web analytics
Home | Columnists | Legal | Legal - Top cybersecurity concerns for the construction industry

Legal - Top cybersecurity concerns for the construction industry

image Denis G. Ducran, Senior Counsel, Peckar & Abramson, Houston, TX

HOUSTON - Modern technology has made many things more convenient, from email in your pocket to looking at who is ringing your doorbell by glancing at your phone. But constant connectivity has also opened us up to attacks and as such, it is more important than ever to be vigilant and prepared. Because the construction industry is not always at the forefront of adopting new forms of technology, particular emphasis must be placed on cybersecurity and data privacy. Below are some of the top concerns for the construction industry related to cybersecurity and data privacy and why ongoing training is essential.

The Internet of Things
    In today’s world, we are hard-pressed to find devices which are not “smart” or connected to the internet. Every time you ask Siri a question or start the car from an app on your phone, you are using the internet. Baby monitors, HVAC systems, home security, smart lightbulbs, the list that makes up the internet of things goes on and on. All of this connectivity is wonderfully convenient, but any time a piece of equipment accesses the internet, it is exposed to hackers. Many people may ask, “what does it matter if hackers gain access to the air conditioner?” Besides the obvious temperature control issues, this can be a point of entry for hackers to gain access to more sensitive computer systems where personal and business information is stored. Many believe that is exactly what happened during Target’s well-publicized data breach. Hackers gained access to Target’s POS system through an HVAC vendor without proper security. As a result, training is essential for contractors and subcontractors who are given access to networks or other portals.

Jobsite Security

    Hackers will always seek the path of least resistance. If the front door is locked why not see if the back door will open? With cyber attacks making headlines many companies have invested money in securing their data and implementing best practices regarding cyber security in the home office. But what about on the jobsite? Construction sites are buzzing with activity and oftentimes have computers or devices that connect to networks at the home office. If devices are left unlocked or someone enters a restricted area undetected they now have access to those systems and the money and time invested in securing the home office was for naught. For this reason, dual-factor security is gaining popularity and highly recommended by IT professionals. This type of security requires a secondary device such as a smart phone to log into a computer.

Phishing/Spear phishing
    While not specific to the construction industry, phishing and spear phishing are major threats that must be protected against. Numerous contractors have been victimized by these scams to the tune of millions of dollars. With potentially hundreds of employees, hackers want Personally Identifiable Information (PII) or access to company information that can, in some way, get them money. With phishing, attackers are looking for information or login info from the target. This will be a more generic email casting a wide net looking for low-hanging fruit. Spear phishing is more targeted. Attackers engage in social engineering, such as looking at LinkedIn or other websites to find out who your colleagues are, potentially spoof their email addresses and mention colleagues in an email, ultimately hoping that you will provide the information they need to access your system or steal personal information that you willingly provide thinking that the attacker is a trusted colleague. Spear phishers go after who they believe are likely to have access to and will provide them the information they need.

    One major cyber security problem many companies face is spoofing – where an email looks like it is coming from a reputable, known source. The email appears to be from a friend, colleague, vendor, etc. when it is actually from a malicious actor. The construction industry deals with many payments from developer to contractor and contractor to subcontractor. Often these are very large sums of money. If an outside actor finds out about a regularly scheduled wire transfer they can send an email shortly before or at the time a payment is due asking the company to change the routing information. At that point, if undetected, the money is being handed to the attacker instead of its intended recipient. This can create substantial financial loss, and in the worst case, causes companies to go out of business.

    Liability in the event of a cyber attack is a major concern in the construction industry. Who is to blame and who should bear any losses? Whether it is the owner/developer, the contractor or the subcontractor the fingers will be pointing. Going even one step further, what will insurance cover in the event of a cyber attack or data breach? It will be very important moving into the future that cyber security and data privacy concerns are worked into contracts so that everything is clear from the outset. With proper training, hopefully liability will not be the ultimate problem, but it is important to consult with an attorney fluent in these issues when drafting and negotiating contracts. Fortunately, many insurance markets have started to offer cyber-insurance products to protect against some of these risks.

Government Requirements
    Anyone working on public projects or government contracts will need to not only be aware of cybersecurity issues to protect public infrastructure, but also will need to understand government requirements related to cybersecurity. Depending on the project, contractors will need to adhere to different standards about cybersecurity and data protection.
    The construction industry faces daily challenges due to the complexities of cyber security, information integrity and data privacy. Increased awareness and ongoing training will assist the construction industry avoid incidents before they occur.
    Denis G. Ducran is Senior Counsel in Peckar & Abramson’s Houston office. A board-certified construction lawyer and registered architect, he focuses primarily on construction industry transactions, litigation, arbitration and risk management. He may be reached at: dducran@pecklaw.com.

Need a Reprint?

Author Info

CN Contributor info@constructionnews.net