The Middle East construction sector is vulnerable to cybercrime, as highlighted by a recent survey by Freshfields, Accuracy and NYU Abu Dhabi. Those at risk need to take steps to enhance cybersecurity preparedness.
Twenty years ago, an international construction company experienced an audacious extortion attempt: pay $50m in ransom or a crane driver would be shot. (Thankfully no one was shot, and no-one paid $50m). Unfortunately, in today’s construction sector, extortion is a more prevalent risk, but the threat comes in the form of cyber-attacks, rather than a sniper rifle. With that in mind, we asked the Middle East construction sector if they were capable of effectively combatting cyber-crimes. The answer: not really.
Freshfields, Accuracy and New York University (Abu Dhabi) recently collaborated on a survey of the Middle East construction sector to evaluate the risks that construction project participants face in relation to cybercrimes and to gauge their level of preparedness. The survey was conducted among senior-ranking respondents, primarily working in large companies in the Middle East region.
In this blog, we summarise the reasons the construction sector is vulnerable to cyber-attacks, offer an overview of our survey’s results and make some recommendations for enhancing cybersecurity preparedness.
Why is construction in the Middle East vulnerable to cyber-attacks?
In our view, the construction sector, particularly in the Middle East, is vulnerable to cyber-attacks for five key reasons:
- Middle East construction projects involve a range of sensitive data, including identity information needed for worker/staff visas, potentially fingerprint or iris recognition data for accessing site, bank details and payment information for the purposes of paying the supply chain, and design details showing access points for the finished asset. In the wrong hands, this data could be used for nefarious purposes.
- There can be long supply chains – right down to small suppliers and installation companies – with sensitive data traversing that supply chain. The systems in place to protect that sensitive data are only as good as the weakest link in the supply chain. It is self-evident that not every supplier in the supply chain will have the same level of cybersecurity. Moreover, asset technology is typically imported and the customer may have limited visibility on the risk of ongoing digital access through the manufacturer.
- As we know, time is money: any delays to completion can have significant financial implications. That creates additional leverage for threat actors who can use cyber-attacks to threaten project chaos to delay completion.
- Compared to many other regions in the world, public funds are often involved in Middle East construction projects – either directly or indirectly. That adds a political dimension that may create different motivations for threat actors.
- Technology adoption is now on the rise in the Middle East construction sector, which creates greater opportunity for threat actors.
Given these reasons, and against the backdrop of IBM’s research that the average cost of a data breach in the Middle East is rapidly rising (with an average cost per data breach of US$8.07m in 2023 covering both direct and indirect costs), it is important that project participants in the Middle East construction sector are sufficiently prepared to combat cyber risks. But are they?
Cybercrime is rising, but protections are not
Our cyber survey showed an increase in cyber-attacks on construction businesses since the COVID-19 pandemic, with 73 per cent of respondents reporting increased cyber-attacks since 2020. However, in the face of rising crime, only half of the survey respondents felt that their companies’ cybersecurity measures were adequate to protect them against cyber risk, and only 13 per cent saw that their businesses made significant efforts to boost cybercrime prevention measures since the pandemic.
Clearly, even large and sophisticated companies feel ill-equipped to handle the growing risk of cyber-crimes. But what kinds of attacks are typically seen in the construction sector?
Types of cybercrime
Cybercrimes are becoming more advanced and include:
- Ransomware: This is one of the most disruptive and costly forms of cybercrime, where cybercriminals encrypt a company’s data and demand payment in exchange for a decryption key and a commitment to not leak stolen data. Studies show that, in 2022, the construction sector was the sector most targeted by ransomware attacks globally.
- Social engineering schemes: This involves cyber-attackers impersonating senior management and key vendors through business email compromise tactics (eg using a fake email that looks like an official email, or, hijacking the vendor’s email or social media accounts). Their goal is to convince victims to transfer funds or provide sensitive information that can be exploited for financial gain.
- Insider threats: This type of attack arises when someone inside an organisation (an ‘insider’) (inadvertently or intentionally) misuses system credentials which were properly authorised for use within an organisation. Insider threats commonly result in company credentials or sensitive data being made available to external threat actors, who use these details to unlawfully access the organisation’s systems and software for criminal purposes. Insider threats are a common way for a company’s sensitive data can fall into the wrong hands.
The diversity of cybercrimes shows that cybersecurity preparation requires multi-faceted consideration.
How can you protect your business from cybercrime?
In short, while there is no easy fix, there are several measures companies can, and should, take to mitigate cybercrime risks.
Investing in cybersecurity measures
Investing in cybersecurity measures requires a cultural shift where senior managers and executives prioritise cybersecurity and dedicate both financial and human resources to protect their assets and operational integrity. This could include:
- collaborating with cybersecurity experts to advise on the evolving cyber threat landscape;
- dedicating enhanced resources to cybersecurity and raising awareness within the organisation;
- mapping data to ensure a clear understanding of where data is located and how systems interface – both information technology and operational technology;
- promoting effective cybersecurity culture through training on best practices; and
- working with legal counsel to identify weaknesses in existing policies and potential. enhancements
Technical controls and legal compliance
This can include:
- deploying effective technical controls including firewalls, intrusion detection and prevention systems, anti-virus software, encryption, and access controls;
- developing robust backup systems (which are regularly tested) to ensure resiliency and continuation of operations in the wake of a ransomware attack;
- classifying data based on sensitivity, including operation, regulatory and reputational risk to the organisation, and implementing appropriate risk-based access controls based on the criticality of particular data;
- establishing incident response plans (and mock incident training) in the unfortunate event of a breach;
- taking measures in the event of a cybersecurity incident to comply with regulatory requirements and effectively engage with stakeholders without compromising legal positions; and
- conducting investigations to identify the cause, extent, and impact of any data breach.
Project participants in the Middle East will remain vulnerable to cyber-attacks and data breaches until the construction sector as a whole builds preparedness capability. A full version of the findings of the survey, as well as the recommendations, can be found in our briefing: Cybercrime and cybersecurity practices in the Middle East construction industry.
Please get in touch with any of the authors or your usual Freshfields contact with any queries. And our technology quotient blog has more insights on cybercrime and protection.
#MiddleEast #SaudiArabia #UAE #construction #cybercrime
