Based on Corvus’s Threat Intel team data, the frequency of ransomware attacks on the construction industry increased 48% from 2022 to 2023. Encryption software firm NordLocker, in its latest report on cyber attacks, ranked construction as the #1 most targeted industry.
This post will spotlight why construction firms are especially vulnerable and what they face today based on data from our Threat Intel findings. We’ll also look at what construction firms are doing right and how they can further safeguard against cyber risks.
The construction sector, essential to the growth and maintenance of global infrastructure, is facing urgent cybersecurity challenges. Much is at risk: Financial accounts, business-sensitive information, and the intellectual property and data of employees and projects.
At the crossroads of cybersecurity risk and technological progress, the industry is experiencing sophisticated ransomware assaults interrupting operations and data breaches compromising critical project information.
The increasing use of Internet of Things (IoT) devices, such as connected sensors, drones, and wearable technology, introduces new cybersecurity threats. Many construction businesses have also adopted operational technologies such as supervisory control and data acquisition (SCADA) networks, building information modeling systems (BIMs), machine learning, and robotics, further expanding the attack surface. As new technologies become more prevalent in construction practices, the industry is grappling with ensuring the security of physical assets and digital infrastructure.
Adding to the challenge is the wide range of interconnected parties involved in construction projects, including suppliers, subcontractors, engineers, and architects. Every entity is a possible foot in the door for hackers looking to breach security, steal confidential data, or interfere with regular business activities.
Many construction firms and contractors underestimate their cyber risk. They are unaware that they frequently serve as a point of entry for hackers looking to target more profitable targets — a builder’s clients.
For years, the construction industry enjoyed a sense of security, seemingly immune to cyberattacks, as suggested by a research paper by the Association of General Construction of America in 2021. However, this perception has been shattered. A 2023 survey from Dodge Construction Network and content security company Egnyte reports that 59% of firms experienced a cybersecurity threat within the last two years, a stark departure from the past. Yet the same survey shows that most of the industry isn’t prepared for a cyberattack.
Successful attacks have dire consequences, with 77% of respondents in the Dodge-Egnyte survey saying they would experience critical schedule delays if access to documentation were blocked for more than five days. But ransomware attacks typically take much longer to resolve than that. Data from Statista points out that the average length of interruption after ransomware attacks in the United States was 24 days as of the second quarter of 2022.
A Travelers Companies survey notes that construction businesses aren’t well-prepared to mitigate cyber risks; 87% of construction business decision-makers rely on technology functioning properly so their business can operate, but 40% believe their business is becoming somewhat riskier each year. Only 20% say they are knowledgeable about the cyber issues that could harm their companies. And only 30% have a business continuity plan to help them survive and recover from a cyberattack.
A sampling of high-profile cyberattacks against the construction industry illustrates how criminals are intentionally targeting businesses for financial gain. One firm experienced a cyberattack that resulted in defensive measures, like shutting down specific systems to mitigate further long-term harm, according to a Securities and Exchange Commission Form 8-K filed by the company. The company also hired third-party cybersecurity experts to aid its investigation and recovery efforts.
A Candian-based contractor, who works on military bases and electrictiy generation plants, was hit with a ransomware attack in March 2023. This led to initial concerns surrounding the security of Canada’s defense department — highlighting how impactful downstream risk can be with the right victim.
On a more promising note, we’ve observed that construction firms are implementing risk mitigation strategies and improving internal security procedures. For those at the earliest stage of developing a security program, basic examples include mandating use of a password manager and implementing MFA. Many firms are conducting staff training to communicate cyber security requirements.
Systems to receive, track, and store electronic and paper-based documents are seeing increasing adoption. Keeping records of what has been shared, when, and with whom helps prevent sensitive information from being accessed by the wrong people. Construction firms also now recognize the importance of keeping software up to date and implementing “need to know” processes, where access is only granted for the required information, and ensure access is removed when staff leave the project or business.
The most prepared firms are taking preventative security measures like attack surface management, penetration testing, and vulnerability assessment to provide security teams with a proactive approach to discovering blind spots and securing their most critical assets.
Even as the industry improves at preventing and mitigating cyberattacks, threat actors will continue to invent new strategies and tactics. That’s why, at Corvus, we want to partner with construction firms to help manage the risks they face. Our underwriters have the necessary cyber expertise and real-time data insights to meet the construction sector’s needs.
It's now easier than ever for the construction industry to add an experienced, committed cyber insurance partner to the blueprint. Learn more about the broad policy language, competitive terms, and endorsements we offer for the construction industry.