I used to build houses. I was pretty good at it, believe it or not. My formative years in the military were squeezed in between years of building, managing and struggling in the construction industry. It’s a hard life, but the pay can be great and there is something to be said about building a physical thing that will be around for a long time. Craftsmanship is a unique trait, and the trades are where some of the most amazing things get built. Perhaps it may be common knowledge that the trades are notoriously averse to the tides of technology, perhaps not. I would argue that for being such a large sector of small businesses, there is a problem with the adoption of technology. According to the Small Business Administration, greater than 10% of all small to medium sized businesses are in the construction sector. Even more astounding is that about 99.9% of all construction companies are considered small to medium sized businesses. So, being conservative with our math, if SMBs make up about 45% of the GDP of the United States, we can assume about 4-5% of GDP comes from this uniquely small construction sector. This is not trivial.

When most people think of cybersecurity or hear about a cyberattack, visions of global banks and Fortune 500 companies come to mind. “Big Tech, Inc. just lost all their user data to an attack; move on, nothing to see.” This is not necessarily wrong, but it leaves a critical factor out of the equation. There is a prevailing mindset that small businesses on Main Street are simply too small to be a target. If 45% of the economy is too small to be a target, I have a bridge in San Francisco for sale. The sad truth is that these small businesses are prime targets for cyberattacks. Maybe not from nation-state actors, but cybercriminals are actively taking advantage of this market segment. Even worse, one of the fastest-growing targets in this target-rich environment is the construction sector.

The construction industry has long been defined by physical risk and hard assets. The rapid digitization of the sector has created a perfect storm enabling cybercriminals to capitalize like never before. This hits home for me. I work with several organizations in the space, helping them get this digital transformation done in a secure and functional way. Their bottom line is my bottom line. For years, risk management has been focused on the job site, and to an extent it still should be. However, the single biggest threat we see today isn’t somebody falling off the scaffolding; it’s a phishing email.

In an already risky industry, there are new hurdles that must be overcome. We have a huge rush towards digitization while simultaneously suffering from cultural lag: the risk profile is exploding. The immense pressure companies feel to get on board with new technologies is creating an inherently insecure situation. There is a “move fast and break stuff” vibe going on, and not on purpose. Insecure deployments, IoT, and new BIM technologies yet to be vetted by industry are all creating a digital attack surface ripe for exploitation, a digital attack surface where one simply did not exist a decade ago. This is a scary new landscape for organizations that still can’t grasp the sensitivity of much of their data. There are tons of PII, confidential data, IP and multi-million-dollar financial transactions. Couple this with the immense operational tempo of the industry and you have a perfect storm ripe for criminals to take advantage of. If you have to shut down operations because of ransomware, this is the industry that is most likely to pay. Time is money.

There is a rapid rise in cybercrime in the construction industry. This is a fact that can no longer be avoided. 60% of small businesses that suffer a cyberattack will fold…disappear, gone forever. In the construction sector alone, data breaches increased 800% between 2019 and 2020. Incident response cases have doubled. There has been an outsized increase in phishing. Business email compromise is easy money for these criminals. Construction is tied with manufacturing as the top target for ransomware. The data is screaming at us to do something. Threat actors have identified the construction industry as a prime target for exploitation and are not waiting for us to catch up. This problem is accelerating; don’t wait to become a statistic. For an industry that so easily manages complex tasks, we should be able to apply that same discipline to this staggering problem.