Why your construction firm needs to get serious about cybersecurity

Construction firms face a rising level of cybersecurity risk. But too many firms still don’t have a proper cybersecurity strategy in place, which makes the likelihood of a costly, damaging attack a matter of when, not if.
In fact, in a survey of 308 construction executives for Wipfli’s report on the state of technology within the construction industry, 80% reported experiencing at least one data breach within the past year.
Fortunately, there are proven steps and processes you can implement to strengthen your defenses. Done thoughtfully, a cyber strategy will not only protect your business, data and infrastructure but also give you an opportunity to modernize your systems to meet the changing demands of the industry.
Let’s explore further.
Construction firms face a web of interconnected cybersecurity challenges
Cybersecurity isn’t only a challenge for the construction industry. It’s universal, with businesses across all sectors being regularly targeted by threats like ransomware, email compromise or fraud.
But in some ways, construction is especially vulnerable. The construction business tends to be fairly traditional, with an emphasis on following proven processes rather than chasing new ideas — and that has left firms more exposed than their counterparts in other industries.
Here are some of the major cybersecurity-related challenges construction firms face today:
- Underinvestment: Construction companies have historically underinvested in IT and cybersecurity. Manufacturers, for example, spend 3% to 5% of revenue on IT, while construction typically spends closer to 1% to 2%.
- Large financial transactions: Construction firms buy large amounts of materials and expensive equipment. They also receive large draw payments from their clients. Combined with their historically poor security investments, this makes them lucrative targets for cyberattacks.
- Rising insurance premiums: Insurance providers are now charging construction companies higher cybersecurity insurance premiums because of the higher risk those firms face.
- Cyber requirements in contracts: The Department of Defense and other federal agencies now require construction firms to meet Cybersecurity Maturity Model Certification (CMMC) requirements in order to bid for contracts. Private data center contracts will often have similar rules. National Institute of Standards and Technology (NIST) security requirements are also appearing in many contracts.
- Disconnected systems: As many construction firms still rely heavily on older software and technology, they frequently don’t have integrated, cloud-based systems in place. This usually leads to fragmented, siloed data and a larger footprint for an attack.
- Slowed productivity: Companies using outdated tech systems are often less productive than their peers. From a cyber-specific perspective, consider the impact an attack could have on your ability to conduct day-to-day operations.
- Limited IT talent: Construction firms using legacy tech solutions may struggle to hire skilled IT employees, as talented candidates typically prefer to work for businesses that use the latest tech.
All of these elements either increase the risk of a cyberattack or prevent your business from bidding on certain contracts or otherwise finding opportunities. Fortunately, there is a relatively straightforward solution to this problem.
A holistic approach toward cybersecurity can strengthen your business
In many cases, you’re better off upgrading your cybersecurity and IT infrastructure over one defined upgrade period rather than doing it piecemeal over several years. This holistic approach allows you to modernize your entire tech stack to not only strengthen your cyber defenses but also transition to cloud-based, integrated systems that will help you remain competitive with your peers.
The key to making a holistic upgrade strategy work is creating a roadmap and then following it. Start by doing an IT health and cybersecurity assessment. Work with an advisor to look at tech trends within the construction industry, consider the age of your own systems, identify critical gaps and measure your cybersecurity risk profile via a NIST Cybersecurity Framework (NIST CSF) assessment.
Once you know what needs to be upgraded, put together a budget based on criticality. A full tech upgrade might take over a year, although this can vary depending on your organizational needs, so your budget can help you plan out how to make good use of that time by deciding which systems to upgrade first.
After you have your roadmap in place, you’re ready to implement.
Outsourcing can make it simpler to upgrade your cybersecurity defenses
If upgrading your whole tech stack on your own sounds like a lot to handle, consider outsourcing. The right outsourcing partner can manage most of your cybersecurity and IT needs for you.
Outsourcing is especially useful for construction firms because modern cybersecurity typically requires more resources than a single, in-house IT person can bring to bear. An outsourcing relationship can allow you to access top-tier cybersecurity talent without needing to hire your own larger internal team.
And while every situation is different, outsourcing is often cheaper than building up your internal capacity — and sometimes considerably so.
However, an outsourcing partner can’t do everything for you. You’ll still need to train your own team on how to limit cybersecurity risks by avoiding phishing attempts or other common attacks.
What are the key barriers to change?
Construction leaders who want to spearhead a cybersecurity and IT upgrade may first need to overcome several barriers to change. These include:
- Lack of clarity around risks: Some leaders may not realize just how vulnerable their business is. To create buy-in around an upgrade, you can ask an advisory firm to conduct penetration testing of your existing systems.
- Cultural resistance: Construction firms that still rely heavily on legacy systems and processes may also be culturally resistant to change.
- Confusion around regulatory requirements: Construction isn’t used to being a regulated industry, so many firms may be unaware of, or not fully understand, CMMC or similar requirements.
- Communications: Your internal IT person may struggle to articulate the business case for tech upgrades because they don’t have the knowledge and background.
- Transition or succession complications: An owner who is preparing to exit may see cybersecurity upgrades as something that the next owner can worry about — but should consider that implementing an effective, modern tech stack will actually boost the value of the business in a sale.
What are the benefits of upgrading your cybersecurity and tech?
For construction firms, investing in modern cybersecurity and IT infrastructure, whether as an internal capacity or through outsourcing, carries clear business benefits. Five big areas of interest include:
- Reduced risk of attack: This is obviously a big one. With better defenses and more modern systems in place, you’ll be less likely to experience a major (and majorly expensive) cybersecurity incident.
- DoD contracts: If you meet CMMC requirements, you’ll be able to bid on DoD and other government contracts.
- Data center bids: Strong cybersecurity is also often necessary to compete for complex private sector projects like data centers.
- Competitive advantage: If you get ahead of competitors in upgrading your systems, you’ll be able to move faster, with a lower risk of being slowed by an attack.
- Recruiting: You’ll have an easier time recruiting talented employees who want to work for innovative companies.
Learn more about how construction firms are upgrading their technology
Wipfli interviewed 308 construction executives to find out how firms are deploying technology today. Read the full report, “The state of technology in the construction industry,” to gain fresh insights on cybersecurity, AI, data strategies and growth.
How Wipfli can help
We help construction leaders strengthen their businesses and meet changing industry demands. Ask us to assess your cybersecurity risk profile and explore solutions like outsourcing to modernize your defenses. Learn more here.