Ransomware for construction

Architecture, engineering and construction firms are twice as likely to face ransomware attacks as other industries, according to new research

The threat, scope and impact of ransomware attacks are growing – and, alarmingly, a new report has warned that companies in the architecture, engineering and construction sector are more than twice as likely to fall victim to these attacks as firms in other sectors.

The report, by cloud content security and governance specialist Egnyte, found that almost a third (31%) of AEC firms that were victims of ransomware were attacked at least twice within a 16-month period – and a small number were targeted even more frequently.

While it can be difficult to pin down how much ransomware is on the rise, Egnyte said all the indications point to a rapid increase in the number of attacks.

It points to the 2020 FBI Internet Crime Report, which said the number of reported ransomware incidents rose from 2,047 in 2019 to 2,474 in 2020. Meanwhile, Cybersecurity Ventures predicted that in 2021, a business will be attacked by ransomware every 11 seconds.

Figures from Ransomware Facts show the government sector has the highest proportion of organisations reporting an attack in the past year at 15.4%, followed by manufacturing at 13.9% and construction at 13.2%.

AEC ransomware threat

Egnyte’s research found that within the study cohort, 28% of the total number of ransomware attacks detected were in the AEC industry, compared with 72% for all other industries combined.

The report notes that AEC firms have several factors working against them that may contribute to the higher rate of targeting. They are schedule-driven, and any delays due to lack of access to files will significantly impact costs and damage their brand. Coupled with the industry’s low profit margins, this could make AEC firms more likely to pay a ransom to get up and running again.

Larger companies were found to be at a higher risk. More than a quarter (26%) of firms with more than 1,000 employees reported a successful ransomware attack, compared with only 1% of accounts in companies with fewer than 200 employees and 4% of accounts in companies with between 201 and 1,000 staff.

This indicates that while larger firms are more likely to have relatively advanced cybersecurity awareness and resources, they also have deeper pockets, making them a more attractive target, as well as more data in a lot more repositories, increasing the number of potential entry points and vulnerabilities.

The damage caused by attacks

The damage caused to an AEC company’s operations by a successful attack depends on how many files are affected and the criticality of those files.

Egnyte found that, on average, 18,812 files were impacted by an attack, with the minimum being 2,822 and the maximum topping 42,101. For scale, some of Egnyte’s customers have hundreds of millions of stored files.

The average time for an AEC company to resolve the issues caused by an attack is 155 hours. In many cases, firms can access their data much more quickly, but on average a company can expect to experience some disruption to its operations for 6.5 days. Globally, the average downtime due to ransomware is between 15 and 23 days, depending on industry, company size and other factors.

Of the accounts that reported an attack, 31.6% were impacted more than once, with 7.9% reporting four or more incidents in a 16-and-a-half month period.

Ransomware protection

The report cautions that while there is no 100% guarantee of avoiding a ransomware breach, there are a number of best practices that can reduce the impact on operations and costs. Egnyte breaks these down into three phases: Identification, Containment and Eradication.


Identification

The faster an attack is identified, the easier it is to limit the damage it can do. Preventative and automated detection capabilities include:

  • Running up-to-date endpoint detection and response to continually monitor and respond to cyber threats.
  • Establishing identity access management to limit access to specific technologies and files.
  • Employing a next-gen firewall and zero-day threat detection to intercept first-of-a-kind attacks.
  • Implementing unusual behaviour detection to identify anomalies that could be a ransomware attack.


Containment

Once an attack is detected, an organisation must move quickly to stop self-replication and restrict access to targeted files.

Companies’ trash purge policy should be adjusted based on requirements. Egnyte recommends at least every 30 days after deletion of data.

  • Implement a codified file version policy. Best practice is to retain at least three versions.
  • Set a reasonable content retention or lifecycle policy.
  • Implement script blocking functionality to restrict the use of cookies.
  • Install automatic ransomware notifications so administrators can cut off user access in case of a breach.


Eradication

When an attack is contained, the next step is to eliminate it from the system by purging any potentially infected files and replacing them with a clean backup. This requires predetermined actions as part of a complete disaster recovery plan, such as:

  • Backing up all data with a third-party cloud vendor.
  • Enabling selective file restoration to reduce downtime.
  • Establishing a vetting process for both employees and equipment to reduce the chance of reinfection.
  • Creating a clean network to run operations until you are sure all ransomware has been eliminated.

Ransomware education

Egnyte concludes that the final – and most important – piece of best practice to guard against ransomware is education. The Verizon Data Breach Investigations report 2020 found that 85% of all breaches involved a human element, including phishing, business email compromise, lost or stolen credentials, using insecure credentials, human error and misuse.

These issues can never be eliminated entirely, as people will make mistakes, but education can significantly reduce the likelihood of them occurring, the report states.

A comprehensive cybersecurity awareness programme that is formalised, updated and delivered to all employees on a regular basis will go a long way to preventing a successful attack.

Ronen Vengosh, VP of AEC at Egnyte, said: “The threat of ransomware continues to rise as economic and technological factors make AEC firms prime targets for threat actors.

“Firms need to invest in a holistic defence programme which is a combination of the right prevention technologies, content governance and user education so they can mitigate potential attacks and avoid any business disruptions.”


BIM Today
