Why Are Construction Companies Being Targeted by Hackers?

Outdated systems, invoicing procedures, and staff members who are not familiar with cybersecurity: These are the three main reasons companies in the architecture, engineering, and construction (AEC) industry are being targeted by malicious hackers and cybercrime groups. The types of cybersecurity incidents that AEC companies are dealing with a range from the spectacular to the mundane. Some hackers seek to take control of construction cranes; others breach office networks for identity theft purposes. There is no real common denominator other than the unfortunate reality of hackers being inherently attracted to this sector because they see it as an easy score.

If we look at IT security statistics and reports from recent years, it is clear to see that hackers are increasingly targeting AEC firms and hitting them with phishing, network intrusions, ransomware, remote code execution, and other types of cyberattacks. Money is the motivating factor in the vast majority of these attacks; nonetheless, a small percentage of cybercrime perpetrated against construction businesses is related to hacktivism, sabotage, corporate espionage, and political ideology.

Before we go into more detail about the three aforementioned reasons hackers are going after construction businesses, it should be mentioned that the cybersecurity landscape has changed significantly over the last decade. There was a time when IT security was largely preventive and defensive; these days, however, the threat environment has increased to a point that requires active vigilance and mitigation. What this means is you can no longer install a firewall and antivirus software and call it a day. Business owners should assume that they will get hacked at some point, and there should be contingency and recovery plans in place when this happens.

Hackers See AEC Companies as “Low-Hanging Fruit”

When you think about the traditional ways in which many builders and developers manage their companies, sophisticated cybersecurity is not the first thing that comes to mind. A general contractor in Joliet who runs her company as a family-owned business, for example, will probably not pay too much attention to matters such as updating the server operating system or applying critical patches to software such as Microsoft Office. This GC may still be running an old client/server network in the office because “it just works.”

The reality of the AEC industry is that many companies do not invest in IT security because they are not familiar with it; this is something that hackers know very well, and they will take advantage of it anyway they can. The Joliet GC mentioned above is more likely to worry about managing roofing crews and dealing with building code inspectors than whether hackers can break through a weak firewall, penetrate the office network, and get into the QuickBooks folder where she keeps payroll data and reports. This would be an easy score for hackers who deal in identity theft and credit card fraud.

Invoicing in the AEC Industry

Modern cybercrime crews tend to recruit well-rounded individuals who can bring more than just hacking skills to their nefarious organizations. These “Renaissance Hackers” are more like business analysts in the sense that they conduct research and plan their operations accordingly, which is why they have a pretty good idea about how developers, builders, and contractors work. They know this line of work involves considerable invoicing in terms of accounts payable and accounts receivable; they also know that the parties involved include vendors, suppliers, subcontractors, and partners being paid random amounts on every project.

Phishing, spoofing, and social engineering the most common acts of cybercrime suffered by construction firms. The way hackers are able to deviate payments unnoticed during these attacks prove they know enough about how invoicing works in AEC companies. Hackers routinely pose as vendors, subcontractors, or A/R clerks so that they can fool accountants, project managers, and bookkeepers into transferring funds to a different routing number. In this case, the attack vector may be email, voice calls, text messages, and even an internal chat system. It is not uncommon for the attack to be conducted on a Friday afternoon when employees are getting ready to enjoy the weekend.

AEC Industry Participants and Cybersecurity

The average builder, developer, or general contractor cannot be expected to enjoy the advantage of tech-savvy staff members who happen to know a lot about IT security. AEC industry employees are expected to be well-versed in operating computers and other digital devices, but they may not be familiar with how phishing scams are conducted. These employees may have a lot on their plate and may not have the time to dissect every email to ensure that they are not being phished. They may not know how social engineering works because this is not a subject they reviewed before. How many GC bookkeepers would think an email attachment from a new vendor such as a Microsoft Excel invoice would have malicious intent? Do you think they would know what to do when they received the email?

When it comes to information and network security, education is not something that AEC industry firms can rely on. Employee training on IT security matters can be effective, but only to a certain extent. The problem with the AEC industry workforce is that it is too dynamic; it presents many moving parts and suffers from a high rate of employee turnover. As previously mentioned, hackers are highly aware of this, which is why employee training on its own will not be sufficient; it needs to be complemented with solutions such as compartmentalized security, prevention, active monitoring, and threat mitigation.

Need Help?

Need some help keeping your company safe from hackers? Schedule a call with us to talk about how we can help you with your IT security strategy.

We have helped companies in the construction industry become more efficient than ever. Right now, we’re working with companies that have seen where the security holes are and are able to plug them up before something bad happens to their business.

We can help you create a successful strategy and formulate a roadmap to ease the transition.