Cyber Risk and the Construction Industry

Posted by Mark Greisiger

A Q&A with Douglas Clare of FICO
A joint effort between FICO and the U.S. Chamber of Commerce, the Assessment of Business Cybersecurity (ABC) offers a benchmark for analyzing the security readiness of American business against cyber attack. When the first quarterly installment was released in late 2018, the construction industry scored highest among the reviewed industries, demonstrating the least amount of cyber risk. We spoke to Douglas Clare, Vice President of Cyber Security Solutions at FICO, about why this industry stands out but also why more can be done to protect it.

What types of cyber risk or threats are facing the construction industry?
From the industry standpoint, it’s actually very similar to the threats and risks everyone else faces: perpetrators out to do damage any way they can, looking for weak points, sending phishing emails so that you will divulge information to allow them into your network. What might be fundamentally different from elsewhere is that this industry is not sitting on piles of consumer data. Unlike retail, banks or healthcare, construction companies don’t hold on to a treasure trove that might be attractive to bad guys. At the same time, there are certainly risks. Malware can be unleashed through innocuous-looking emails, for example. That’s how Petya malware, which rocked healthcare organizations very badly in 2016, was distributed: an executable disguised as a PDF was emailed to HR departments as a job application. This type of threat can easily gain traction in industries where certain operating systems are widely used and thereby exploitable.

With the Internet of Things being adopted more widely in construction management—particularly for the tracking of heavy equipment—we can see the risks for hacking and manipulating dangerous machinery. Another point is that construction also tends to spill into building management and security—the security and camera systems in the physical space, as well as things like the HVAC system in today’s smart buildings, could create gaps that lead to downstream liabilities. The worlds of the digital and the kinetic are colliding, and that creates all sorts of opportunities for problems to occur.

Is this sector any more or less susceptible than others?
Though we actually see less risk, I won’t say that construction is more secure than other industries, but based on an empirical assessment of 2400 organizations across 10 different sectors, I would say that construction is the least risky. I’m not ready to attribute that to higher security measures, but simply that it’s been a less common target because it’s less data rich. If you average out the risk in the other sectors combined, it’s still about half as risky as the rest. This might also change as we see more targeted attacks like Petya, which took down hospitals and healthcare organizations that were all running on the same Windows operating system. Theoretically, construction could be vulnerable to a similar type of attack. What would be useful for people in construction is to take a closer look at cyber security best practices in these other industries and figure out which ones can be adopted to fit their needs. Just because construction has less risk doesn’t mean that companies should be complacent.

How can a customer (or cyber insurer) leverage FICO’s ABC to get a handle on their exposures?
I think it’s useful as a benchmarking tool. We publish statistics and the ABC summary shows the average score of the country across all businesses. It helps industries and businesses assess their own security and whether it’s performing better or worse than average, which could also determine the level of urgency to drop everything and make changes in security processes and procedures. Our goal is really to promote awareness and start these conversations.

Are there any risk trends that FICO has identified (good or bad)?
One thing is that those sectors that have the biggest risk are those typically with the biggest networks, with the most IP addresses exposed to the internet. Construction has less than half the size of the next riskiest sector, which is transportation. The more exposure your sector has to the public, the more risk you’re going to carry.

In summary…
We want to thank Doug Clare for his insights into cyber’s impact on the construction industry. Doug makes some great points, especially about not being complacent given the rise of cyber perils such as ransomware, a threat that does not necessarily discriminate among its targets/victims. Ransomware can result in a significant business interruption and loss exposure. For a construction company, that might be catastrophic given dependence on network availability in order to bid for and win new projects and other data/network-centric business needs. FICO has a long history of providing state-of-the-art threat intelligence solutions to better educate clients, and we thank Doug for his thought leadership here.