How Safe is Your Construction Data? 5 Attacks to Avoid


You already know how tough it is to complete a construction project on time and on budget. Data is a critical element to your success and can help or hamper your ability to meet deadlines, issue invoices, and get paid.

Ultimately, data is how your company makes informed decisions and maintains a competitive edge.  


To protect this data, you must care about cybersecurity. Otherwise, data loss will become one more obstacle to completing project schedules and budgets, as well as achieving company growth and employee retention.  

When you think of data security in the construction industry, you may tend to focus on mitigating risk and creating backup plans for whatever happens. Cybersecurity has the same focus—create consistent data and workflow backups—to maintain seamless business continuity even when your business experiences a cyberattack. 


Making Cybersecurity a Priority

The UK Government, which requires site cybersecurity and information security plans for many public contracts, set up the National Cyber Security Centre (NCSC), a UK government agency, to work with SMEs (small- and medium-sized enterprises) in all sectors to promote cybersecurity, knowledge, and training.

The organization has discovered construction firms are sensitive to the bad PR surrounding news of being vulnerable to a cyberattack and can be more difficult to engage than other sectors. So, they’re creating a dedicated campaign targeting construction SMEs. 

And, according to Marsh McLennan, a professional services firm in the areas of risk, strategy and people, a 2020 survey by the UK government discovered “only 70% of domestic construction firms thought cybersecurity was a high priority compared to 80% of average businesses.” 

So, construction lags in cybersecurity technology adoption compared to other sectors even though, according to cloud storage service NordLocker, “construction is the industry most targeted by ransomware attacks, and is among the leading impacted by other data security incidents like phishing, wire and electronic fraud, and more.”

Construction Clients Could be the Target   

When it comes to cyberattacks, sometimes the construction company is the target but, sometimes, the real target is a client of the construction company. Malicious actors will hack the construction company to get data about the client. Or the supply chain may be targeted to interfere with construction or to get money.  

According to the UK Government, “the AEC supply chain with its complex network of owners, developers, general contractors, trade contractors, material suppliers, and third-party logistic providers to be quite vulnerable. With data shared across platforms, there is a risk of cyberattack with every new digital connection.” 


War Heightens Cyber Threats

Security concerns were high before 2022. The Cyber Readiness Report for 2021, published by business insurance company Hiscox, shows an increase in cyber threats in 2021 compared to previous years and lists construction as one of the top five targeted industries.

In February of this year, Russia invaded Ukraine, and some countries began supplying Ukraine with weapons. This essentially created a proxy war between the West and Russia fought only on Ukrainian soil and in the digital realm. This had a huge impact on the construction industry.

In March, U.S. President Joe Biden warned his country about digital attacks promoted by Russia. “The magnitude of Russia’s cyber capacity is fairly consequential and it’s coming. One of the tools [Putin’s] most likely to use is cyberattacks. They have a very sophisticated cyber capability. The point is that he has the capability. He hasn’t used it yet, but it’s part of his playbook,” he said to a business roundtable quarterly meeting in Washington, DC.  

Many in the construction industry are turning to the cloud to prevent cyberattacks. With the cloud, data backups occur automatically and vendors can provide the latest data protections.  

The cloud offers you an extra layer of protection. 

According to Norton, the digital security experts, servers are usually located in warehouses that most workers can’t access. All information stored on these servers is encrypted, meaning it is scrambled, making it far harder for cybercriminals to access.

Of course, the best way to avoid cyberattacks and other forms of data loss is knowing how to identify the forms the attacks take and having a standard method for collecting and sharing data.

Knowing how other construction companies experience data loss is one way to stay on alert and put plans in place to avoid becoming a victim. 

Here are the top five ways construction companies experience data loss.

1. Phishing Scam 

Everyone is familiar with receiving an email that claims to be from someone you know but turns out to be from someone else, who is trying to convince you to take an action or reveal information that the party committing the phishing scam can benefit from.

However, phishing scams have become more sophisticated, using channels such as social media, voice messaging (vishing), text messaging (smishing), and even QR codes to bypass the security controls dedicated to email and web traffic and gain data.

These multichannel attacks are proving more successful against victims who haven’t received training in how to guard against them. Smaller subcontractors could be vulnerable if they don’t have a formal training program in place.

This affects everyone from enterprises to individuals.

2. Ransomware

Ransomware is software capable of blocking and/or taking a person’s or company’s data. What separates ransomware from other malicious software (malware) is the ransom the attacker places on the data. If the data owner pays the ransom, the attacker will either unblock access to the victim’s data or not publish it.

According to a report, “Top industries hit by ransomware” published in December 2021 by encryption software firm NordLocker, construction was the top industry hit by ransomware attacks that year. 

Victims range from large multinationals to owner-operators since the premise behind ransomware is to extort money from victims.

3. Account Takeovers 

Account takeovers (ATOs) occur when a malicious actor gets into the digital account of an enterprise (or individual).

It could be your social media, your accounting, or your project management software.

Any software that requires setting up an account can be taken over by an unauthorized user. They can then block legitimate users and take, delete, or change information.

This impacts everyone from large enterprises to individuals. 

4. API Abuse

An application programming interface (API) is the set of protocols used to create and integrate application software. APIs reside between the web server and the application and simplify how new applications get incorporated into existing architecture.

According to Gartner, a company that provides business guidance to executives, the majority of API “surfaces” prone to API attacks are web and mobile applications, API-to-API traffic, and APIs exposed to employees or partners, surprisingly followed by publicly available APIs. 

Gartner also states API traffic has grown by more than 50% during the past two years—more rapidly than the maturity of security controls, which will result in a lot of unmonitored APIs. Also, new styles of APIs and application architecture will create new vulnerabilities. 

This targets businesses of all sizes, including those in the built world.

5. Employee Mishandling 

Employees are a business’s main concern when it comes to data loss and cyberattacks, whether from not properly recording data, not backing up their devices frequently enough, losing a device, inviting malware onto company servers because they don’t recognize it, or getting fooled by a phishing scam. This is true whether you’re a large general contractor or a small roofing firm.

Remote work creates greater vulnerabilities, because information is on multiple servers, some of which are out of the control of the business. This can make it more difficult to verify people’s identities, so people are more likely to fall for phishing scams.

This happens at companies of all sizes.  

When companies experience significant data loss for a long period of time, it can temporarily cripple the business. The average cost of a data breach in the United States is about $9 million. Ensure your data is secure, so your construction business can continue uninterrupted and profitably.  

Take a look at how Asite, a holder of the International Standard Organization (ISO) 27001 security certification, the global gold standard in information security, can help keep your construction project safe. Learn more now.


Nathan Medcalf writes about technology, heavy equipment, and construction for numerous clients and has been published in more than 30 trade publications since 2006.
