Cybersecurity is everywhere in the news today because hackers have been very successful in exploiting human weaknesses across a broad array of industries. Our construction industry appears to be tempted to brush off these early attacks, thinking that our industry is not a prime target. However, any business that is connected to the Internet is a potential victim. The construction industry also contains special vulnerabilities related to the physical makeup of our society that do not exist in other commonly recognized target industries, such as the financial or healthcare sectors. In the construction industry, ignorance can hamper a construction company's well-being and its operational security.
Construction executives should be paying attention to and learning from those who have already experienced a major cyberattack. For instance, an owner's plans, specifications and virtual construction data present an easy target. Take, for example, the virtual construction needs of a large construction project. There is almost unlimited access to a building's physical and security design. In addition, many design and construction software systems – such as BIM, Revit, Procore and Aconex – have remotely accessible controls or Internet-connected capabilities. A hacker with access to this data could wreak havoc not only operationally but also through the physical destruction of data, servers and infrastructure as well as ultimately by threatening the safety of individuals on-site.
Even if an attacker has no intention of causing physical harm, he or she may be interested in obtaining valuable corporate data, such as intellectual property, trade secrets or any other data that could be used for competitive advantage. Furthermore, even in instances where hackers have no interest in your company's data whatsoever, they may nevertheless capitalize on human weaknesses in your system as a jumping-off point for other data systems. This is especially true for contractors, who may offer unanticipated avenues to other targets, and is even more pertinent for those in the government contracting space, as they may have access to sensitive government information or capabilities.
Also, construction companies house significant amounts of sensitive employee information, making them a path of least resistance for those looking for a simpler target. Attackers do not care where they get their information. They only care that they get it, and they are patient. A recent survey showed that cyber-attackers went undetected for an average of 243 days.
Moreover, even those construction businesses that do recognize the threat to the industry may be inclined to think that cybersecurity is solely an IT issue. However, preparing for – and responding to – a cyber-incident falls on the shoulders of many more than just IT or information security professionals. In fact, a successful incident response team consists of a multitude of cross-functional representatives in addition to IT and information security, such as legal, compliance, privacy, public relations, government affairs, audit, ethics, and business lines.
No matter how secure or resilient a company's system may be, perfect security does not exist. As many cybersecurity experts profess, "it is not a matter of if but when." Thus, against the backdrop of the inevitable, the time to prepare for a cyber-incident is not while an attack is ongoing. A critical aspect of cybersecurity is preparedness.
Below are some baseline steps members of the construction industry should be taking to ensure cyber-incident preparedness:
As discussed, there is no such thing as perfect security, and the construction industry is equally not immune to a cyberattack. Thus, it is imperative that companies begin to prepare for a cyber-event before an incident actually occurs to ensure a streamlined and coordinated response process and minimize the subsequent aftermath.
While the above principles serve as a baseline for cybersecurity preparedness, a sound information security and incident response program requires skilled, intensive attention and analysis. Holland & Knight's Construction Industry Practice Group as well as our Data Privacy and Security Team have the combined experience to assist companies with cybersecurity incident preparedness, including reviews and analyses of policies and procedures, conducting cyber-exercises, and providing vendor management services. For further information regarding these services, please contact the authors of this article.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.