Dive Brief:
- Skanska has announced that it will work with a third-party provider to help streamline and automate its cybersecurity efforts.
- The global construction and development company will use the PenTera automated penetration testing platform by Pcysys to analyze and prioritize its cyber defense vulnerabilities. The software mimics a hacker's mindset and performs continuous machine-based penetration tests that improve a company's immunity against attacks, according to a press release.
- While some large construction firms oversee in-house monitoring of cyberthreats, the use of an outside vendor makes sense for many, according to Johann Dettweiler, director of operations for Fairfax, Virginia-based compliance management firm TalaTek. "Most construction firms are so focused on the bottom line and the physical deliverables that many aren’t even aware of the various types of sensitive data they possess," he said.
Dive Insight:
Because construction managers must oversee many physical assets, from materials and vehicles to personnel, something as nonsubstantive as data can easily be overlooked as an asset to protect, Dettweiler told Construction Dive. However, data such as employee social security numbers, building plans or construction time frames is easily exploitable and can have serious legal and/or financial ramifications for an organization.
In addition, the cybersecurity realm is highly complex with many legal and regulatory requirements, Dettweiler noted.
"Working with cybersecurity professionals can make navigating this realm much simpler and help to free up leaders and decision-makers to focus on the profitability of the company and doing what they do best — construction," he said.
Another challenge is that construction companies, particularly smaller ones, do not see themselves as targets, attorney Michelle Schaap told Construction Dive. As such, they may not invest in appropriate security and data protection measures.
"Those companies may be operating older versions of software tools, which may no longer be supported by the vendor, or for which patches have not properly been managed," said Schaap, who leads the cybersecurity practice at Chiesa Shahinian & Giantomasi.
Small subcontractors that work on large corporate or public projects are particularly vulnerable, she said, noting that the 2013 Target breach, which compromised the retailer's POS system, came through an HVAC vendor. Target later settled the breach for $18.5 million, which is just a fraction of the $202 million the company says was generated by the incident, in which hackers stole a reported 40 million customer credit card numbers.
Schaap cautioned that vendor lists for large projects like the Target job can often be easily found online.
"An industrious bad actor can do its research and hunt for the weakest link in the project," she said.