Your Construction Workforce – Your Biggest Cyber Risk and First Line of Defense

With the growth of cyber-related crime at an unprecedented high, it’s clear that no organization is completely immune. Many industries are falling behind in their appreciation of cyber losses. While digitalization is a common feature of boardroom discussions, confusion remains regarding the risks and potentially harmful impact of digitalization and technology, particularly for organizations with lax cybersecurity culture.

Earlier this year, we captured the concerns of 350 construction executives in our Construction Risk Index. The results showed that risks related to digitalization and new technologies are top of mind, with four of the top 10 risks falling into this category. The risk “increased security threat from cyber-attacks and data privacy breaches” was placed ninth for the industry overall, highlighting that cyber loss prevention has become mission-critical for construction companies.

The construction industry is not less at risk or immune to a cyber-related loss compared to other industries

A slower adoption of technology and digital growth means construction is generally perceived as lagging behind other industries in its efficiency of cyber security. However, executives in the Risk Index noted they could no longer afford to be passive about this threat and no one should think that construction is less at risk or immune to a cyber-related loss compared to other industries.

Virtual design capabilities are constantly developing and sensitive data might be at risk if hackers penetrate a network through applications such as building information modeling. Indeed, malicious actors in the cyber space act indiscriminately. The industry must understand that if these actors can observe monetary or intellectual gain via the targeting of their organizations, they must consider themselves viable targets and should prepare to meet this threat accordingly.

The construction industry does, however, pose unique challenges to the cyber question, particularly in recognizing the specific touch points where a risk may present itself. For example, construction companies aren’t just vulnerable to loss of data, but the increasing use of technology in design and modelling leaves open a space for attack, including physical damage to people and property via non-physical attack (i.e., hacking).  The introduction of multi-user platforms accessed by different individuals both within and outside of a construction company poses an additional threat as access points and credentials are more difficult to control.

As business reliance on IT functions grows and advances in technology present organizations with unlimited opportunities for innovation, new dimensions of risk are added with cyber breaches becoming widespread. When developing digital solutions, construction companies must ensure that cybersecurity is given due consideration prior to release of any initiative and isn’t neglected at the expense of a competitive advantage.

Some insurance carriers reported up to 400% increases in ransomware attacks in 2016

Some insurance carriers reported up to 400% increases in ransomware attacks in 2016; these attacks can cripple a network and shut down not only computer networks and design platforms, but in some cases, mobile equipment usage and the ability to meet bid deadlines due to an increasing reliance on network access for completion.

One of the biggest challenges for the construction industry is that it’s heavily decentralized and operates with a large number of stakeholders, making cyber threats from and by employees more difficult to manage. According to Dean Chapman of Willis Towers Watson’s Cyber team “It is my belief that the human will always be the weak point in any cybersecurity chain. A cybersecurity plan can be rendered worthless if the workforce is unaware of and unable to help the organization mitigate cyber threats.”

While most employees in the construction industry don’t sit in front of a computer, those with network access are still creating vulnerability if they’re not sufficiently and regularly trained on cybersecurity.

As found in the Willis Towers Watson 2017 Cyber Risk Survey, 85% of U.S. employers regard cyber security as a top priority at their organization, yet many are not deploying the training, incentives and strategies to create or inspire a cyber-savvy workforce. The informal nature of the construction industry makes this even more challenging.  Further, executives of construction companies can be targets of social engineering schemes whereby unsuspecting victims are fraudulently led to transfer funds to cybercriminals.

Educating employees at all levels of the organization is therefore an essential first step in reducing cyber risk. As the use of technology grows, security awareness training must be included in the cybersecurity strategy, and should focus on helping employees identify, report and mitigate an attack effectively.

Click here for more information on our holistic view of cybersecurity. We look forward to discussing ways companies can foster a culture of awareness and training in future communications.


Learn more about comprehensive cybersecurity from Willis Towers Watson.


William (Bill) Noonan is the Head of North America Construction – Client Engagement and co-leads the National Construction Practice for Willis Towers Watson.

Categories: Construction, Cyber Risk | Tags: , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *