Is It Time to Step Up Cybersecurity?
Industry data shares insights into current practices & potential improvements

New technologies for use on construction projects have the potential to help contractors deliver better projects on schedule, on budget and more safely. However, that new technology also brings new risks into the construction industry. 

Like every other major industry across the globe, contractors need to be concerned about cybersecurity, especially as they shift to more data-driven approaches to managing their projects. 

But how prepared is the industry now to deal with a cyberattack? To get a glimpse into this, the fall 2021 issue of the Civil Quarterly, a research-based quarterly report published by Dodge Data & Analytics in partnership with Infotech, Hexagon, Command Alkon and DCW, featured new data on the degree to which civil contractors, engineers and owners are actively engaged in improving their cybersecurity. 

The results reveal some best practices currently in use in the industry, along with a need to bolster the current efforts. 

Attitudes About the Risk of a Cyberattack

There is broad awareness in the industry of the possibility of a cyberattack, with 52% of contractors who consider it possible that their company could be a victim of such an attack, and 24% who consider it likely. However, that leaves an additional 24% of contractors who consider such an attack unlikely. The size of the company in question plays a big role in the degree to which they are concerned. 

Among large companies (those with annual revenues of $50 million or more), only 16% consider such an attack unlikely and 33% feel they are likely to face such attacks. In contrast, nearly half (43%) of small companies (those with annual revenues of under $10 million) consider themselves unlikely to be a victim of such an attack, while only 5% believe an attack is likely.

Part of the challenge is the invisibility of this threat. Many cyberattacks that occur are not publicized, and most of the time companies deal with them quietly. Therefore, this makes it difficult for a company to gauge how many attacks are successfully being perpetrated in the industry — especially if the attack does serious harm to a company.  
This may be leading to a disregard or an underinvestment in the construction industry to prepare for cyberattacks.

In fact, when asked to select the top factors that would encourage them to invest more in their cybersecurity, the highest percentage of contractors by far (52%) said that seeing an increased number of reported attacks on companies like theirs would influence them to make greater investments. See Figure 1 for a more in-depth breakdown of responses.

In addition, in response to a separate question about the top obstacles for greater investment, nearly half (44%) said that they didn’t think the risk to their company warrants further investment.

Another top factor that would encourage one-third of the contractors participating in the study to invest more in cybersecurity is more awareness of how cyberattacks occur on businesses of their size. It is particularly difficult to prepare for an attack if there isn’t enough information about how these attacks are accomplished. All these findings show that the industry needs more information to better understand the level of the threats they face and how best to prepare for them.

Protection from Cyberattacks

The good news is that the study revealed that many contractors already have in place some basic protection from cyberattacks. Security systems are the most adopted method in the industry.

80% of contractors back up their data daily. This is a particularly common practice among midsize (80%) and large (88%) companies but is reported less frequently by small ones (61%). Use of firewalls and anti-malware software is standard practice across the industry, with both adopted by over 90% of all civil contractors and use among small companies nearly at the same level as use by large ones.

Email security software is also widely used, with 85% or more of midsize to large firms using these tools and 73% of small firms doing so. However, large companies are much more likely to respond to the need to make sure their staff does not make them vulnerable to a cyberattack.

This is an area that small and midsize companies need to consider more seriously to improve their defense. 80% of large companies have documented cybersecurity policies, but only 56% of midsize ones and 28% of small ones have them. 65% of large companies engage in cybersecurity training for their staff, but midsize companies (42%) do so less frequently, and such training is rare in small companies (13%). 

 

Insurance policies covering cybersecurity also see a wide disparity by company type, with large companies (58%) more frequently investing in them than midsize (35%) or small companies (28%). However, over half (52%) of those who do not currently have these policies are considering putting them in place in the next few years. 

The study also looked at adoption of several other measures in the industry, including use of multifactor identification, enterprise password managers, mobile device action plans, protected internet of things (IoT) devices and creating an incident response playbook. 

For each of these, use by large companies was far more extensive than among midsize and small companies, and none of them are used by more than half of all the contractors who participated in the study.

The study did suggest one possible resource for expertise on many of these less widely adopted practices. The most used method was employing documented cybersecurity practices (90% of those surveyed). Owners of civil construction projects also indicated the degree to which they use many of these methods, and unlike the contractors, they are widely adopted by owners in this sector.

Take a look at Figure 2 for more on how project owners are handling cybersecurity. Since Dodge research with owners reveals that owners are seeking to increase their digital workflows with contractors, the digital security of those contractors has a direct impact on the degree to which their own organizations are protected against cyber threats.

 

Therefore, sharing their expertise about documented cybersecurity policies, cybersecurity training and a mobile device action plan, among other areas, could help make their organizations more secure, and it would certainly help contractors better prepare for the cyber threats they will face in the future.

The data demonstrates that many contractors take cybersecurity seriously, but that many are also operating with too little information. It suggests that companies should consider making themselves more secure, and perhaps even hiring a potential source of expertise that they can work with to improve their security in the future.