As technology has become integral to running a construction firm, cyber criminals have dramatically stepped up their attacks on the industry, and experts say it’s only a matter of time before the unprotected fall victim.
In fact, ransomware, in which a virus takes over a computer or device until the victim pays a fee to regain access, happens every 11 seconds and costs businesses $20 billion annually, according to the Ransomware in the Construction Industry report. It showed that more than 13% of firms reported an attack in 2020 and that the average ransomware payment was $178,254, up from $84,000 in 2019.
But those numbers only tell part of the story, because criminals are using other methods to breach data systems and websites, warned Nick Ondo, commercial insurance and risk advisor with Frank H. Furman Inc., which works with contractors.
Along with ransomware, Ondo said cyber criminals are employing the following techniques:
- Funds transfer fraud. Hackers mock up a vendor’s invoice with a slightly different name and a different routing number, along with an explanation that the company changed banks. When that fraudulent invoice is paid, the money never gets returned.
- Business email compromise. Criminals email someone in administration pretending to be a superior and request that $500 or more in gift cards be mailed to an address. The admin person follows through on the request, thinking it’s coming from the boss, and the money is lost.
- Data breaches. Hackers use construction technology vulnerabilities to access key building systems such as HVAC. Or they access the confidential banking and credit information of customers. There are even fears that hackers could compromise supply chains.
“Tech has transformed construction workflows and it’s expected to work all the time,” Ondo said. “That’s why a cyberattack will absolutely have some level of devastation associated with it.”
He said attacks are increasingly automated and that attacks on small businesses have risen 56%, while the frequency has jumped 40%.
John Kenney, CEO of Cotney Consulting Group, said he’s worked with three construction clients during the last six months that suffered more than $1 million in losses. “A company can be wiped out when it’s hacked,” he warned.
No matter what type of attack, the entry point is typically the same: a phishing email that gives criminals access to a company’s data. Here are five ways to protect your business from cyber criminals:
1. Educate and train. The first line of defense is educating employees about phishing emails, how to spot them and what to do if they suspect they received one. Ongoing training and testing are necessary as well. A number of firms now specialize in this area, and experts recommend investing in these measures. Kenney said 20 or 30 employees can be trained for around $5,000. Ongoing training subscriptions, which include faked phishing emails that mimic the latest threats to test employees’ skills, can cost $20 per employee. “That’s money well spent,” he said.
2. Strengthen passwords. Ondo recommended ensuring that systems are protected with multifactor authentication and stronger passwords. As the name suggests, multifactor authentication requires two devices to gain access to company networks. Typically, a verification gets sent to one device that must be entered on another device, which makes breaching data systems much more difficult. “It’s going to get to a point in the near future where cyber insurance carriers are not even going to write a policy if you don’t have two-factor authentication,” Ondo said.
3. Encrypt data and back it up in the cloud. Encrypted data is harder to hack and less vulnerable to ransomware attacks. The latest versions of Apple and Microsoft operating systems automatically encrypt data. But third-party vendors also offer encryption services, which average $235. Along with encryption, backing up data in the cloud ensures that even if the local system gets accessed, the data can’t be held for ransom. Kenney said the most important step is making sure that data is backed up on separate servers. “You definitely want to make sure it’s not being backed up on the same server,” he said.
4. Purchase cyber insurance. Although the cost increased almost 80% in the second quarter of 2022, experts said the investment is well worth it. Some insurance companies, such as Furman, will do a cyber security report as part of developing an insurance premium. Kenney said a medium-sized construction firm could expect to pay $10,000 a year for a $10 million policy. “It’s still a very reasonable policy to have for a backup,” he said.
5. Use online resources. A wealth of information and training is available for little or no cost online. For example, the Cybersecurity Toolkit for Small Businesses from the Global Cyber Alliance provides a good foundation for getting started. Associations such as Associated General Contractors and the National Roofing Contractors Association offer cybersecurity training and prevention programs as well.
“If you conduct business on the internet, your company is not too small for a potential cyberattack,” Ondo warned. “And it’s worth at least having the conversation with an IT expert to understand how exposed you are and how to mitigate that.”
Kenney offered this final warning: “It’s not a matter of if, it’s a matter of when right now. The more aware and protected you are, the less likely you are to get hit.”