Dive Brief:
- Contractors have a looming problem — most of the industry isn’t prepared for a cyberattack, according to a new survey from Dodge Construction Network and content security and management company Egnyte.
- Among surveyed AEC firms, 59% say that they have experienced a cybersecurity threat in the last two years, according to a press release. GCs were the hardest hit — 70% have experienced a threat, and 30% have had a ransomware attack since 2021.
- Seventy-two percent of architects, engineers and contractors rate themselves as having a moderate or higher degree of preparation for an attack that would cause them to lose access to documents, according to the anonymous survey. Despite this belief in their preparation, however, 77% said they can’t go more than five days without access to their documentation before they experience serious schedule impacts on their projects. That period pales in comparison to the 24-day duration of an average ransomware attack, according to Statista.
Dive Insight:
Based on the results, “most of the industry is not prepared for a serious cyberattack,” the survey’s authors wrote.
These cyberattacks may not even have the AEC firm as the end goal. Stel Valavanis, the CEO of onShore Security, wrote recently on Construction Dive that contractors often act as the entry point through which hackers can strike at more lucrative targets — a builder’s clients.
“Construction companies may not think of themselves as likely victims, but from the perspective of cybercriminals, they are the weak point in the wall of defenses surrounding these high-value targets — which puts them squarely in the hacker’s crosshairs,” Valavanis wrote.
Preparation is key
Earlier this summer, the Securities and Exchange Commission released new public disclosure rules for cyberattacks, requiring that public companies report on material cybersecurity events and outline the facts of the breach on the SEC’s Form 8-K.
The most common mitigation strategy is to improve internal security procedures, according to the survey. Examples could include keeping and updating unique passwords or having the latest security software installed.
Many other firms create rules around exchanging data, such as creating an information backup, using a secure service and maintaining built-in security measures, but far fewer require or use security compliance certificates.
The report wasn’t all bleak. Firms that do engage in these preventative measures usually have good results, it said.
“Promisingly, most of those who pursue security compliance certificates and improve their internal security procedures find these measures highly effective, suggesting that there are good options for the industry to effectively address these challenges,” the authors wrote.