Hacked: Construction Contractor E.R. Snell Shares How to Bounce Back from a Cyberattack


Construction projects are large, complicated undertakings. With firms managing multiple projects at once, and dozens of stakeholders collecting, handling and sharing sensitive data, it’s easy to see why the construction industry has become the number one target for ransomware attacks.

This is especially true for contractors that are still using a mix of manual processes, different software solutions and on-premise data storage to run their operations, as cybercriminals often see these firms as ripe for the picking. While modern, cloud-based software solutions and workflows tend to be well protected with the latest data and cybersecurity measures in place, legacy systems and workflows are much harder to safeguard properly, providing plenty of potential opportunities for breaches. 

The consequences of a data breach are far-reaching. In most cases, business disruption leads to a loss of revenue and long-term reputational damage. The cost alone can be crippling, with breaches carrying an average price tag of $4.24 million per incident. Even with an awareness of the problems a cyberattack would create, many construction businesses have the mindset of “that would never happen to us,” until it does.

When The Unthinkable Happens

In September 2020, E.R. Snell Contractor, Inc. learned firsthand that a data breach can happen to any organization. It was a moment Justin Snell, the company’s vice president of technology, will never forget. 

“On the Sunday before Labor Day, we started receiving alerts that our antivirus software was disabled, which was impossible,” said Snell. “As we looked more closely at the network, we could see that files were being encrypted, and by the time we realized what was going on, all of our servers were hacked. The next morning, I was on the phone with the FBI. It was surreal.” 

At the time, 90% of E.R. Snell’s software system was on-premise and 10% was hosted in the cloud. Both the cloud and on-prem servers were backed up daily. “In case of an emergency, we relied on access to these backups to initiate our recovery plan,” said Snell. “Unfortunately, in addition to encrypting our on-prem servers, the hackers deleted almost all of the cloud backups.” 

The hackers were also able to compromise an employee’s email account, place a keylogger on the on-prem mail server and gain administrative access. Through the chat service, the hackers then demanded a ransom payment in bitcoin.

Beefing Up Security

Within 24 hours, E.R. Snell had hired an incident response team and attorney. Luckily, the company was prepared with cybersecurity insurance and able to quickly file a claim. 

E.R. Snell also engaged Trimble Viewpoint to help move its Vista ERP to the cloud and to the connected Trimble Construction One suite of solutions. “The Viewpoint team jumped into action immediately to help,” said Snell. “They understood the severity of the situation and within days were moving data and getting everything set up so we could continue to work. All of our critical services were back up within a week.” 

Multi-factor authentication was also set up on all critical accounts, including email. During these processes, all backups being held for ransom were recovered, giving E.R. Snell the freedom to ignore the ransom demands.

Though E.R. Snell avoided paying the ransom money, it was far from untouched by the attack. Insurance and betterment fees were paid out, in addition to multiple days of lost work. Due to the lack of available software, multiple departments had to turn to manual processes that required excess time and resources. Throughout the three weeks of triage, E.R. Snell hired an outside accounting firm to rebuild five months of data and an outside IT firm to rebuild more than 200 computers. From beginning to end, it took three months to completely rebuild all the missing data.

Snell recalls that 2020 was the first year the company invested in a cyber insurance policy. “I was an advocate for the policy and fortunately, our carrier insisted that we needed it,” he said. “It goes without saying but we will definitely carry cyber insurance going forward.” While cyber insurance is recommended and a much-needed safety net, it won’t prevent cyberattacks. As prime targets, construction organizations need to take other measures to lower the probability of a successful attack.

Leveraging the Cloud to Mitigate Risk

Since its recovery, E.R. Snell has made several companywide adjustments. One of the biggest changes was moving 80% of its systems to the cloud and keeping only 20% on-prem. In hindsight, it’s a change Snell wishes the company made a lot sooner. 

“Trusting our data to Trimble Viewpoint’s Vista in the cloud is an insurance policy in itself,” he said. “It doesn't make our company bulletproof, but it mitigates a lot of the risk. We now have peace of mind knowing that our data is more secure in the cloud with encrypted, user-level permission controls, single sign-on and multi-factor authentication.” 

In addition to moving to the cloud, Snell recommends a written disaster recovery plan that is regularly reviewed and tested. “It doesn’t have to be complicated,” he said. “We conduct an annual in-depth review of our plan but also run monthly and quarterly reviews and DR tests where we simulate all of our servers going down and restore backups.”

Best Practices for Construction Cybersecurity

By planning and investing in proper security, it’s possible to mitigate cybercrime risk. Here are four things construction businesses can do right now to protect against cybercriminals:

1. Stop Taking the Bait: All it takes is one click on the wrong link or attachment for ransomware to download to a computer. Triple-check any email that comes from a strange address or contains unfamiliar URLs or unusual requests.

2. Continuous Training: Build a culture that is constantly aware of data security. Employees should be looking out for threats as they open every email, visit every website and perform any action on their computing devices. Hosting training sessions and showing employees exactly what they should look for is a great step towards avoiding a cyberattack.

3. Passphrases Not Passwords: Breaking employee passwords is one of the most common ways for cybercriminals to access company data. To increase security, it is recommended that employees use an entire phrase when creating a password. Including spaces between a minimum of four words is a great start, but to make it even more complicated, try adding in characters, numbers and case-sensitive words. By lengthening and complicating this form of security, hackers will have a much more difficult time getting through.

4. Multi-Factor Authentication (MFA) on High-Value Assets: Enabling the MFA feature on all assets is ideal, but at minimum, make sure all high-security logins require employees to verify their identities in more than one way.

When a cybersecurity attack occurs, time is of the essence. Cybercriminals are known for attacking companies more than once, especially when they were easy to exploit the first time. Any company that does not have a plan in place is only making the hacker’s job that much easier. 

“Cybercrime is more organized than it’s ever been,” said Snell. “We do all we can to mitigate the risk but it's never going away, and we don't want to be an easy target. Think about a thief walking into a parking lot and checking car doors. He may check 10 car doors and get lucky with one unlocked car. You don't want to be the one that's unlocked. Education and continued investment in cybersecurity are paramount. Looking back at why we were targeted, it makes perfect sense that a construction company may not have the best security protocols in place but today, we do.”