Blueprints for disaster? Protecting information in the construction industry

Dec. 27, 2023
The industry is encountering a critical juncture where advanced technologies are being implemented without parallel advancements in cybersecurity measures.

The construction industry encompasses a diverse array of organizations, each playing distinct roles at various stages of a project. These include design firms, contractors, real estate agencies, and others. Despite their differences, these companies share a common challenge: addressing a range of unique and sometimes overlapping information security threats.

In recent times, the construction sector has been rapidly embracing digitalization. A vital component of this digital transformation is the adoption of Building Information Modeling (BIM) technologies. While large corporations have almost universally adopted BIM, smaller and medium-sized firms are catching up swiftly.

However, this rapid digitalization has not been uniformly accompanied by adequate attention to information security. The industry is encountering a critical juncture where advanced technologies are being implemented without parallel advancements in cybersecurity measures. The lack of focus on security leads to increased cyber incidents, causing financial losses and reputational harm.

Moreover, unlike sectors such as healthcare and banking, the construction industry has largely sidestepped strict data privacy and security regulations. This lack of regulatory pressure has meant that the industry has not been compelled to confront its cybersecurity weaknesses proactively.

A study by IBM Ponemon found that 74% of construction-related organizations are unprepared for cyberattacks. A survey conducted by Forrester found that over 75% of those surveyed from the construction sector reported experiencing a cyber incident within the previous 12 months. This situation underscores the urgent need for heightened awareness and implementation of robust information security measures in the construction industry.

At-Risk Data in Construction Projects

Information leakage is one of the most common cyber threats in the construction industry. The data at risk spans a wide array of information types, each carrying its own set of consequences if compromised.

Marketing information is particularly vulnerable. Consider a report that offers an in-depth analysis of developing a new area, including insider details about upcoming projects like a new metro line or a large children's entertainment complex. These details, if not publicly known, can be extremely valuable. If competitors access such information, it could spark a land battle, driving up prices and diminishing the area's investment appeal.

Technical information is also at risk. Construction projects, especially those using BIM software tools, often require extensive collaboration and consultation. This process generates a wealth of technical data, including libraries of BIM families, templates, knowledge bases, and regulatory documentation. If this information is leaked to competitors, it could lead to the loss of trade secrets and significant financial investment in document creation and consultant fees.

The loss of customer data poses another threat. For instance, if two construction projects targeting the same audience are built close to each other, the leakage of customer information can lead to significant losses.

Finally, the leakage of financial information can have severe consequences, too. Given the construction industry's sensitivity, any information loss can potentially lead to bankruptcy, as well as administrative and criminal liability.

Beyond the risk to competitors, sensitive information about building designs and construction projects could fall into the hands of hackers or terrorists, potentially aiding criminal activities.

There is a common misconception that data breaches primarily affect large corporations. However, the Verizon Data Breach Investigations Report (DBIR) revealed that 43% of cyberattacks targeted small businesses. This statistic underscores the significant challenge smaller organizations face in responding to threats, primarily due to their limited resources available for deployment in the event of an attack.

Construction Industry's Cybersecurity Issues

The construction industry faces a myriad of information security challenges that urgently need addressing. Among these is the escalating threat of sophisticated malware, including crypto miners, ransomware, and spyware. Additionally, there is a growing concern over supply chain attacks, which exploit network and software vulnerabilities and pose a serious risk to the entire IT infrastructure.

A particularly acute problem in construction is the misuse of cloud services for information and file sharing. Often, these services lack proper logging and control over access rights. The absence of role-specific access and targeted information sharing exacerbates this issue. Compromised accounts in computer systems pose a significant risk, especially since many construction sector companies lack an effective password policy.

Furthermore, the use of employee mobile devices introduces additional threats, as these can be easily stolen or infected with spyware.

A fundamental issue is the low level of cyber literacy among employees, particularly those not specialized in information technology. Employees often use the same password across multiple personal and professional accounts and handle sensitive information carelessly. This includes uncontrolled access to information and data transmission to partners without encryption.

The construction industry also faces specific onsite problems, such as unauthorized site access, substance abuse, theft of materials and equipment, and unmonitored equipment use. These incidents not only compromise physical security but also pose a threat to digital information security.

In all, there are around 20 categories of information security threats in the construction sector. These threats encompass the potential alteration, theft, or destruction of sensitive data. Vulnerabilities can arise from various sources, such as Wi-Fi networks, websites, email, and cloud services.

The sources of cyberattacks vary, ranging from external hackers operating remotely to competitors and even those within the organization, known as malicious insiders. This latter group is particularly common and concerning. It involves individuals employed by the company who, while appearing dedicated, may actually be covertly working for another entity or even competitors. Disloyal employees in construction have ample opportunities to transfer confidential information to external parties secretly.

One of the key challenges faced by construction firms, especially small and medium-sized enterprises, is the lack of specialized information security expertise. Many of these companies do not have dedicated cybersecurity personnel or departments.

This vulnerability is often compounded by the absence of even basic protective measures like firewalls. The lack of awareness leads to a misconception that there are no security issues at all. Consequently, security breaches that do occur are frequently not recognized, or if they are detected indirectly, they are not thoroughly investigated, nor are preventive measures planned for future incidents.

Such oversight can lead to serious consequences, like confidential building plans being leaked online or company computers being targeted by ransomware attacks.

Securing Information Effectively

To protect information in such a situation, an integrated approach is needed. A comprehensive strategy combines both organizational and technical measures. Solving even a single problem described above typically requires implementing a variety of solutions. Remember that information security, like any business strategy, should be customized to fit your company's size and the specific risks it might encounter.

Here are some steps to consider for effective protection:

  • Basic Cybersecurity Measures

Again, even basic security measures are sometimes missing. Start, at a minimum, with fundamental protections such as antivirus software and a firewall.

  • DLP System

Set up a Data Loss Prevention system to safeguard against data leaks. This system will monitor potential leak channels like emails, removable media, printing, and sharing files through websites or instant messaging.

  • Network Audit Tools

Introduce a system that tracks changes within the network. This tool will help you track when and what files were accessed, altered, or deleted and, crucially, monitor file access permissions granted to devices, specific employees, and third parties. It will also help spot unauthorized or irregular configuration changes, detect devices that do not comply with standards, and identify failed backups.

  • Cloud Access Security Brokers

Use CASB for monitoring activities in cloud systems. CASBs help to enforce security policies, monitor data traffic, ensure compliance, and detect threats.

  • Secure File Sharing with Virtual Data Rooms

VDRs ensure that attached files are sent to protected storage. Features like document permission levels, multi-factor authentication, encryption, and digital watermarks enhance security and reduce email server load.

  • Mobile Device Protection

Utilize Enterprise Mobility Management (EMM) solutions to encrypt and separate corporate data from personal data on mobile devices, storing it in a secure container.

  • Mandatory Access Control

Implement, where possible, Mandatory Access Control (MAC). It is a security model that restricts access to resources based on fixed security policies. In MAC, access permissions are assigned based on the user's clearance level and the resource's classification.

  • Security Awareness Programs

Focus on improving employee cyber literacy. Use services like simulated phishing tests to identify and educate employees who might inadvertently click on malicious links or open dangerous files.

  • Security Information and Event Management

Employ Security Information and Event Management (SIEM) systems for efficient incident tracking and management.

  • Reliable Backup Strategy

Maintain a robust backup system to safeguard critical data and ensure business continuity. Use the 3-2-1 rule: three total copies of data, two local but on different devices, and one offsite. Ensure backups are automated, encrypted, and tested frequently for integrity.

  • Video Surveillance Integration

Implement modern video surveillance to prevent various onsite violations. This system can be integrated with access control and employee presence monitoring, as well as equipment movement and usage tracking.

  • Cyber Insurance

Consider acquiring cyber insurance to mitigate financial risks associated with data breaches and other cyber incidents.

  • Incident Response and Disaster Recovery

Set procedures to effectively handle and mitigate the negative effects of security breaches. Plan for restoring systems, data, and operations after a catastrophic event.
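The 3-2-1 rule and the backup hygiene points from the Reliable Backup Strategy step can be checked mechanically against an inventory of copies. The following is an added example, not part of the original article; the inventory format, all names and dates, and the 30-day reading of "tested frequently" are assumptions, and the live working copy is counted as one of the three copies.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
MAX_TEST_AGE_DAYS = 30  # assumption: "tested frequently" read as at least monthly

@dataclass(frozen=True)
class Copy:
    name: str
    device: str                       # physical device or storage system
    offsite: bool
    primary: bool = False             # live working copy, not a backup
    automated: bool = False
    encrypted: bool = False
    last_test: Optional[date] = None  # last integrity test, None = never

def audit_321(copies, today):
    """Return a list of findings; an empty list means the set complies."""
    findings = []
    local_devices = {c.device for c in copies if not c.offsite}
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies in total, need 3")
    if len(local_devices) < 2:
        findings.append("local copies do not span 2 different devices")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    for c in (c for c in copies if not c.primary):  # hygiene applies to backups
        for flag in ("automated", "encrypted"):
            if not getattr(c, flag):
                findings.append(f"{c.name}: not {flag}")
        if c.last_test is None:
            findings.append(f"{c.name}: integrity never tested")
        elif (today - c.last_test).days > MAX_TEST_AGE_DAYS:
            findings.append(f"{c.name}: integrity test is stale")
    return findings

# Constructed sample inventories (hypothetical names and dates).
TODAY = date(2024, 1, 15)
GOOD = [
    Copy("bim-live", "fileserver-a", offsite=False, primary=True),
    Copy("bim-nas", "nas-b", False, automated=True, encrypted=True, last_test=date(2024, 1, 5)),
    Copy("bim-vault", "remote-vault", True, automated=True, encrypted=True, last_test=date(2023, 12, 28)),
]
BAD = [  # a second "copy" on the same server, nothing offsite
    Copy("bim-live", "fileserver-a", offsite=False, primary=True),
    Copy("bim-usb", "fileserver-a", offsite=False),
]

if __name__ == "__main__":
    print(audit_321(GOOD, TODAY) or "compliant", audit_321(BAD, TODAY), sep="\n")
```
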

Again, keep in mind that the BIM system is crucial in a construction project, as it is central to all participants, each of whom could potentially be a weak point. Many of the protection steps mentioned above should be applied to BIM protection.
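To make the Mandatory Access Control step concrete for shared BIM data, here is an added example (not from the original article) of a fixed, label-based access decision. It goes beyond the text by adding need-to-know categories and Bell-LaPadula-style read and write rules, one common MAC policy; the level names, participants and resources are all hypothetical.

```python
from dataclasses import dataclass

# Assumed classification ladder; the article does not name specific levels.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # need-to-know compartments

def dominates(a: Label, b: Label) -> bool:
    """True if a's level is at least b's and a covers all of b's categories."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories

def decide(clearance: Label, classification: Label, op: str) -> bool:
    """Fixed policy: read only at or below clearance, write only at or above."""
    if op == "read":
        return dominates(clearance, classification)   # no read up
    if op == "write":
        return dominates(classification, clearance)   # no write down
    return False                                      # unknown operation: deny

# Constructed BIM project participants and resources (hypothetical names).
USERS = {
    "lead_architect": Label("restricted", frozenset({"technical", "financial"})),
    "subcontractor": Label("internal", frozenset({"technical"})),
}
RESOURCES = {
    "site_safety_notice": Label("public"),
    "bim_family_library": Label("internal", frozenset({"technical"})),
    "bid_pricing_model": Label("restricted", frozenset({"financial"})),
}

def check(user: str, resource: str, op: str) -> bool:
    """Decide from labels alone; neither users nor owners can override it."""
    return decide(USERS[user], RESOURCES[resource], op)

if __name__ == "__main__":
    for user in USERS:
        for resource in RESOURCES:
            for op in ("read", "write"):
                verdict = "allow" if check(user, resource, op) else "deny"
                print(f"{user:15} {op:5} {resource:20} {verdict}")
```

The write rule is what stops a highly cleared user from copying restricted pricing data into a public or internal document, which is the leak path the article's insider scenario describes.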

Final Thoughts

While the construction industry is witnessing innovation, it is set apart by a lack of time and expertise to enhance data protection. Responsibility for cybersecurity should be a top priority for organizational leaders.

Engaging external consultants to evaluate risks and develop a robust security system is a practical approach. It is essential to allocate the budget for various security measures and establish dedicated teams to implement and manage them. 

The industry has seen a rise in cybersecurity spending after years of being relatively underfunded. While this increase in investment is a positive development, the most critical factor remains a well-devised risk mitigation strategy to effectively minimize potential threats.

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis. Alex has strong malware removal skills. He writes for numerous tech-related publications, sharing his security experience. He is based in Kyiv City, Ukraine.
