Eric Corder, director of information technology and security at Performance Contracting Group in Missouri, says, “We have been the target of numerous malicious threats and continue to be a target for social engineering attacks [attempts to coerce the intended victim into divulging sensitive information by pretending to be a known person or legitimate entity]. The impacts of cybercrime on our company have ranged from the direct costs of incident response to changes in processes and technologies that better enable us to secure our information, as well as that of our employees and customers. We have also invested in awareness campaigns and training to raise our employees’ suspicion to helpful levels and protect the organization from the increasing sophistication of social engineering attacks, many of which are now powered by artificial intelligence.”
Craig Condie, director of information technology at Daley’s Drywall & Taping in California, says, “We, like any company, have experienced frequent cybercrime attempts from multiple attack methods: email, text, phone calls, browser links, and now QR codes are the most common tactics used. This has been continuous and seems to be increasing. We have had minor incidents and have strengthened our protection methods.”
John Senneff is the IT director for the three Marek companies in Houston. In his 30 years with the company, he has witnessed an entire evolution of technology. “For the last six or seven years we’ve really been concentrating heavily on cybersecurity,” he says. “That’s about when there was this big increase in awareness about phishing campaigns, credential harvesting and ransomware attacks.
“We had an event that we had to combat and take care of, and we realized very quickly that we did not have the skills or the proper tools in place. The trends for cyberattacks and cybercrime are not slowing down. If anything, they are ramping up drastically, and with the enhancements of AI, it’s just getting worse.
“We’ve had to commit a lot of money, time and resources to build the cybersecurity program that Marek needs, not only to protect our data, our assets and our companies, but also to protect the people we work with—vendors and customers. It doesn’t matter what size company you are—big, small or somewhere in the middle—if there is an opportunity for a bad actor and they feel they can seize it, they will. You’d better be prepared as an organization to combat that.”
Marek Director of Credit Steve Winn explains, “My focus is on negotiating contracts that contain cybercrime insurance and, sometimes, indemnity for cybercrime events. The average data breach in the United States costs $9 million—up from $4 million a year ago, and worldwide costs are projected to hit $23 trillion. How can the average company sustain such a hit, much less provide the indemnity to other companies? Why should Company A be liable for the errant clicks by the employees of Company B? It’s a recipe for massive bankruptcy, and the construction industry is a prime target.”
“Cybercrime insurance is becoming increasingly expensive to the point where it may not be commercially available,” he says. “We see contracts that contain requirements for coverage, but with the costs mentioned earlier, can the average company carry enough to cover claims for itself, much less others?”
Winn explains a recent example in which Marek received a contract from a GC for a large oil company. The prime contract contained such an indemnity. “What construction company could pay for the damages for that oil company to recover, restore and remediate its system?” Winn asks. “Then there’s the oil company’s downtime. That’s where we get that $9 million bill!”
Ron Karp, principal at Advanced Drywall Systems in Florida, recalls, “We received a group of emails from one of our vendors asking us to pay him ahead of schedule by depositing the payment via ACH into his ‘new’ bank account. The email looked legitimate, so the accounting department made the payment. Two weeks later we received an email from the vendor asking us when he could expect his payment. Once we were able to piece together what had happened, we turned it over to our insurance company.” Karp’s company was reimbursed.
Karp also has a recent example: “Just this week, one of our clients received an email that appeared to be from us, asking that they change the manner of payment to a direct deposit into our ‘new’ bank account. The client responded by email and copied me, which was when we discovered the attempted fraud and put a stop to any change in our payment routine. It’s a non-stop flow of phishing emails, and I don’t see any way to stop it other than to protect oneself by not responding, blocking them and deleting the email. I routinely do this several times a day.”
Bill Fritz, president at Mission Interiors Contracting LLC in Texas, says, “We have had no impact, although the potential is extreme. Considering the requests from vendors to direct pay through ACH with EFT and the increasing delay and loss in mail delivery, the risk continues to accelerate. Any information through online delivery is always at risk with the ever-increasing cybercrime perpetrators who are far more computer literate and cutting edge than most of the public can understand.”
Jessica Pfeiffer, president of BCT Walls & Ceilings, Inc., in Pennsylvania, appears to be one of the few exceptions when she says, “Fortunately we have not been impacted with any cybercrime (knock on wood).”
Responding to the Threat
The responses to the threats and the measures put in place vary considerably from company to company.
Corder says, “Performance Contracting has taken a proactive approach to cybersecurity and risk management by adopting several frameworks from the National Institute of Standards and Technology. These frameworks are used to regularly evaluate risk, implement mitigations, monitor controls and provide roadmaps for the maturity of their program.
“We have also adopted the principles of Least Privilege and Defense in Depth to protect our people and networks. This means that individuals are only provided with the access needed to effectively conduct their role in the organization, and a layered approach is used to cover as many potential vulnerabilities as possible, often with more than one control. To achieve our desired security results, we have invested in full-time information security personnel and established an information security team. Some examples of our controls include formal awareness training, regular social engineering tests, third-party vulnerability and penetration testing, managed detection and response, physical security controls, and policies and playbooks for security and incident response.”
“Thus far, our approach to security has proven successful, providing a reduction in risk to the organization and allowing us to operate relatively unimpeded,” he continues. “Performance Contracting’s future plans include continuing to increase the maturity of the program, staying up-to-date with the ever-changing security environment, and remaining agile and able to respond to any incidents that may arise.”
Condie says, “We are protecting ourselves through outsourcing our cybersecurity to a reputable leader in this market and have contracted them to secure our servers, endpoints, firewalls and email scanning. In addition to these physical safeguards, we have weekly online training available to all users to raise awareness of various cyber threats. The training includes a brief video and a test that is scored and used to rate the user and company in comparison to other users and companies.”
Although BCT Walls & Ceilings has not experienced any cyberattacks that they are aware of, Pfeiffer says, “We have security measures in place through our IT person and of course an antivirus program that runs continuously.”
Karp says, “Every email that has anything to do with funds is followed up with an in-person telephone call to make sure the email is valid. We’ve also added another level of firewall/spam protection to our system in an attempt to limit this. Are they working? Yes and no. Even with the added firewall and spam protection, we still receive plenty of junk emails that attempt to gather personal and financial information.”
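The callback control Karp describes, and the vendor bank-account change fraud recounted earlier, can be made systematic rather than left to whoever happens to read the email. The following is an added illustration, not code from the article or from any of the companies quoted: an accounts-payable gate that refuses to change a vendor’s bank details unless a phone call was made to the number already on file (never to a number offered in the email) and the vendor confirmed the change on that call. It also flags sender domains that are one or two characters off the vendor’s real domain, the usual shape of a lookalike. The vendor, addresses and phone numbers are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class VendorOfRecord:
    """What AP holds from the signed vendor agreement (constructed sample)."""
    name: str
    email_domain: str      # domain the vendor has always mailed from
    phone_on_file: str     # contact number from the agreement, never from an email
    bank_last4: str        # last four digits of the account currently being paid


@dataclass(frozen=True)
class ChangeRequest:
    """An inbound email asking us to pay a different bank account (constructed)."""
    vendor_name: str
    sender_address: str
    new_bank_last4: str
    number_in_email: str   # the "call me to confirm" number the message offers


@dataclass(frozen=True)
class Callback:
    """Record of the phone call AP made before touching the bank details."""
    dialed_number: str
    confirmed: bool
    made_by: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single substitution is enough to fake a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased for comparison."""
    return address.rsplit("@", 1)[-1].lower()


def domain_verdict(seen: str, expected: str) -> Optional[str]:
    """None when the sender domain matches the vendor of record, else a reason."""
    if seen == expected:
        return None
    if edit_distance(seen, expected) <= 2:
        return f"sender domain {seen!r} is a lookalike of {expected!r}"
    return f"sender domain {seen!r} does not match vendor of record {expected!r}"


def evaluate(request: ChangeRequest, vendor: VendorOfRecord,
             callback: Optional[Callback]) -> Tuple[str, List[str]]:
    """Return ('APPROVE', []) or ('HOLD', reasons) for a bank-detail change."""
    reasons: List[str] = []
    verdict = domain_verdict(sender_domain(request.sender_address), vendor.email_domain)
    if verdict:
        reasons.append(verdict)
    if callback is None:
        reasons.append("no callback recorded; bank details never change without one")
    else:
        if callback.dialed_number != vendor.phone_on_file:
            reasons.append(f"callback went to {callback.dialed_number}, not the number on file")
        if (callback.dialed_number == request.number_in_email
                and request.number_in_email != vendor.phone_on_file):
            reasons.append("callback number was taken from the email itself")
        if not callback.confirmed:
            reasons.append("vendor did not confirm the change on the call")
    return ("HOLD" if reasons else "APPROVE", reasons)


# Constructed sample data: a real vendor, a genuine request and a lookalike fraud.
VENDOR = VendorOfRecord("Acme Supply", "acme-supply.com", "+1-555-0100", "4821")
LEGIT = ChangeRequest("Acme Supply", "ar@acme-supply.com", "7730", "+1-555-0100")
FRAUD = ChangeRequest("Acme Supply", "ar@acme-suppIy.com", "9912", "+1-555-0199")


def demo() -> dict:
    """Run the gate over the three situations AP is most likely to meet."""
    return {
        "legit_verified": evaluate(LEGIT, VENDOR, Callback("+1-555-0100", True, "ap.clerk")),
        "fraud_callback_to_email_number": evaluate(FRAUD, VENDOR, Callback("+1-555-0199", True, "ap.clerk")),
        "fraud_no_callback": evaluate(FRAUD, VENDOR, None),
    }


if __name__ == "__main__":
    for label, (decision, reasons) in demo().items():
        print(label, decision, reasons)
```

The point of the design is that the email never supplies any of the inputs used to verify it: the phone number comes from the vendor record, and a callback to a number offered in the message counts against the request rather than for it. The lookalike threshold of two edits is an assumption for illustration; a production version would also want a second approver and an audit log of who made the call.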
Fritz says, “The truth is no small company really thinks about cybercrime until they become a victim, which is too late. Innovative progress of ideas and concepts is a must to stay at the top of your industry. Most of the time we don’t think of possible negative consequences before proceeding with the latest and greatest technological innovation.”
The enormous increase in the use of technology in all phases of the construction industry has without question brought with it increased vulnerability to cybercrime.
John Hinson, president of branch operations at Marek in Texas, says, “This is a growing issue as we are spending a ton of time and money proactively protecting ourselves and our clients.”
The measures that Marek has taken and is taking are extensive and continually evolving to keep ahead of the criminals.
Senneff stresses some key factors in the Marek approach to cybersecurity. While space doesn’t allow the full description he provided, the main points are listed here:
• Ownership and senior management buy-in and the realization that cybersecurity is not an IT problem but an organizational problem are key to a successful cybersecurity program.
• Having excellent relationships and partnerships with cybersecurity vendors and utilizing their expertise is key to protecting your business.
• Continual monitoring of all networks, servers and endpoints using the right cybersecurity tool sets to identify abnormal traffic.
• Running regular end-user awareness campaigns: training, simulated phishing campaigns and other measures help raise awareness.
• Having a very robust backup and recovery system in place allows the company to recover quickly from incidents, with minimum downtime.
• Updating and patching all servers and endpoints is also vital.
• Be very wary of the increasing prevalence in contracts of language that tries to make the subcontractor liable for any cybersecurity incidents and consequences. Strike those clauses where possible. Don’t sign a contract that could cost your company more than it can bear if there is a cybersecurity incident.
On this last point, Winn says, “Companies need to carry coverage for themselves and require their business partners to adhere to cybersecurity best practices. This kind of due diligence provides the best security for everyone—not the insurance coverage. I believe contractual indemnity and requiring coverage for cybercrime will change the landscape for the construction industry. Companies simply cannot bear the costs for the data breaches experienced by other companies. Those companies should be liable. Construction companies will do well to take care of themselves.”
He adds, “This is why we all need to adhere to best practices from technical measures to correcting employee habits.”
David C Phillips, a freelance writer and photographer, is an original founding partner at Words & Images.