Practice Update

In July, WCOE's Regional Director – West (Southern), Brenda Radmacher, Esq., presented an extremely timely and informative webinar regarding cybersecurity risks and best practices for construction firms. The below Practice Update highlights a few key takeaways from the presentation by Brenda, her colleague Christy Hawkins, Esq.; and industry experts, Danette Beck, Head of Industry Verticals & National Construction Practice Leader, USI Insurance Services and Michael Corcione, Partner, Global Cybersecurity & Privacy Risk Management Lead, HKA.

The construction industry has experienced an amazing evolution in recent years thanks to the rapid adoption of new technologies. While all of this new technology has the potential to make companies more productive and more efficient, it, like all new tools, also creates new risks and liabilities. The modern construction firm must be as vigilant and prepared for cyber threats as they are of jobsite dangers. The first danger to overcome, however, is the misconception that hackers are not interested in construction companies or smaller businesses. This simply is not true. Cybercriminals can now cast a very wide, indiscriminate net with their cyberattacks, entangling companies they were completely unaware of beforehand. More disturbing still is the fact that the cliché of hackers living in their parents' basements has been replaced by sophisticated state-sponsored hacker teams. For example, there is evidence that hackers backed by the Russian government have infiltrated American government agencies and Fortune 500 companies as part of its war with Ukraine, as noted in a recent New York Times article[1]. While these attacks have mostly targeted specific agencies and companies, experts note that there is often "spillover," with the malware used in the attacks spreading beyond the original targets.

It is clear to see how a construction company working on a major infrastructure project or sensitive government installation could be a prime target for hackers. And it is just as clear to see how a company simply going through day-to-day business could become ensnared in a wide-reaching fishing expedition. But with effective planning, due diligence, and vigilance those risks can be greatly reduced.

Why Cybersecurity Matters to Construction Firms

At the most basic level, cybersecurity should be a priority for any construction firm because there are laws you are likely required to comply with. For example, the California Consumer Protection Act (CCPA) became law in 2020, and applies to for-profit entities that collect personal information from California residents and meet any of the following thresholds: (i) At least $25 million in gross annual revenue, (ii) Buys, sells or receives personal information about at least 50,000 California consumers, householders, or devices for commercial purposes or; (iii) Derives more than 50% of its annual revenue from the sale of personal information.

And that is just the tip of the iceberg. Since the CCPA became law, a growing number of states are considering comprehensive privacy laws. In 2022, 29 states considered data privacy legislation.

Even if your company is not subject to data privacy laws like CCPA because of your size or where you do business, you are still vulnerable to cyberattacks. This is why the Cybersecurity & Infrastructure Security Agency recommends organizations of any size “adopt a heightened posture when it comes to cybersecurity, to protect their most critical assets.2

Earlier we mentioned indiscriminate wide-net cyberattacks, the most common of these are email phishing scams. For those not familiar, this is when cybercriminals use email messages to obtain data from individuals or gain access to your network. These email messages are most often sent by the thousands to addresses, which are often obtained through equally nefarious means. A 2019 study conducted by cybersecurity firm KnowBe4 highlighted just how vulnerable construction companies are to phishing attacks. They found “those who work in construction are the most susceptible to phishing attacks among small-to-medium-sized businesses and the second-most likely to fall for a phish among large corporations.”3 The study, “Phishing by Industry 2019,” surveyed nine million users across 18,000 organizations with simulated phishing security. Other industries found to be most vulnerable to phishing include hospitality, finance, and healthcare.




To navigate our site
To search our site

Welcome to our new site

Click anywhere to enter