Cybercrime has evolved to the point where companies of all sizes are probed by bad actors regularly for weak points. This situation will likely worsen as artificial intelligence (AI) makes attacks easier to launch, simpler to scale, and harder to block.
Unfortunately, the industry’s response to this growing threat has been somewhat muted. The current threat environment leaves companies little room to delay strengthening their cyber-defenses.
Executives must ensure companies have a well-designed cybercrime strategy in place. Otherwise, businesses will remain exposed to a growing threat that can disrupt operations, cause financial loss, and damage reputation.
The following sections provide an overview of the major cybercrime risks facing middle-market and large companies in the construction industry. They include measures to prevent attacks, limit damage and restore operations.
-
Executive impersonation and payment fraud
Attackers are employing AI to improve existing payment fraud tactics. These efforts go beyond using the tools to create more persuasive phishing emails and fake invoices. Attackers are now using realistic AI-generated audio and video to impersonate executives on calls, then pressuring finance teams to approve fraudulent wire transfers or payments.
-
Identity and privileged access abuse
Cybercriminals often target employee credentials as a way to gain access to company systems. They prefer privileged accounts (e.g., finance team, system administrators, executives) since these accounts allow elevated access to sensitive systems. Attackers can use that access as a beachhead for a broader attack.
-
Ransomware and operational shutdown
A major concern for large companies in construction is the ongoing risk posed by ransomware attacks. Larger companies face sophisticated targeted attacks that combine operational disruption and extortion. Furthermore, many attacks also target backup systems, preventing the company from restoring operations quickly, or at all.
-
Supply chain and vendor compromise
Large companies in the construction industry rely on a wide range of suppliers, including software providers, file-sharing platforms, payroll providers, and project management platforms. Many of these suppliers are tightly integrated with the company’s internal systems. These integrations are convenient. However, a cyberattack on any of these suppliers could provide criminals with a direct path into your company.
What is the best strategy?
Effective cybercrime strategies typically focus on three core areas: strengthening the company against attack, containing attacks that get through, and restoring operations quickly. The following five points outline the key areas of this strategy.
-
Strengthen identity and privileged access
Deploy strong employee authentication mechanisms across your company, such as phishing-resistant multi-factor authentication (e.g., passkeys and smart cards). Take additional precautions for employees who have elevated access or can authorize payments.
Implement a “least privilege” strategy to protect sensitive systems and data. This approach ensures that employees have access to only the systems and information they need for their jobs.
Lastly, payments above a certain value should require the approval of two different employees, neither of whom is the person who submitted the request. Any payment request or invoice that arrives outside of normal channels, or that asks for a change to a vendor’s bank details, must be verified out of band before it is paid, for example by calling the vendor back on a phone number already on file rather than one supplied in the request.
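The approval rules above can be enforced as a simple gate in the payment workflow. The following is an added example written for this page, not code from the original article or from any product it mentions; the threshold, channel names, vendor records and employee IDs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List

# Policy values below are assumptions for this example; set them to your own limits.
DUAL_APPROVAL_THRESHOLD = 25_000.00
NORMAL_CHANNELS = {"ap_portal", "erp_workflow"}  # where legitimate requests are expected to arrive


@dataclass
class Vendor:
    name: str
    bank_account: str    # account captured at onboarding; the only destination payments may use
    callback_phone: str  # number on file from onboarding, never a number supplied in a request


@dataclass
class PaymentRequest:
    vendor: Vendor
    amount: float
    requested_by: str          # employee id of the person submitting the request
    approvals: List[str]       # employee ids recorded as approving
    beneficiary_account: str   # account named on the invoice or in the request
    received_via: str          # e.g. "ap_portal", "email", "phone", "video_call"
    callback_verified: bool = False  # finance phoned vendor.callback_phone and confirmed


def evaluate_payment(req: PaymentRequest) -> List[str]:
    """Return the list of policy violations; an empty list means the payment may be released."""
    problems = []

    # Dual control: the requester can never count as one of the approvers.
    approvers = set(req.approvals) - {req.requested_by}
    required = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(approvers) < required:
        problems.append(
            f"needs {required} approver(s) other than the requester, has {len(approvers)}"
        )

    # Out-of-band verification: anything that did not arrive through the normal channel,
    # or that points at an account other than the one on file, must be confirmed by a
    # callback to the number already on record (not one given in the request).
    unusual_channel = req.received_via not in NORMAL_CHANNELS
    account_mismatch = req.beneficiary_account != req.vendor.bank_account
    if (unusual_channel or account_mismatch) and not req.callback_verified:
        reasons = [r for r, hit in (("unusual channel", unusual_channel),
                                    ("bank details differ from vendor record", account_mismatch)) if hit]
        problems.append(
            f"out-of-band verification required ({', '.join(reasons)}); "
            f"call {req.vendor.name} at {req.vendor.callback_phone}"
        )
    return problems


# Constructed sample vendor and requests for demonstration.
ACME = Vendor("Acme Concrete", bank_account="ACCT-000111", callback_phone="+1-555-0100")


def routine_invoice() -> List[str]:
    """A normal invoice through the AP portal, under the threshold, one independent approver."""
    return evaluate_payment(PaymentRequest(
        vendor=ACME, amount=12_000.00, requested_by="e101", approvals=["e202"],
        beneficiary_account="ACCT-000111", received_via="ap_portal"))


def deepfake_executive_request() -> List[str]:
    """'The CEO' on a video call demands an urgent wire to a new account; the requester
    has added themselves as an approver and nobody has called the vendor back."""
    return evaluate_payment(PaymentRequest(
        vendor=ACME, amount=180_000.00, requested_by="e101", approvals=["e101", "e202"],
        beneficiary_account="ACCT-999888", received_via="video_call"))


def same_request_after_controls() -> List[str]:
    """The same large wire with two independent approvers and a completed callback."""
    return evaluate_payment(PaymentRequest(
        vendor=ACME, amount=180_000.00, requested_by="e101", approvals=["e202", "e303"],
        beneficiary_account="ACCT-999888", received_via="video_call", callback_verified=True))


if __name__ == "__main__":
    for name, fn in [("routine invoice", routine_invoice),
                     ("deepfake executive request", deepfake_executive_request),
                     ("after controls", same_request_after_controls)]:
        print(f"{name}: {fn() or 'release payment'}")
```

The point of the callback rule is that a convincing voice or video on the call changes nothing: the request is confirmed only with a number the company recorded before the request existed, and a changed beneficiary account is treated as a red flag in its own right.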
-
Reduce vendor and software supply chain risk
Attackers often reach their intended targets by first breaching a trusted vendor, such as a payroll vendor, cloud storage provider, or project management system. Your company’s security often depends heavily on your vendors’ security practices.
Carefully evaluate vendors who have access to sensitive information, ideally by reviewing their System and Organization Controls (SOC) 2 Type II report. A SOC 2 Type II report presents an independent auditor’s assessment that a company has implemented effective security controls and that those controls operated effectively over a period of time (a Type I report only covers a single point in time).
-
Harden critical systems and validate controls
Evaluate all essential systems regularly to ensure their software is up to date and remains secure. These systems include email, remote access, file sharing, financial systems, and project management tools. These assessments can uncover potential problems (e.g., weak configurations) before they become a breach.
Consider implementing “default deny” controls, such as application allowlisting. Default deny controls block any action or software that is not explicitly allowed. These controls reduce your company’s attack surface and make it harder for attackers to execute malicious software.
Larger companies can further enhance security by hiring a reputable penetration-testing firm. These firms simulate real-world cyberattacks and are useful for testing critical systems and uncovering vulnerabilities.
-
Improve resilience and recovery
The ability to recover quickly from an incident is just as important as trying to prevent one in the first place. Companies should maintain offline or immutable backups that cannot be reached with the same credentials an attacker would use on the production network, alongside their regular backups. It’s important to test backups regularly by actually restoring them, to confirm that critical data is complete and intact rather than assuming the backup job succeeded.
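A restore test is only meaningful if it compares what comes back against a record made at backup time. The following is an added example written for this page, not code from the original article; it backs up a constructed sample directory to a tar archive with a SHA-256 manifest, restores it to a clean location and reports any file that is missing or altered. The sample files and paths are assumptions.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (as a relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    """Archive src and return the manifest taken at backup time.

    The manifest is also written beside the archive. In practice, keep a copy of it
    with the offline/immutable backup, so a tampered archive cannot rewrite the
    record it will later be checked against.
    """
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract into dest, using tarfile's 'data' filter where the interpreter has it
    (Python 3.12+, backported to later 3.8-3.11 patch releases) to reject archive
    members that would escape dest or set dangerous permissions."""
    dest.mkdir(parents=True, exist_ok=True)
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(dest, **kwargs)


def compare(manifest: dict, restored: Path) -> list:
    """Return discrepancies between the backup-time manifest and a restored tree."""
    actual = build_manifest(restored)
    problems = []
    for rel, expected in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != expected:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual.keys() - manifest.keys():
        problems.append(f"unexpected file in restore: {rel}")
    return sorted(problems)


def verify_backup(archive: Path, manifest: dict, scratch: Path) -> list:
    """Full restore test: extract to a clean scratch directory and compare to the manifest."""
    restore(archive, scratch)
    return compare(manifest, scratch)


def run_demo() -> dict:
    """Constructed sample data: a clean restore passes; a damaged restore is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "projects"
        (src / "site-a").mkdir(parents=True)
        (src / "site-a" / "schedule.csv").write_text("task,start,end\nexcavation,2024-03-01,2024-03-14\n")
        (src / "site-a" / "drawings.txt").write_text("rev 3, approved\n")
        (src / "payroll.txt").write_text("week 12 totals\n")

        archive = tmp / "projects.tar.gz"
        manifest = make_backup(src, archive)

        clean = verify_backup(archive, manifest, tmp / "restore-clean")

        # Simulate a backup that came back damaged: one file silently altered, one lost.
        damaged_dir = tmp / "restore-damaged"
        restore(archive, damaged_dir)
        (damaged_dir / "payroll.txt").write_text("week 12 totals (altered)\n")
        (damaged_dir / "site-a" / "drawings.txt").unlink()
        damaged = compare(manifest, damaged_dir)

    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    results = run_demo()
    print("clean restore:", results["clean"] or "OK")
    print("damaged restore:", results["damaged"])
```

Run the same restore-and-compare step on a schedule against the offline copy, not only the online one, and treat any non-empty result as an incident in its own right: a backup that restores with missing or altered files is exactly the backup that fails during a ransomware recovery.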
Develop a recovery plan that prioritizes essential systems and key personnel. This strategy is an essential component of your company’s overall response plan and enables you to resume operations quickly.
-
Have a company response plan in place
Create a cyberattack response plan that clearly outlines responsibilities. Every role should have predefined action steps, so each team understands what they must do and in what sequence. This plan is essential so that IT, legal, operations, communications, and the executive team know what to do in case of a breach.
The external communications strategy is another essential component of your response plan. Develop a plan for notifying customers, regulators, and, when applicable, investors. Lastly, public companies should be prepared for the U.S. Securities and Exchange Commission’s cyber-incident disclosure requirements, including Item 1.05 of Form 8-K. Companies must file Item 1.05 within four business days of determining that they have experienced a material cybersecurity incident. The disclosure must address the material aspects of the incident’s nature, scope, timing, and impact.