

7 cybersecurity non-negotiables for construction companies

Jun 21, 2021

Construction companies make good targets for cybercriminals.

They regularly make large and frequent transactions. Their network perimeter is larger because employees work from many different job sites, which expands the attack surface. And there is no set of outside regulations guiding their cybersecurity practices the way there is for financial institutions and healthcare entities, so many construction companies have less mature controls and are easier targets for everything from ransomware to fraudulent wire transfers and accounts payable fraud.

What’s pushing cybersecurity in construction

In the past, cybersecurity was considered an IT issue. Now, cybersecurity is national news on a daily basis. Most recently, the Colonial Pipeline ransomware attack led to a six-day shutdown of the pipeline, disrupted the gas supply chain in the southeast, spiked gas prices nationally and led to the company paying a $4.4 million ransom to get back up and running. Construction executives are seeing huge data breaches make the news and realizing this is a business risk they must manage.

Then there’s the Department of Defense (DoD). To bid on and win DoD contracts, construction companies now must achieve Cybersecurity Maturity Model Certification (CMMC), which requires an assessment proving they have a strict set of security controls in place.

Lastly, you have insurance companies. They’re the ones paying out millions in claims to cover ransoms, legal costs, forensic investigations, etc. Now, they’re putting stricter requirements in place for businesses looking to acquire cyber insurance. If you don’t have proper controls in place, you might not even be able to get coverage in the first place. And one cyberattack could devastate a business without insurance. 

7 cybersecurity tips for construction executives

So, what are the things that you can do to protect your business and yourself? We’ve put together seven cybersecurity non-negotiables: 

1. Implement multifactor authentication for remote access and cloud-based services

Passwords are easy to crack, especially when people reuse passwords across accounts and create easy-to-guess passwords. Requiring a second method of authentication, aka multifactor authentication (MFA), reduces that risk significantly. One popular form of MFA is receiving a code texted to your mobile device in order to log into your email account on your laptop. Texted codes are far better than a password alone, but they can be intercepted through SIM swapping or captured by a phishing page that relays them in real time; an authenticator app or a hardware security key is stronger, so prefer those where the service supports them.

2. Train employees regularly

People are the weakest link in security. Human error or negligence is a factor in roughly nine out of ten data breaches. Employees get duped into providing login credentials through social engineering, send a wire transfer or buy gift cards based on an email that appears to come from the CEO, or leave an unencrypted laptop in a car where it gets stolen.

Companies spend a lot of money on tools and technology to safeguard their IT, but you also need to allocate resources to training your employees on cybersecurity best practices, what scams are out there and how to avoid falling for them. Make sure that everyone in your organization knows to perform an “out-of-band” verification for changes to payment instructions, wire transfers, W-2 requests and bid information: call the requester back at a phone number already on file, never at a number supplied in the request itself.

3. Perform regular vulnerability assessments and penetration testing to identify weaknesses

You need to understand where you’re vulnerable before you can address it. At Wipfli, we are hired to perform “red team” exercises that simulate a real-world attack. When we show executive leadership how we were able to compromise their network to gain access to client or employee data, financial records or trade secret information, it’s far more powerful than simply giving them a technical report showing how many patches were missing on servers.

4. Implement real-time detection and response

Implementing real-time detection and response capabilities helps you identify indicators of compromise early. This includes advanced endpoint protection that looks for applications behaving like ransomware, and monitoring of identity activity to spot unusual behavior, such as “impossible travel” logins to your Office 365 accounts, where the same account signs in from two locations too far apart for the user to have moved between them in the elapsed time.

Recently, we identified that one of our clients’ Office 365 accounts was logged into from Hungary shortly after a login from Wisconsin. We were able to detect that quickly, have the employee reset their password, and now they are implementing MFA and blocking IP addresses outside of the U.S. Geo-blocking is worth doing, but treat it as defense in depth rather than a control on its own: attackers routinely route through U.S.-based VPNs and proxies, so MFA and login monitoring still have to carry the weight.
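The “impossible travel” check described above, worked through as an added example (this is illustrative code written for this article, not Wipfli’s detection tooling or Microsoft’s). It assumes a simplified sign-in record of timestamp, user, source IP, country and coordinates; real Microsoft 365 sign-in logs carry location fields, and an IP-geolocation database would normally supply the latitude and longitude. The sample events are constructed and mirror the Wisconsin-then-Hungary case.

```python
"""Impossible-travel detection over constructed Office 365-style sign-in records.

Added example, not Wipfli's tooling. The record layout and the embedded
coordinates are assumptions; in production the coordinates would come from
an IP-geolocation lookup on the sign-in's source address.
"""
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not real data).
# Fields: timestamp (UTC), user, source IP, country, latitude, longitude
SAMPLE_SIGNINS = [
    ("2021-06-01T13:02:10Z", "jdoe@example.com",   "203.0.113.10", "US", 43.07, -89.40),  # Madison, WI
    ("2021-06-01T13:41:55Z", "jdoe@example.com",   "198.51.100.7", "HU", 47.50,  19.04),  # Budapest
    ("2021-06-01T14:10:00Z", "asmith@example.com", "203.0.113.22", "US", 44.95, -93.09),  # St. Paul, MN
    ("2021-06-01T19:10:00Z", "asmith@example.com", "203.0.113.23", "US", 41.88, -87.63),  # Chicago, IL
]

EARTH_RADIUS_KM = 6371.0
# Anything faster than a commercial airliner is treated as impossible.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the ISO-8601 'Z' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per pair of consecutive sign-ins by the same user
    whose implied ground speed exceeds max_kmh."""
    by_user = {}
    for ts, user, ip, country, lat, lon in signins:
        by_user.setdefault(user, []).append((parse_ts(ts), ip, country, lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])  # chronological order per user
        for prev, cur in zip(events, events[1:]):
            hours = (cur[0] - prev[0]).total_seconds() / 3600.0
            dist_km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            if hours <= 0:
                # Simultaneous sign-ins from different places are impossible;
                # from the same place they are just a duplicate event.
                speed = math.inf if dist_km > 0 else 0.0
            else:
                speed = dist_km / hours
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev[1], "from_country": prev[2],
                    "to_ip": cur[1], "to_country": cur[2],
                    "minutes_apart": round(hours * 60, 1),
                    "distance_km": round(dist_km, 1),
                    "speed_kmh": round(speed, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_SIGNINS):
        print("IMPOSSIBLE TRAVEL:", alert)
```

The St. Paul-to-Chicago pair is about 560 km over five hours (roughly 110 km/h) and passes; the Madison-to-Budapest pair is about 7,700 km in forty minutes and is flagged. In practice you would tune the threshold, ignore known VPN egress ranges and feed the alert into a playbook that forces a password reset and revokes active sessions, as the case above did.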

5. Ensure proper vulnerability management

Software vulnerabilities are discovered frequently, so keep software current and apply security patches quickly, before those vulnerabilities can be exploited. Prioritize internet-facing systems (VPN appliances, email, remote desktop) and flaws that are known to be exploited in the wild, and make sure someone owns the job of confirming that patches actually landed rather than assuming they did.

6. Test your backup and recovery plans

It’s important to ensure you have the ability to restore data in the event of an attack like ransomware. That means backing up your systems at least once a day, if not hourly, and keeping at least one copy offline or otherwise immutable, since modern ransomware deliberately seeks out and encrypts or deletes reachable backups. It also means testing your backup capabilities. If you don’t test them, you can’t be sure they work properly. For example, if you back up your data to Microsoft Azure, take that data in Azure, rebuild it on another server and then test from a user perspective that you are able to access it and that it’s functional.
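One concrete way to make the restore test above repeatable, as an added example (not Wipfli’s procedure or any vendor’s tooling): record a manifest of file hashes when the backup is taken, then verify the restored copy against it so that missing, corrupted and unexpected files are reported rather than discovered by a user later. The files and directory layout here are constructed in a temporary directory so the example runs offline; the function names are assumptions made for this illustration.

```python
"""Backup manifest and restore verification (added example, not the article's tooling).

Hashes every file under a source tree at backup time, then compares a
restored tree against that manifest.  Everything below uses a temporary
directory with constructed files so it runs stand-alone.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    corrupted = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    ok_count = len(manifest) - len(missing) - len(corrupted)
    return {
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "ok_count": ok_count,
        "passed": not missing and not corrupted,
    }


def demo() -> dict:
    """Build a constructed source tree, 'restore' it with two faults injected, verify."""
    with tempfile.TemporaryDirectory() as td:
        src = Path(td) / "source"
        (src / "plans").mkdir(parents=True)
        (src / "ledger.csv").write_text("job,amount\nA-100,25000\n")          # constructed
        (src / "plans" / "site-a.pdf").write_bytes(b"%PDF-1.4 constructed")  # constructed
        (src / "contacts.txt").write_text("vendor@example.com\n")            # constructed

        manifest = build_manifest(src)

        # Simulate a restore to another server, then two realistic failures:
        # one file silently corrupted, one file never restored.
        restored = Path(td) / "restored"
        shutil.copytree(src, restored)
        (restored / "ledger.csv").write_bytes(b"\x00" * 16)
        (restored / "plans" / "site-a.pdf").unlink()

        return verify_restore(manifest, restored)


if __name__ == "__main__":
    result = demo()
    print("restore passed" if result["passed"] else f"restore FAILED: {result}")
```

The manifest should be stored separately from the backup it describes (and ideally signed), because a backup that can rewrite its own manifest proves nothing. Hash verification tells you the bytes came back; the user-perspective test the article describes, opening the application and confirming it works, is still the final step.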

7. Get appropriate levels of cyber coverage 

Years ago, it was difficult to talk people into buying cyber insurance. The rates were cheap and the amount of loss was low. Because it was a relatively new product, there was little uniformity in coverage or in the underwriting process.

Now, insurance companies are tired of writing big checks for losses, especially for ransomware. Premiums are going up even if you haven’t had a loss, and underwriting scrutiny and risk rating will continue to tighten. When losses happen, insurers look for inconsistencies between what was disclosed on the application and what was actually in place in order to deny claims, and some now require specific controls (such as MFA and endpoint detection and response) as a condition of coverage.

Have a conversation with your insurance agent to understand the coverage that you have as well as any gaps in that coverage. Talk with them about specific examples: Does insurance cover ransom payments? Does it provide ongoing monitoring if your customers’ data was impacted? Does it cover costs related to business interruption? Do you have coverage for losses associated with fraudulent wire transfers related to social engineering? Do you need to use certain vendors on your panel? Can you add key vendors? Are there specific controls that need to be in place to qualify for coverage?

Wipfli can help implement cybersecurity best practices

The cybersecurity threat landscape continues to expand, and both nation-state actors and organized crime groups are real threats to businesses. Construction companies need to protect themselves by building resilience.

Wipfli can help. From performing vulnerability assessments and penetration testing, to implementing real-time detection and response, to testing your backup and recovery plans, our cybersecurity specialists have seen it all and know how to protect your business. Let us identify and close your security gaps so you can greatly reduce the chances of a data breach. Learn more about our cybersecurity services.



Jeff Olejnik