Outside the usual jobsite hazards, there's a growing threat to business as usual at construction companies: ransomware attacks. Among major industries, construction firms are the third most likely to be the target of a ransomware attack, which can be costly and highly disruptive. Experts say that in order to protect their companies and clients, contractors need robust cybersecurity defenses and a strong, preventative action plan.
A quick ransomware overview
Ransomware—one of the most common cyber threats—is malware that infiltrates a computer system, including desktops, tablets and smartphones. Ransomware differs from other malware in that it blocks access to the computer system until the targeted person or company pays a ransom. Among major industries, only government agencies and manufacturing have suffered more attacks than the construction industry, according to a report by cybersecurity firm Safety Detectives.
Construction contractors are particularly vulnerable to ransomware due to the constant interaction with outside parties: vendors, subcontractors, employees and clients. And, as the industry has further embraced technology (including mobile devices in the field) to improve efficiency and communication, more doors have opened to cybercriminals. Many small and mid-sized construction firms don't have in-house IT staff and contract with third-party vendors for technical service, hosting and support—leaving their businesses, partners and clients more exposed.
These gaps in digital security create opportunities for cybercriminals to infiltrate a construction or roofing company's system and access otherwise private files. In fact, in 2020, nearly one-third of construction companies were targeted by ransomware, according to a report by security experts at Sophos Group. The attacks were spread evenly among small and large-sized firms.
"An attack could hinder a construction firm's ability to meet project a project deadline, which may incur contractual financial penalties and lawsuits," said Kim Abrams, CEO of Abrams Roofing in Louisville, Kentucky. "It reduces the trust of individuals who were once your loyal clients."
In theory, if a contractor has material and equipment on a job, they can keep working after a ransomware attack—but only for a limited time. As soon as the company needs to order supplies, communicate with clients and vendors or generate payments, business would grind to a halt.
To ward off ransomware and other cyberattacks, security experts recommend that construction companies follow five best practices and implement safeguards.
1. Train employees to spot suspicious emails
Cybercriminals need access to a computer system to launch an attack, and email offers an easy pathway. If an employee receives an email from an unknown sender and opens a link or an attachment containing ransomware or other malware, they've thrown the door wide open.
Construction companies should train employees to spot suspicious emails. Instead of opening the message, employees should be directed to contact technical support and managers immediately.
"Instead of viewing the employees as the weakest link, use them as the strongest guardians," said Mario Paez, national cyber risk leader for insurance agency Marsh McLennan Agency.
Denver-based Sol Vista Roofing works with a third-party IT firm to monitor cybersecurity and bolster its defenses. Every quarter, the IT specialists scan and check the company's mobile devices for bugs and issues. The company set up an internal mailbox and has instructed employees to forward any suspicious emails to that address, which the IT department monitors regularly.
"So far, we receive about 12 to 15 emails per week in the inbox that appear to be valid ransomware threats," said the company's owner Kyle Shirley.
To further reduce risks, companies can also block attachments from external emails.
2. Tighten up passwords and restrict file access
Marsh McLennan Agency recommends construction companies institute a dozen controls to bolster cybersecurity. One of the most important is multifactor authentication. With MFA protocols, users must confirm their identity each time they log in or access the system. They do so using two or more identifiers, including a password, PIN or biometric. According to Marsh's findings, 80% of cyber incidents begin with compromised credentials, making user identity a key gateway to attacks.
The agency also recommends contractors restrict which employees have access to computer files—a practice known as privileged access management. That way, if a system is attacked, the damage can be limited in scope.
3. Purchase the right insurance and use support
Construction companies can purchase cyber liability insurance that covers ransomware. This insurance typically pays for business interruption and payments to hackers. However, not all policies cover ransomware, so business owners should read any contracts carefully.
Security experts suggest that owners contact their insurance company immediately if their firm is attacked by ransomware. Many provide a 24/7 hotline for this exact purpose.
4. Back up data regularly and in multiple locations
Even with the best safeguards in place, attacks can happen. To minimize damage, contractors should regularly back up their data and keep security software up to date. Then, if a company is attacked, it can revert to backups and continue operating—whether or not the company decides to negotiate with the cybercriminals or make payments.
Marsh McLennan Agency's Paez recommends storing backup data on encrypted servers, air-gapped computers and cloud-based services.
"That puts you back into the driver's seat, especially with ransomware," Paez added. "They may be requesting a large amount, but if you have backups, you have the option to restore instead of the only option being to pay them."
5. Craft a response plan
To prepare for a possible attack, cybersecurity attorney Joseph Lazzarotti, a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C., recommends construction companies walk through their response plans annually. This should include addressing how managers will communicate with staff, vendors and customers as well as their insurance company and lawyer.
"Sit down with your staff and walk through the scenarios; if you have a ransomware attack and all systems are down, what do you do?" Lazzarotti said. "Think about how you'll communicate with employees, customers, law enforcement and your insurance carrier. Hopefully, it never happens, but it is smart to have an incident plan in place."
Alli Romano is a Denver-based freelance writer, editor and content manager. She has more than 20 years of experience as a journalist and copywriter for media companies and brands and is a skilled digital content producer and social media manager.