Is your Construction company at risk of a cyberattack?

by Joanie Hollabaugh, Sr. Director of Marketing

Absolutely, yes — it’s ubiquitous!

According to Wikipedia:

In computers and computer networks an attack is any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of an Asset. A cyberattack is any type of offensive maneuver that targets computer information systems, infrastructures, computer networks, or personal computer devices. Depending on context, cyberattacks can be labelled as a cyber campaign, cyberwarfare or cyberterrorism. A cyberattack can be employed by nation-states, individuals, groups, society or organizations. A cyberattack may originate from an anonymous source.

Ledgerwood website under attack

Sadly, I recently informed the Ledgerwoods that it’s no longer a matter of ‘if’ our website would get hacked — but when. We are constantly being crawled by Russian bots, American bots, and random attempts to log into our admin page DAILY. Take into account that the LAI site is considered a ‘brochure site,’ with no shopping cart or credit card transactions, no personal data collection (short of the newsletter sign-up option), and no paid SEO (Google AdWords) to rank up visits (so, relatively low traffic) — yet it’s always under attack from multiple entities.

I receive notices like this every morning (imagine how many attacks “big” websites like Google or Wikipedia would get):

As the marketing director, a major part of my responsibilities includes safeguarding the internet identity and assets of LAI. I monitor the site constantly (via automation plug-ins and third-party contracts) to prevent what seems inevitable. It’s truly a battle against brains far more technical than mine. My advice is to layer your security programs and services to cover every scenario.

How they attack

Via your website

Malware deployed by hackers can hold your website hostage unless you pay a “ransom.” This is a tricky situation, because timing is everything, especially if your site has a user portal or performs financial transactions. (I highly recommend NOT paying it; start planning a strategy for that situation NOW.)

Through personal email

According to CyberArk CMO John Worrall,* phishing emails account for 90% of cyberattacks. These seemingly ‘legit’ emails encourage users to click a link which will either give the attacker access to the recipient’s system or ask for credentials in order to reach personal data or financial accounts.

Now, this phishing ploy seems obvious, until you see a notice from your bank or a major vendor. On a personal note, I recently received an email notice from Wells Fargo (below) that looked 100% authentic. Luckily, my “spidey sense” kicked in, and I didn’t click on it. Later, I remembered that WF is linked to my personal email and not to my work account. I logged into WF and confirmed that my personal email was the single account linked; plus I checked the account numeric string and discovered it was a bogus account number.

To me, this looks EXACTLY like a WF notice. It even has a fraud link! I received the same email the next day, with a different four-number string after the XXXXXXXX’s. Again, it’s not an account of mine. For someone who is more paranoid than cautious about cyber threats, they almost fooled me. Scary stuff! (I did report it to WF’s fraud division.)

Why your small construction company isn’t safe

Cyberattacks don’t happen just at larger construction companies. Small and mid-sized businesses generally don’t have robust security policies or insurance. This makes SMB companies ‘low-hanging fruit’: less effort, with generally better results. Attackers are looking for YOUR proprietary data, including designs, bid info, pricing on materials or equipment, or again, private information on employees.

Ways to combat:

  • Always make sure that your SERVER and HARD DRIVE are BACKED UP
  • Use strong login passwords that mix upper and lowercase with numbers and symbols
  • Caution employees (put it in your handbook or employee manual) NOT to CLICK LINKS in emails unless they are 100% trustworthy
  • Remember to check the actual sending email address, not just the ‘from’ display name. Even though the branding may look authentic, the fraudulent sender’s real address will give it away.
  • Safeguard your website as well:
    • Set up daily scans
    • Add multiple layers of security (settings in your hosting account, plugins, etc.)
    • Have health checks installed and operating
    • Use two-factor verifications for admin level account log-ins
    • Purchase and install an SSL certificate (Google is now blocking sites without them — deeming them ‘unsafe’)
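The advice above to look at the real sending address rather than the branded display name can be turned into a simple check. The following script is an added example for this post, not code used by LAI or any vendor named here; the two messages are constructed samples, the sender domains ending in .example and .net are made up, and the brand-to-domain allowlist is an assumption you would fill in for the vendors your company actually deals with. It parses the From and Reply-To headers the way a mail client would and flags the two tells the post describes: a display name that claims a brand while the address belongs to another domain, and a Reply-To that points somewhere other than the sender.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real e-mail): the display name claims a bank, but
# the actual address and the Reply-To belong to unrelated, made-up domains.
SAMPLE_PHISH = """From: "Wells Fargo Online" <alerts@wf-secure-notice.example>
Reply-To: support@mailer-example.net
To: joanie@example.com
Subject: Unusual activity on account XXXXXXXX1234

Please review the recent activity on your account.
"""

# Constructed sample of a message whose address matches the brand it names.
SAMPLE_LEGIT = """From: "Wells Fargo" <alerts@wellsfargo.com>
To: joanie@example.com
Subject: Your statement is ready

Your statement is available.
"""

# Hypothetical allowlist: a brand word that may appear in a display name,
# mapped to the domains that brand genuinely sends from. Fill this in for
# your own banks and vendors; the entry below is an assumption for the example.
BRAND_DOMAINS = {
    "wells fargo": {"wellsfargo.com"},
}


def domain_of(address):
    """Return the lowercase domain part of an e-mail address, or '' if there is none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def matches_brand_domain(sender_domain, allowed_domains):
    """True if the sender domain is one of the allowed domains or a subdomain of one."""
    return any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed_domains)


def check_sender(raw_message):
    """Return a list of plain-English warnings about the From/Reply-To headers.

    An empty list means neither tell was found; it does not prove the mail is safe.
    """
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    warnings = []

    if not sender_domain:
        warnings.append("From header has no usable address")
        return warnings

    # Tell 1: the display name carries a brand, but the address is not that brand's domain.
    name_lower = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name_lower and not matches_brand_domain(sender_domain, domains):
            warnings.append(
                f"display name claims '{brand}' but address domain is {sender_domain}"
            )

    # Tell 2: replies would go to a different domain than the one that sent the mail.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    if reply_domain and reply_domain != sender_domain:
        warnings.append(
            f"Reply-To domain {reply_domain} differs from From domain {sender_domain}"
        )

    return warnings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_sender(sample) or ["no warnings"])
```

Run it as-is to see the constructed phishing sample produce two warnings and the matching sample produce none. A clean result is only the absence of these two tells; the display name, link targets and the account number in the body still deserve the same scrutiny the post describes.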

Move to the Cloud

This may seem counter-intuitive, as keeping your business identity and assets ‘close to the vest’ may seem safer than putting them “out there.” However, consider that the safeguards cloud-hosting entities put into place will far exceed your spending or your technical understanding and capabilities. Our hosting partner, Swizznet, assures that they have 99.95% network uptime, with “anti-ransomware, cutting-edge technology to secure your cloud hosted accounting service data.” Soon, LAI will be totally on the Swizznet cloud. This is a reputable, trustworthy company which Tony Merry fully vetted before bringing to LAI and Sage — read about it HERE.

Due diligence

Lastly, protect your company with scheduled security audits, and clearly communicated email policies. Use server firewalls, ad blockers, spam filters and other tools that will help to protect your assets. If you don’t have the internal resources, outsource it. Many services charge reasonable monthly fees to monitor your website. I use SiteLock for the LAI website and have been happy with their service and response time.

You can never use too much caution! It’s scary out there…

*Citations and more resources