Cyber Risks in the Construction Industry
The construction industry in Australia, like many sectors, has undergone significant digital transformation. With this shift comes an increase in cyber risk exposures. The industry’s increasing reliance on technology for project management, communication, and operational efficiency creates numerous vulnerabilities that can be exploited by cybercriminals. Understanding these risks and learning from recent incidents is crucial for mitigating potential damages and ensuring the industry’s resilience against cyber threats.
Main Cyber Risk Exposures
1. Data Breaches and Theft:
+ Sensitive Information: Construction firms handle a vast amount of sensitive data, including personal information of employees, financial records and project plans. Unauthorised access to this data can lead to identity theft, financial loss, and reputational damage.
+ Insider Threats: Employees or contractors with access to sensitive data might intentionally or unintentionally cause data breaches. Lack of proper access controls can exacerbate this risk.
2. Ransomware Attacks:
+ Operational Disruption: Ransomware can encrypt critical project files and halt operations, leading to project delays and financial losses. Construction timelines are often strict, and any delay can have significant repercussions.
+ Financial Extortion: Paying a ransom to regain access to data does not guarantee that the data will be fully restored. There are also significant impacts if you are found to have paid a ransom to an entity listed on sanctions lists.
3. Phishing and Social Engineering Leading to Significant Financial Loss:
+ Credential Theft: Phishing attacks can trick employees into revealing login details, which can be used to access company systems and sensitive data.
+ Business Email Compromise (BEC): Fraudulent emails that appear to come from trusted sources can result in unauthorised financial transactions or the sharing of confidential information.
+ Misdirected funds and financial loss: Fraudulent emails associated with a BEC or another type of systems breach frequently deceive businesses into sending large sums of money to fraudulent bank accounts. Increasingly, we have seen criminals breach a director’s mailbox and use this access to send internal emails to accounts staff requesting that fraudulent invoices be paid. The construction industry is often targeted because of the large amount of money that flows between businesses, individuals and suppliers.
4. Supply Chain Vulnerabilities:
+ Third-Party Risks: Construction projects involve numerous third-party suppliers and contractors. A cyber-attack on any party within the supply chain can compromise the entire project’s security.
+ Integration Issues: Different systems used by various stakeholders may have integration vulnerabilities that can be targeted by cybercriminals.
5. Internet of Things (IoT) and Operational Technology (OT) Risks:
+ Connected Devices: The use of IoT devices on construction sites for monitoring and control purposes increases the attack surface. These devices often lack robust security measures, leaving them vulnerable to a cyber-attack.
+ Industrial Control Systems (ICS): ICS used in construction for managing critical functions can be targeted to disrupt operations or cause physical damage.
Claims Examples
1. Design & Fitout Specialist
In 2024, the accountant of a design & fitout specialist suffered a breach which allowed an unauthorised third party to access the Insured’s accounts payable system and change supplier bank account details. As a result, the Insured processed two payments totalling $106,000 to fraudulent bank accounts. Because two weeks passed before the Insured realised that the incident had occurred, only one of the transactions could be recovered. Their Cyber Insurance responded for Incident Response, Forensic Investigation, Legal and regulatory assistance and also the Funds recovery. Total claim $150,000.
2. Waterproofer
In 2023, a waterproofer was alerted by a supplier that it had received suspicious emails from the Insured requesting their bank account payment details be updated. The Insured notified Clyde & Co and the Incident Response kicked in to investigate the potential unauthorised access to the Insured’s system. It was discovered that the Insured had initially interacted with a phishing email, which granted an unauthorised third party access to one of the Insured’s mailboxes. The mailbox was then used to try to trick suppliers into changing the Insured’s bank details. Luckily, no suppliers acted on the change of details request. Their Cyber Insurance responded for Incident Response, Forensic Investigation, Data review and Privacy advice. Total claim $30,000.
Risk Mitigation Strategies
1. Invest in Employee Training:
Educating employees about cybersecurity best practices, such as identifying phishing scams and maintaining strong passwords, can significantly reduce the risk of successful cyber-attacks.
2. Double down on call back verification:
As part of your employee training, ensure that all accounts staff know to contact the supplier by phone for any new supplier invoices or any change in bank details. Also ensure staff know to apply the same rigour to internal emails – for example, to contact the boss/management before actioning an email from them requesting payment be made to a supplier (as well as verifying the supplier). Put this policy in writing and educate staff.
3. Implement Multi-Factor Authentication (MFA):
MFA adds an extra layer of security by requiring users to provide multiple forms of identification before accessing sensitive systems or data.
4. Backup Data Regularly:
Regularly backing up critical data to secure offsite locations can mitigate the impact of ransomware attacks or data breaches by enabling quick data recovery.
5. Secure Supply Chain Relationships:
Collaborate with suppliers and partners to ensure they adhere to robust cybersecurity practices and regularly assess the security of third-party vendors.
6. Stay Updated on Cyber Threats:
Continuously monitor emerging cyber threats and trends to proactively identify and address potential vulnerabilities within your business.
The construction industry in Australia is increasingly becoming a target for cyber-attacks due to its reliance on digital technologies, the valuable data it holds and the large sums of money that circulate the industry. By understanding the main cyber risk exposures and learning from recent incidents, construction companies can implement effective measures to protect their operations, data, and reputation.
Email. cyber@360uw.com.au Tel. 1800 411 580 Web. 360uw.com.au/cyber
This content is brought to you by 360 Underwriting Solutions Pty Ltd and 360 Financial Lines Pty Ltd (“360”) as a convenience to readers and is not intended to constitute advice (professional or otherwise) or recommendations upon which a reader may rely. Any references to insurance cover are general in nature only and may not suit your particular circumstances. Reference in this content (if any) to any specific commercial product, process, or service, and links from this content to other third-party websites, do not constitute or imply an endorsement or recommendation by 360.