Organisations in construction and other industries need to carefully manage risk associated with cyber security, a webinar has heard.

Hosted by the Australian Construction Industry Forum (ACIF) along with NBN Co, the 2023 Construction Industry Cyber Security National Webinar examined trends regarding cyber crime along with strategies that organisations can adopt to protect themselves.

Speakers included Nick Sincock, Assistant Director, Cyber & Infrastructure Security Group (SA), Department of Home Affairs; and Paul De Araujo, Security Influence Initiatives Manager at NBN Co.

The session was moderated by Russell Kelly, National Business Engagement Manager at NBN Co.

According to Araujo, risks associated with cyber crime should not be underestimated.

Indeed, in the 2021/22 financial year:

  • 76,500 cybercrime reports were made via the Australian Government’s ReportCyber web site. This equates to one cyber attack every seven minutes.
  • The overall cost of reported losses around the nation amounted to approximately $33 billion
  • Average losses per attack amounted to $39,000, $88,000 and $62,000 for small, medium and large businesses respectively

Moreover, Araujo says there are several misconceptions regarding cybercrime.

First, there is a notion that cyber criminals predominately target large corporations.

In fact, many scammers target smaller organisations as it is easier to scam multiple small businesses and individuals than to attack a single large entity. Small organisations are more vulnerable as they have fewer IT resources and their workers often perform multiple functions.

In addition, targets extend beyond profit-making entities and can encompass charities, hospitals, schools and religious organisations. In fact, hospitals are popular on account of the sensitive data they hold. So too are charities, whose donor data can be used against other individuals or corporations.

Not all motives are purely financial. In addition to financial gain, motives for attacks can include political objectives, espionage, religious motives or disgruntlement. Some hackers simply want to prove a point or out-hack others.

Finally, notions about phishing scams being readily identifiable via incorrect spelling or poor image quality are outdated.

As noted below, a large number of phishing scams are now more sophisticated and can take on the appearance of being genuine. Some are even targeted and draw upon information regarding individual users which is gathered via personal websites or social media.


How Cyber Attacks May Occur

According to Araujo, several types of attacks are common.

First, there are phishing scams. These involve malicious emails or other messages that seek to prompt users to either give away money or sensitive information or to download infected files.

Such messages may originate via email, SMS, social media, gaming or other means. They usually include links which direct users to fake web sites.

The messages may come with a sense of urgency, such as the cancellation of services or overdue payments. In other cases, they may promote giveaways which are too good to be true.

In the past, many such messages were identifiable through spelling errors or poor-quality images.

Nowadays, a significant number are designed to appear to be realistic and to catch out busy people.

Whilst some attacks are random and are sent to tens of thousands of potential victims, others are targeted at specific individuals or organisations. These attacks leverage information obtained from web sites or social media accounts in order to promote the appearance of legitimate correspondence.

The prevalence of these should not be underestimated. Over the first five months of this year, the ACCC web site Scamwatch received more than 45,000 reports of suspected phishing activity.

Next, there is ransomware.

Often delivered in the form of a virus, this is malicious software that intends to cause harm to systems or networks. It will either encrypt data or lockdown a victim’s computer in the hope of extracting a ransom payment.

This software is often delivered via a phishing attack.

The third type of attack is business email compromise.

Under this scam, cyber criminals trick target businesses into making payments into the criminal’s account by causing the business to mistakenly believe that it is paying a legitimate invoice to a legitimate supplier.

To do this, a scammer may potentially:

  • Compromise the inbox of victims, search through emails, intercept an invoice and alter the bank details. The unsuspecting user will then go and pay the invoice but will unwittingly deposit the money into the scammer’s account.
  • Create fake emails that appear to be from legitimate suppliers and which purport to inform the user of a change in supplier bank details. Users then ‘update’ their details and unwittingly pay future invoices into the scammer’s account.
  • Hack into the accounts of suppliers and send out mass emails to the entire customer base which falsely ‘advise’ that the supplier has changed banks or bank details.

To execute these plots, perpetrators need to compromise your system. This can be done through password attacks, phishing emails or ‘spear phishing’ attacks or the purchase of credentials via the dark web.

Spear phishing attacks refer to targeted phishing attempts whereby the scammer targets certain individuals or organisational departments via social engineering. Often, this is done using information obtained via LinkedIn – a common source of data regarding organisations and individual professional workers.

Finally, attacks can occur via trusted insiders. Whilst these can result from rogue or disgruntled employees who wish to harm their business, they more often occur where businesses are compromised by unsuspecting staff.

Potential examples could include the inadvertent display of sensitive information to people at the front reception or to cleaners who enter the office after hours. It may also involve the compromise of devices which are owned by individual employees but which may contain sensitive corporate information.

On one occasion, Araujo came across a personal computer at the lost baggage counter of a large European carrier. Attached to the PC was a post-it note with a system password.

(A simple phone call to suppliers to verify invoices or changed bank details can help to prevent fraud which occurs through business email compromise.)

What can be done?

In terms of strategies, Sincock points to several measures.

To avoid business email compromise, he encourages organisations to verify any notifications of unusual invoices or changed payment details directly with suppliers. This should occur via an alternative contact mechanism such as telephone. It should not occur through the email in question or through any changed contact details contained within the email.
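The verification rule above, that a change of payment details is never acted on from the e-mail itself but checked by phone on a number already held, can be turned into a simple accounts-payable triage step. The following is an added example written for this article, not code from the webinar, ACIF or NBN Co; the supplier registry, phone number, addresses and message bodies are all constructed for illustration. It covers both the altered-invoice case and the "we have changed banks" case described earlier.

```python
"""Triage of supplier e-mails before an invoice is paid.

Added example, not from the webinar or its speakers.  Registry entries,
the phone number and the e-mails below are constructed.  The control is
the one the speakers describe: a message that changes payment details is
never trusted on its own; it is held until someone phones the supplier on
the number held from onboarding, not on any number quoted in the e-mail.
"""
import re
from dataclasses import dataclass

# Constructed registry of what accounts payable already knows about a supplier.
SUPPLIER_REGISTRY = {
    "acme-scaffold.example": {
        "bsb": "062000",
        "account": "12345678",
        "verify_phone": "+61 2 5550 0100",  # recorded at onboarding, not from e-mail
    },
}

# Phrases that usually accompany a bank-detail change request (lower-case text).
CHANGE_PATTERNS = [
    r"\bnew bank(ing)? details\b",
    r"\bchanged? (our |the )?bank\b",
    r"\bupdated? (our |the )?(bank|account|payment) details\b",
    r"\bnew account\b",
]


@dataclass
class Email:
    sender: str
    reply_to: str
    subject: str
    body: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def mentions_payment_change(text: str) -> bool:
    text = text.lower()
    return any(re.search(p, text) for p in CHANGE_PATTERNS)


def extract_bank_details(text: str):
    """Return (bsb, account) digit strings found in the text, or None for each."""
    bsb = re.search(r"bsb[:\s]*(\d{3})[- ]?(\d{3})", text, re.I)
    acct = re.search(r"account(?: no\.?| number)?[:\s]*(\d{6,10})", text, re.I)
    return (bsb.group(1) + bsb.group(2) if bsb else None,
            acct.group(1) if acct else None)


def triage(email: Email) -> dict:
    """Decide whether the invoice can be paid or must wait for a phone check."""
    sender_dom = domain_of(email.sender)
    known = SUPPLIER_REGISTRY.get(sender_dom)
    reasons = []

    if known is None:
        reasons.append(f"sender domain {sender_dom} is not a registered supplier")
    if domain_of(email.reply_to) != sender_dom:
        reasons.append("reply-to domain differs from sender domain")

    text = f"{email.subject}\n{email.body}"
    if mentions_payment_change(text):
        reasons.append("message announces a change of payment details")

    # An altered invoice may carry new details with no announcement at all,
    # so compare whatever details appear against the registry every time.
    bsb, acct = extract_bank_details(text)
    if known and (bsb or acct) and (bsb, acct) != (known["bsb"], known["account"]):
        reasons.append("bank details in message differ from registry")

    if not reasons:
        return {"verdict": "pay_as_normal", "reasons": []}
    return {
        "verdict": "hold_for_phone_verification",
        "reasons": reasons,
        # Only the number on file is ever used; a number quoted in the e-mail is not.
        "call": known["verify_phone"] if known else "look up supplier independently",
    }
```

The point of the `call` field is procedural rather than technical: the person doing the verification is handed the registry number, so the e-mail's own contact details never enter the process.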

Next, all devices should be equipped with the latest software version. This includes phones, laptops, PCs and other devices.

This is easily done by adjusting settings to receive automatic updates.

Third, there is multi-factor authentication – a system which requires two or more proofs of identity in order to access files or accounts. This can include a combination of things you know (passwords, secret questions etc.), things you may possess (smart cards or authenticator apps) or physical attributes such as retina scans or fingerprints.

This is particularly useful for protecting files or accounts which may contain personal, financial or other sensitive information. These multiple layers make it more difficult to hack in and to obtain sensitive data.
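The "authenticator app" factor mentioned above is usually a time-based one-time password (TOTP, RFC 6238). The following added example, written for this article and not code from the webinar or its speakers, shows the server side of that factor: issuing a secret, deriving the six-digit code from HMAC-SHA1 over the current 30-second time step, and verifying a submitted code with a small clock-skew window. The reference key in the test is the RFC 6238 test key; the step size and digit count are the common defaults.

```python
"""TOTP (RFC 6238) as used by authenticator apps: added example for this
article, not code from the webinar.  Server-side only: provisioning a
secret, computing the expected code, and checking what the user typed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # time step used by common authenticator apps
DIGITS = 6


def new_secret() -> str:
    """Random 160-bit secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def secret_to_key(secret_b32: str) -> bytes:
    return base64.b32decode(secret_b32.upper())


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal with leading zeros."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, submitted: str, at: Optional[int] = None,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step or `window` steps either side,
    because phone and server clocks are rarely perfectly in sync.  The
    comparison is constant-time so timing leaks nothing about the code."""
    if at is None:
        at = int(time.time())
    return any(
        hmac.compare_digest(totp(key, at + k * step, step), submitted)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = new_secret()
    key = secret_to_key(secret)
    print("secret to enrol in the app:", secret)
    print("code right now:", totp(key))
```

A production server adds two things not shown here: it remembers the last accepted time step for each user and refuses a second use of the same code, and it rate-limits attempts so a six-digit code cannot simply be guessed.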

Next, there are passwords. This is the first line of defence for access to computers, systems and personal information. To ensure that these are effective, these need to be as strong as possible.

When it comes to passwords, several common practices can leave users vulnerable to password attacks such as dictionary attacks or brute force attacks. Such practices include the use of similar passwords across different sites or applications, use of simple and predictable password creation strategies or having passwords written in places where they may be uncovered – including on documents which are stored within PCs. Often, these strategies are employed as coping mechanisms as users grapple with the difficulty of remembering passwords for many different applications.

When it comes to strong passwords, length beats complexity.

Whilst many have been led to believe that combinations of uppercase, lowercase and special characters are complex and secure, research now shows that this is not the case.

In fact, Sincock says combinations that employ these complex characters with seven- and eight-character passwords can now be cracked in 31 seconds and 39 minutes respectively. By contrast, a fourteen-character password using only upper and lowercase letters remains secure for around 64,000 years.

To remember longer passwords, a useful tool is a passphrase. This is a string of random words used for authentication that is longer than a traditional password. Passphrases are harder to crack with common password attacks and are easier to remember than random characters. Numbers and special characters can be added if necessary to comply with password requirements.

These passphrases should have at least four or more random words and should be at least fourteen characters in total. Note that the words should be random – passphrases which employ words that are commonly used together are more readily subject to password attack.

To help create and maintain large numbers of these long passphrases for different applications, passphrases can be stored in a password manager. This is an application which can be installed on phones and computers to store a collection of passphrases. Use of password managers frees users from needing to remember which password or passphrase applies to each account. Since most password manager apps use military grade encryption, these are difficult to hack. The app can also generate passphrases for you.
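The "length beats complexity" point and the passphrase rules above (four or more random words, at least fourteen characters) can be checked numerically. The following is an added example written for this article, not code from the webinar or its speakers. The guess rate used for the crack-time estimate is an assumption chosen for illustration only (real figures depend on the hash algorithm and the attacker's hardware, so these numbers will not match the speaker's), and the sixteen-word list is a constructed sample; a real generator draws from a list of several thousand words.

```python
"""Password length versus complexity, passphrase generation and a policy check.

Added example, not from the webinar.  SAMPLE_WORDLIST is a constructed
sixteen-word sample and GUESSES_PER_SECOND is an illustrative assumption.
"""
import math
import secrets

# Constructed sample; a real list has thousands of words.
SAMPLE_WORDLIST = [
    "anchor", "basket", "copper", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pepper",
]
GUESSES_PER_SECOND = 1e10  # assumption for illustration, not a measured figure


def password_bits(length: int, charset_size: int) -> float:
    """Guessing entropy in bits for a uniformly random password."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Bits when the attacker knows the word list and guesses whole words."""
    return word_count * math.log2(wordlist_size)


def worst_case_crack_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole space at the given guess rate."""
    return 2 ** bits / guesses_per_second


def compare_policies() -> dict:
    """Length versus complexity: 8 characters from all 95 printable ASCII
    symbols against 14 characters from upper- and lower-case letters only."""
    return {
        "8 chars, 95 symbols": round(password_bits(8, 95), 1),
        "14 chars, 52 letters": round(password_bits(14, 52), 1),
    }


def generate_passphrase(word_count: int = 4, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Random words chosen with the `secrets` module, never `random`."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_meets_policy(phrase: str, min_words: int = 4, min_chars: int = 14,
                            sep: str = "-") -> bool:
    """The rules from the webinar: at least four words and fourteen characters."""
    words = phrase.split(sep)
    return all(words) and len(words) >= min_words and len(phrase) >= min_chars


if __name__ == "__main__":
    for label, bits in compare_policies().items():
        print(f"{label}: {bits} bits, ~{worst_case_crack_seconds(bits):.3g} s to exhaust")
    phrase = generate_passphrase()
    print(phrase, "meets policy:", passphrase_meets_policy(phrase))
```

Two things the numbers show: the fourteen-letter password has about 79.8 bits against about 52.6 for the eight-character "complex" one, a space roughly 150 million times larger; and for a passphrase the word count and list size matter more than the character count once the attacker knows the list (four words from a 7776-word list is about 51.7 bits, five words about 64.6), which is why the words must be random and why the fourteen-character floor is a minimum, not a target.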

Whilst the notion of storing all passwords in a single location may seem counterintuitive, Sincock says this is far preferable compared with either using weak passwords or similar passwords across multiple sites. This is especially the case in light of the security which these apps employ.

Accordingly, password managers are a safe and practical means by which to store and manage strong passwords.

Finally, Araujo stresses the importance of people management and organisational culture.

On this score, organisations need to ensure that workers are informed about cyber security and are aware of any practices which may place organisations at risk. A strong organisational culture is needed which promotes a shared responsibility for maintaining cyber safe practices.

This is especially important for those workers who possess sensitive or privileged information.

Speaking particularly about the construction sector, Araujo says risks and strategies are broadly similar to those in other industries.

In light of the breadth and diversity of construction supply chains, however, construction firms need to be especially proactive in ensuring that third party connections are secure and should be particularly diligent in responding to matters such as invoices or changed bank details.

Other actions may include:

  • Knowing how to report cyber security incidents or cybercrime. This can be reported to ACSC via cyber.gov.au/report.
  • Knowing your networks and contacting your IT provider, managed service provider and/or cloud service provider for help and advice.
  • Evaluating cyber security risks associated with supply chains.
  • Preparing for cyber security incidents by having incident response, business continuity and disaster recovery plans in place. These should be regularly tested.
  • Contacting IDCARE if you have been hacked to support you through the process and to help you to develop a response.


It Will Happen, Be Ready

Above all, Araujo says businesses and individuals need to be prepared for cyber threats.

“Sadly, it’s not a matter of ‘if’, it’s a matter of ‘when’”, he said – referring to the likelihood of cyberattacks on individual organisations and people.

“We all need to be prepared for when that day comes.”
