
Cybersecurity in the Construction Industry

By: Tom Skoog, Cybersecurity & Data Management Practice Leader

Cybersecurity for the construction industry is a growing challenge. The industry is moving towards digital connectivity, not only across the supply chain, but also ‘on site’ as more metrics related to performance, progress, and health & safety are monitored in ‘real time’. This increase in connectivity increases cyber-risk as the bad guys have additional “doors and windows” to crawl through to access systems and data.

Reducing the Risk

The construction industry is facing increasing cyber-risk as its working environment and project delivery methods change. But it has also been notoriously slow at identifying and addressing its cybersecurity vulnerabilities. Cybercriminals target industries where they believe basic cybersecurity processes and technology have been slow to arrive.

A ransomware attack on a construction company can prevent them from invoicing, paying bills, potentially executing payroll processes, and bidding on new work.

Preventing Cyberattacks

The following is a list of basic steps that construction companies can take to reduce the risk of a ransomware attack or data breach on their organization.

  1. Patching – Either your IT department or your managed service provider should be aggressively applying patches to your workstations and servers. Patches close vulnerabilities that software publishers discover in their products. The bad guys become aware of these vulnerabilities as soon as a patch is published, and it is a race to see who reaches the vulnerability first: you by patching it, or the attacker before you patch it.
  2. Strong Passwords AND Two-Factor Authentication – One attack the bad guys launch once they are inside your network is to copy the password database (for example, the Windows Active Directory database or a workstation's local account store), which holds the hashed form of every user's password. Those hashes can then be cracked offline at high speed, so weak or commonly used passwords are recovered in minutes. To mitigate this risk, everyone should use strong, unique passwords (a password manager helps), and this should be augmented wherever possible with two-factor authentication, which makes a recovered password on its own insufficient. Administrative IDs and remote access (VPN, email, remote desktop) should require two-factor authentication at a minimum.
  3. Training/Awareness – – Most ransomware attacks occur because attackers trick employees into clicking on a link or a file, or worse, providing their login credentials through phishing emails. This in turn allows the bad guys to get their malicious software into your network. Employees need to be trained about the do’s & don’ts and the red flags to look for in phishing emails. You should consider testing the effectiveness of your training efforts by executing internal phishing email tests to identify those requiring additional training.
  4. Control Administrative Accounts – A compromised administrative account gives an attacker full and complete control over your systems and network. Limit administrative capabilities to those who need them to perform their job (IT support personnel), and have those people use a separate administrative ID for admin tasks rather than the account they read email with. Business users should not have administrative capabilities on their user ID. Administrative access should always require two-factor authentication.
  5. Encryption – Encrypting data on workstations and servers has never been easier, and it is a cost-effective measure to protect your data from theft if a laptop or drive is lost or stolen. Note that disk encryption protects data at rest; it does not stop ransomware, which runs with the logged-in user's access to the already-decrypted files. Encryption is built into Windows 10 as BitLocker (Pro, Enterprise and Education editions).
  6. Quality Data Backup – In the event you are impacted by a ransomware attack, you are essentially faced with two options to get your systems back online. The first is to pay the ransom and hope the attackers actually provide working decryption keys. The second is to rebuild your systems from scratch and restore the data from backups. Your backups should follow the 3-2-1 strategy: keep three copies of your data, on two different types of media, with at least one copy off-site. Because ransomware operators deliberately seek out and encrypt or delete backups before triggering the attack, at least one copy should also be immutable (cannot be changed or deleted until a retention period expires) or offline/air-gapped (not reachable from the production network). Test restores regularly; a backup that has never been restored is an assumption, not a recovery plan.
  7. Access Controls – By limiting “who can do what” in your systems, you reduce the damage a compromised account can do and the risk of a data breach. Role-based access control features exist within virtually all application systems; review who holds each role at least annually and whenever staff change roles or leave.
  8. Next Generation Anti-Virus Software – Most organizations run standard anti-virus software (e.g., Windows Defender) on their workstations and servers. An added detection layer is a next-generation anti-virus or endpoint detection and response (EDR) tool (e.g., Carbon Black). While traditional anti-virus looks for known virus “signatures” that are updated periodically, next-generation tools watch the behavior of your machines (workstations/servers) for anomalous activity within the operating system (e.g., a system file spawning a process at an abnormal time, or a user process suddenly encrypting large numbers of files). This helps detect “zero-day” attacks, meaning malware the anti-virus vendors are not yet aware of.
  9. Monitoring – – You need to be monitoring your various logs, audit files, etc. on a regular basis. If you try to do this internally, it is very manual and time intensive and frankly, not effective. It is recommended that you engage a third party who specializes in monitoring networks for security events. They have the people, processes, and technology to detect potential breaches or attacks and take actions to contain and eradicate those attacks.
  10. Cyber-Insurance – – Given the significant increase in ransomware attacks in the construction industry, companies are encouraged to insure their operations against a cyberattack. Many of the items discussed in this article will be requirements of several cyber-insurance carriers.
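Several of the items above can be checked on a Windows 10 machine in a few lines. The following is an added example, not part of the original article and not a Blue & Co tool: a read-only baseline check covering items 1 (patching), 4 (administrative accounts), 5 (encryption) and 8 (anti-virus). It uses only built-in Windows cmdlets. The 30-day patch threshold, the 3-day signature-age threshold and the list of expected administrators are assumptions stated in the script; adjust them to your own policy. Run it in an elevated PowerShell 5.1 session.

```powershell
# Added example (not from the original article): baseline check of four items
# from the list above on a single Windows 10 workstation or server.
# Thresholds and the expected-admin list below are assumptions; edit to suit.

$MaxPatchAgeDays    = 30                                   # assumed policy
$MaxSignatureAgeDays = 3                                   # assumed policy
$ExpectedAdmins     = @('Administrator', 'Domain Admins')  # assumed policy
$Findings = New-Object System.Collections.Generic.List[string]

# Item 1, Patching: when was the most recent hotfix installed?
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch) {
    $Findings.Add('PATCHING: no installed hotfix recorded on this machine')
} elseif ((New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days -gt $MaxPatchAgeDays) {
    $Findings.Add("PATCHING: last hotfix $($lastPatch.HotFixID) installed $($lastPatch.InstalledOn.ToShortDateString()), older than $MaxPatchAgeDays days")
}

# Item 4, Administrative accounts: who is in the local Administrators group?
$admins = Get-LocalGroupMember -Group 'Administrators' |
          ForEach-Object { $_.Name.Split('\')[-1] }       # strip COMPUTER\ or DOMAIN\ prefix
$unexpected = $admins | Where-Object { $ExpectedAdmins -notcontains $_ }
foreach ($a in $unexpected) {
    $Findings.Add("ADMIN: unexpected member of local Administrators: $a")
}

# Item 5, Encryption: is the system drive protected by BitLocker?
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($bl.ProtectionStatus -ne 'On') {
        $Findings.Add("ENCRYPTION: BitLocker protection on $($env:SystemDrive) is $($bl.ProtectionStatus)")
    }
} else {
    $Findings.Add('ENCRYPTION: BitLocker cmdlets unavailable (Home edition or feature not installed)')
}

# Item 8, Anti-virus: is Microsoft Defender running with current signatures?
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) {
        $Findings.Add('AV: Defender real-time protection is off')
    }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $Findings.Add("AV: Defender signatures are $($mp.AntivirusSignatureAge) days old")
    }
} else {
    $Findings.Add('AV: Defender status cmdlets unavailable (disabled or replaced by another product)')
}

# Report: one line per finding, or a single all-clear line.
if ($Findings.Count -eq 0) {
    Write-Output 'No findings: patching, admin membership, BitLocker and Defender checks passed.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
}
```

The script only reads state; it changes nothing. If a third-party next-generation product has replaced Defender, the final check will report Defender as unavailable rather than the replacement's status, so extend that section with the replacement vendor's own status command.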

If you have any questions about cybersecurity in general, or the items discussed in this article, feel free to contact your Blue & Co representative, or our cybersecurity practice leader, Tom Skoog, at tskoog@blueandco.com.
