Dive brief:
- Contractors have a looming problem: Most of the industry is unprepared for a cyberattack, according to a new survey from Dodge Construction Network and content management and security company Egnyte.
- Among AEC companies surveyed, 59% say they have experienced a cybersecurity threat in the past two years, according to a press release. GCs were the most affected: 70% have experienced a threat and 30% have had a ransomware attack since 2021.
- According to the anonymous survey, 72% of architects, engineers and contractors rate themselves as having a moderate or higher degree of preparedness for an attack that would cause them to lose access to documents. Despite this belief in their preparedness, however, 77% said they can’t go more than five days without accessing their documentation before suffering serious schedule impacts on their projects. This period pales in comparison to the 24-day duration of an average ransomware attack, according to Statista.
Diving knowledge:
According to the results, “the majority of the industry is not prepared for a serious cyberattack,” the survey authors wrote.
These cyberattacks may not even have the AEC company as their ultimate target. Stel Valavanis, CEO of onShore Security, recently wrote on Construction Dive that contractors usually act as a point of entry through which hackers can attack more lucrative targets: a builder’s customers.
“Construction companies may not be considered likely victims, but from a cybercriminal’s perspective, they are the weak point in the wall of defenses surrounding these high-value targets, putting them squarely in the crosshairs of hackers,” Valavanis wrote.
Preparation is key
Earlier this summer, the Securities and Exchange Commission published new rules for public disclosure of cyberattacks, requiring public companies to report significant cybersecurity events and describe the facts of the breach on SEC Form 8-K.
The most common mitigation strategy, according to the survey, is to improve internal security procedures, for example by maintaining and updating unique passwords or having the latest security software installed.
Many other companies create rules around data sharing, such as backing up information, using a secure service, and maintaining built-in security measures, but far fewer require or use security compliance certificates.
The report was not entirely bleak. Companies that engage in such preventive measures tend to have good results, the authors said.
“It’s promising: most of those looking for safety compliance certificates and improving their internal security procedures find these measures very effective, suggesting that there are good options for the industry to effectively address these challenges,” the authors wrote.