News - Construction News

Hook, line and sinker – don’t get caught by the phishers

23 Apr 19

It’s a dangerous world for businesses; almost half were hit by a cyber attack last year, and construction companies are increasingly finding themselves in the cross-hairs of the criminals. With complex supply chains consisting of numerous contractors and third-parties, those in the construction sector are often seen as an easy target as there are so many avenues into the corporate network. Government recognised this earlier this year, announcing fines of up to £17M for infrastructure firms that fail to implement adequate security measures.

Every day a myriad of emails are exchanged, forming a complex web of communication between architects, contractors, clients and other stakeholders. And it’s not only the emails that can be a conduit for a successful cyber attack, but phone calls, physical access to facilities, contractor computers with access to networks and poorly managed user accounts. Exploiting these vulnerabilities is known more broadly as social engineering.

The construction industry is particularly susceptible to cyber attacks since its security practices are generally less formal. Historically, the construction industry has adopted new technology at a slower rate than other sectors, leading to vulnerabilities that cyber attackers are beginning to exploit. With an extensive supply chain, too, it’s difficult for the construction industry to consider the potential impact of contractor security on its own networks, which make it a prime target.

Social engineering is all about deception – making a target hand over sensitive information, such as passowrds, physical locations and network identifiers, without realising. Often, all a potential cyber criminal will need is an employee name or user name – but even the technology in use or work schedules can create a potential opening for later exploitation, and since the majority of this information could be seen as being relatively mundane, an employee may be willing to hand this over while on the phone or via email. Security technologies are becoming stronger by the day, so attackers instead hope they can exploit human psychology to persuade individuals to unwittingly give them the data they desire.

In practical terms this usually takes the form of a ‘phishing’ email purporting to be from a trusted party, asking you to either reply with log-in details or visit a website that then asks you to log-in. But in reality the cyber criminal is sitting behind it all, hoovering up the credentials and using them to plan a more substantial attack on the corporate network.

Cyber criminals opt for this tactic because it’s so successful, and pretty easy to do. The FBI believes corporate phishing has become a $5 billion global business. The McAfee Labs Threats Report warns that for every ten phishing emails sent by attackers, at least one will be successful. McAfee presented ten real emails to more than 19,000 people from across the globe and asked them to identify whether they were dangerous or legitimate. It found 80% incorrectly identified least one phishing email.

The reason the success rates are so high is because humans are always the weakest link in the security chain. People make mistakes and humans will always be fallible. These attacks exploit social norms and human nature, including reciprocity, curiosity and pride.

Phishing emails have become more sophisticated. Gone are the days of the ‘Nigerian prince’ scam which was sent en masse to millions and tried to trick people to wiring money to a foreign account. These days the attackers can be targeted; impersonating a colleague or contact and asking a seemingly innocuous task to be carried out. It might be the CEO asking a finance assistant to send an advance to a new supplier, or the head of IT asking for your username and password for the intranet. Cyber criminals are putting in the work to research their targets in order to create very convincing communications. The best can be almost impossible to spot.

For construction companies, once an attacker has picked a target there are a huge number of suppliers and third parties that could be spoofed through a spear phishing email.

The question is, what can be done to effectively defend against these attacks? It’s well worth educating staff about security basics and regularly reminding them of the risks. Sensible advice includes only opening emails you are sure about – if the name is familiar but the content seems unusual, check with them first – and not giving the benefit of doubt to strangers or staff members when they ask for sensitive information. But precautions of this kind alone are not enough to stop breaches occurring.

However, the best advice is to implement defences that either prevent the attack from being successful, or at least minimise the effects. These don’t have to be costly either, with some simple steps that are easy to implement being multi-factor authentication for passwords and device encryption on laptops or mobile phones to protect against access to stolen physical devices. It’s about getting the right security foundations in place rather than spending all of your IT budget on ‘next generation’ solutions that end up doing very little if the basics aren’t spot on.

On a practical level, this also involves ensuring admin rights are removed from all employees. Essentially, this means staff are empowered to do the jobs they need to do but don’t have the ability to access the wider network. Therefore, if they do fall for a phishing scam and have their account or machine compromised, the attacker is then prevented from moving through the corporate infrastructure.

Application control is another measure that can make a big difference. Through this only approved applications can run, so anything malicious that is accidentally downloaded by an employee cannot cause any harm.

Construction companies are more vulnerable to targeted social engineering than many other sectors. However, if you get the foundations of good security in place you’ll be in a much stronger position if staff do slip up.