Protecting progress: construction cybersecurity in Australia

As the traditional construction process connects with transformative digital technologies, robust cybersecurity systems have become crucial for Australian construction operators.

We understand that this added responsibility can be overwhelming, which is why in this article we’ll break down the key aspects of cybersecurity and compliance and what you can do to protect your sensitive data.

Common construction cybersecurity threats

As construction has taken advantage of digitisation technologies, the amount of data collected and shared online has exploded. This is highly attractive to cyber criminals, as they look for entry points to steal sensitive data such as proprietary designs, financial data, and employee records.

According to a 2023 IBM report, the average cost of a data breach in Australia had grown by a whopping 32% in the preceding five years up to AUD$4.03 million. According to the Australian Cyber Security Centre, in the 2020-21 financial year, there were 67,500 cybercrime reports in the construction industry with losses exceeding AUD$33 billion.

Phishing scams make up over 22% of breaches against Australian construction companies. Phishing is acting as a trustworthy entity to extract sensitive information, often via emails. Notably, the Australian Cyber Security Centre issued an alert to all construction companies in 2021 revealing they were being targeted by cybercriminals using business email compromise (BEC) scams, leading to loss of control of bank accounts.

The second most common breaches are ransomware attacks (17%). This is where cybercriminals encrypt critical files and demand hefty ransoms for their release.

Human error is not to be underestimated. An employee untrained in security risks can leave passwords on a sticky note or a malicious insider could leak or sell sensitive data. Both events can have grave consequences.

While all industries are subject to these and other cyber attacks, they affect the construction industry in specific and compounded ways.

The impact of cyberattacks on construction operations

The interconnected nature of construction projects amplifies the impact of security attacks. A successful cyberattack on a construction company can cause delays or permanent disruption to a project. These halts can stretch out to hundreds of days leading to mounting costs.

Companies can be fined millions for inadequate data protection. In addition, the average recovery cost of a data breach is increasing year on year.

Clients, investors, and regulatory bodies alike expect construction firms to uphold rigorous security standards. A breach of trust resulting from a cyber attack can tarnish the reputation of a construction company, leading to lost contracts and diminished market standing.

These impacts are significant, but there is much you can do to protect your construction cybersecurity and building operations.

Strategies for safeguarding sensitive data

Implement robust cybersecurity measures

• Create secure backups of data, both on-site and cloud-based. This allows data to be restored in the event of an attack and enables work to continue uninterrupted.
• Apply strict access controls and user permissions so only authorised personnel can access sensitive data. Use role-based access control (RBAC) for added security.
• Implement data encryption and secure network architecture including firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS). It’s also a good idea to review the security practices of your third-party vendors and contractors who have access to your data and ensure their cybersecurity measures meet your standards.

Build a cybersecurity culture

Construction firms must prioritise employee education and training initiatives to foster a cyber-aware workforce. Regular training should be mandatory for all employees and must include:

• How to identify phishing scams
• Password management
• Safeguarding sensitive information
• Updates on the latest threats

Educate your employees about data security best practices – they are the first line of defence against cyber threats.

Compliance best practices

Develop data protection policies and procedures

Create and regularly update your incident response procedures and policies. Similarly to a fire drill, test what to do in the event of a cyber attack, for example, practice a hypothetical ransomware scenario. Your policies should include a decision-making framework, ransom payment criteria, legal avenues, construction compliance requirements, and if possible, cyber insurance.

Conduct regular compliance audits and assessments

Data protection laws have had to catch up with the fast growth in cybercrime. The Critical Infrastructure Protection Act 2018 was updated in 2022 via the Security Legislation Amendment Bill (SLACI) in response to spiking cyber attacks on Australian infrastructure assets.

This amendment requires owners and operators to regularly review and implement measures for cyber risk management, preparedness, prevention and resilience. Companies taking construction cybersecurity seriously and who want to be eligible for government contracts will ensure adherence.

Ensuring data privacy and confidentiality

Begin with only collecting, using, and disclosing information if you have theperson’s consent to do so. Ask yourself whether you could collect de-identified information instead of personal information or minimise how much detail you need from that person or business. Try to balance your data-gathering needs with your construction compliance responsibilities.

Modern construction cybersecurity for today’s digital risks

A combination of measures is necessary to protect your construction operations. Make it a priority to understand the prevalent threats and their impact, implement safety measures, and embrace compliance best practices.

In addition, use construction management software with robust in-built security features that are up to the challenge of modern construction cyber security risks. Our connected construction management systems have been awarded the Cyber Essentials Plus certification and we keep all your key data points protected in the same place, which is a great incentive to update.

Curious how much smarter and faster your construction company could work?Connect with Trimble Viewpoint and find out!

How much smarter and faster could your construction company work? Connect with Trimble Viewpoint and find out!