Solid Foundation: How Payroll Security Helps Reduce Construction Industry Risks

Cyberattacks are on the rise in the construction industry, causing financial, data, and reputation damage. To mitigate risks, companies should focus on security culture, vulnerability identification, and getting expert support.
The construction industry is now a top target for cyberattacks. According to recent data, the IT and construction industries accounted for half of all ransomware attacks carried out in 2023. Meanwhile, as noted by the IBM Cost of a Data Breach 2024 report, a U.S. breach costs, on average, $9.36 million.
For organizations, this creates a dual challenge: as the number and frequency of attacks ramp up, so does the potential cost of a successful compromise or system vulnerability. In this piece, we'll explore some of the most common compromise concerns, examine potential payroll security breach impacts and offer best practices to help your team build a solid foundation in data security.
Common system vulnerability concerns
Before cybercriminals can encrypt, steal, or destroy data, they need a way in — and they aren't choosy on point of entry. While breaking and entering always presents a measure of risk, intruders find some digital roads easier to travel than others. Here are four common pathways for cyberattacks.
1) Data breaches, ransomware and malware
As noted above, construction businesses are increasingly targeted by ransomware attacks, often distributed via malicious email attachments or links that direct users to compromised websites and files. Once ransomware packages are deployed on business systems, they begin encrypting critical data.
2) Social engineering
Social engineering, or planned manipulation via phishing emails, phone calls or text messages, poses a significant risk for enterprises. Foremen and site managers are typically on-site, coordinating building and repair projects. An attacker could take advantage of their distance from the main office and administrative support to pose as a legitimate third-party contractor or supplier, convincing them to share sign-in data or otherwise compromising their mobile devices. The attacker can then leverage this access to compromise business networks at scale.
Consider this: an attacker sends site managers an SMS alert with a legitimate-looking link, instructing them to "reset" their HR system password because of a potential breach. If site managers log in using this link, malicious actors may be able to access human resource systems. From there, they can steal information, including employees' payroll, benefits, and performance data.
3) Fraud
Fraud also remains a top data security concern for organizations. For example, if attackers gain access to payroll systems and employee information, they can use this data to communicate with staff by sending fraudulent payment notifications or requests for "overpayments" to be returned. If employees click on the provided links, they could become the victims of financial fraud. If they download malicious attachments, meanwhile, they may expose organizations to advanced persistent threats.
4) Business resilience
60 percent of global business leaders say a security breach has impacted their payroll operation between 1 and 5 times in the last two years.
As a result, construction businesses are understandably concerned about what happens after a breach. How do they help ensure threats have been appropriately addressed, data is accessible, and operations can resume? In practice, this requires an integrated approach to security, specifically payroll security, and risk management.
Best practices for a solid data security foundation
To help minimize the risk of a breach, organizations should adopt security best practices, such as:
Recognize the risks
To better defend against a cyberattacker, you should think like one. Start with an evaluation of the current data risks to your organization — what are the most common attack paths, and are these paths a part of your workflow?
For example, attackers often leverage out-of-date solutions, such as industrial control systems (ICS) or supervisory control and data acquisition (SCADA) systems, that were never intended to connect to the Internet. By taking steps to secure these devices, such as limiting access and tracking data use, businesses can limit the odds of compromise.
Password best practices
Passwords are another common compromise path but remain a key component of construction payroll and HR operations. While organizations can't eliminate the risk of stolen passwords, they can take steps to limit the frequency and severity of these attacks. Start with these best practices:
One and done
You should never reuse your password across multiple sites. If your account is compromised and you use this email address and password combination across multiple sites, your information can be easily used to get into any of your other accounts.
Password complexity is key
- Use a long password (ideally, passphrase) which contains lowercase and uppercase letters, numbers and symbols.
- Avoid "password walking," or using consecutive keyboard combinations, such as qwerty or asdfg.
- Don't use dictionary words, slang terms, common misspellings or words spelled backward.
Implement two-factor authentication / multi-factor authentication
Enable two-factor authentication (2FA) and multi-factor authentication (MFA) on social media accounts, bank accounts, and any other eligible services whenever possible. These protocols require the user to produce two items of identification:
1. Knowledge, like a password, and
2. A possession, like a mobile phone code, biometrics (e.g., fingerprints or an eye scan) or a physical token.
This extra layer of protection becomes your data's first defense against compromise.
Before building a defensive strategy, make sure to identify and address key risk factors.
Develop a plan
Planning is next. While no two security incidents are identical, most share common characteristics, also called indicators of compromise (IOCs). Typical IOCs include reduced network and application performance, large-volume data transfers and unfamiliar user behaviors, such as requesting access from strange locations or at odd times of the day.
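As an added illustration (not part of the original article), the sketch below flags three of the IOCs named above, access at odd times, access from unfamiliar locations and large-volume transfers, against each user's earlier activity. The log fields, user names, work-hour window and volume threshold are all assumptions, and the events are constructed sample data.

```python
from datetime import datetime

# Constructed sample events from a hypothetical payroll portal log:
# (user, ISO timestamp in site-local time, source country, bytes sent out)
EVENTS = [
    ("site.manager1", "2024-05-06T08:15:00", "US", 120_000),
    ("site.manager1", "2024-05-07T09:02:00", "US", 95_000),
    ("site.manager1", "2024-05-08T08:40:00", "US", 110_000),
    ("payroll.admin", "2024-05-06T10:30:00", "US", 2_400_000),
    ("payroll.admin", "2024-05-07T10:45:00", "US", 2_100_000),
    ("site.manager1", "2024-05-09T02:47:00", "RO", 88_000_000),
    ("payroll.admin", "2024-05-09T10:20:00", "US", 2_300_000),
]

WORK_HOURS = range(6, 20)  # assumption: 06:00-19:59 counts as normal hours
VOLUME_FACTOR = 10         # assumption: 10x a user's largest earlier transfer is "large"


def flag_iocs(events):
    """Return [(user, timestamp, [reasons])] for events that deviate from
    what the same user did earlier in the log."""
    seen_countries = {}  # user -> countries seen in unflagged events
    max_bytes = {}       # user -> largest unflagged transfer so far
    findings = []
    for user, ts, country, sent in sorted(events, key=lambda e: e[1]):
        reasons = []
        if datetime.fromisoformat(ts).hour not in WORK_HOURS:
            reasons.append("odd time of day")
        if user in seen_countries and country not in seen_countries[user]:
            reasons.append("unfamiliar location")
        if user in max_bytes and sent > VOLUME_FACTOR * max_bytes[user]:
            reasons.append("large-volume transfer")
        if reasons:
            findings.append((user, ts, reasons))
        else:
            # Only unflagged events extend the baseline, so a suspicious
            # event cannot make its own location or volume look familiar.
            seen_countries.setdefault(user, set()).add(country)
            max_bytes[user] = max(max_bytes.get(user, 0), sent)
    return findings


if __name__ == "__main__":
    for user, ts, reasons in flag_iocs(EVENTS):
        print(f"{ts} {user}: {', '.join(reasons)}")
```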
Consider the compromise known as payroll fraud. Businesses can help reduce fraud risk with best practices, such as:
- Confirming that computers have regularly updated anti-virus and anti-malware software installed behind a reputable firewall
- Physically securing the computer used for processing and approving payroll activities and disposing of confidential hard copy and electronic media appropriately
- Consistently changing passwords to payroll-related systems with every change in payroll administration personnel
- Splitting your payroll management tasks so that one individual is responsible for preparing the payroll and another is responsible for submitting it and verifying the output
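The last two controls in this list can be checked from records most payroll teams already keep. The following is an added example, not from the original article: it audits constructed sample data for runs where one person both prepared and submitted payroll, and for personnel changes that were not followed by a password change before the next run. All field names and values are assumptions.

```python
from datetime import date

# Constructed sample records; field names are assumptions for this example.
PAYROLL_RUNS = [
    {"run": "2024-W18", "date": date(2024, 5, 3), "prepared_by": "alice", "submitted_by": "bob"},
    {"run": "2024-W19", "date": date(2024, 5, 10), "prepared_by": "carol", "submitted_by": "carol"},
    {"run": "2024-W20", "date": date(2024, 5, 17), "prepared_by": "carol", "submitted_by": "bob"},
]
PERSONNEL_CHANGES = [date(2024, 5, 6), date(2024, 5, 14)]  # payroll admin joined or left
PASSWORD_CHANGES = [date(2024, 4, 1), date(2024, 5, 15)]   # payroll system password resets


def audit_payroll_controls(runs, personnel_changes, password_changes):
    """Return [(run_label, finding)] for control gaps in the records."""
    findings = []
    # Separation of duties: preparer and submitter/verifier must differ.
    for r in runs:
        if r["prepared_by"] == r["submitted_by"]:
            findings.append((r["run"], "same person prepared and submitted"))
    # Password rotation: each personnel change needs a password change
    # on or after that date and no later than the next payroll run.
    for changed in sorted(personnel_changes):
        later = [r for r in runs if r["date"] >= changed]
        next_run = min(later, key=lambda r: r["date"], default=None)
        deadline = next_run["date"] if next_run else date.max
        if not any(changed <= p <= deadline for p in password_changes):
            label = next_run["run"] if next_run else "no later run"
            findings.append(
                (label, f"password not changed after personnel change on {changed}")
            )
    return findings


if __name__ == "__main__":
    for label, finding in audit_payroll_controls(
        PAYROLL_RUNS, PERSONNEL_CHANGES, PASSWORD_CHANGES
    ):
        print(f"{label}: {finding}")
```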
Create a security culture
All security solutions should be part technology and part human. On the technology side, businesses benefit from anti-virus, anti-malware and anti-spam solutions capable of detecting and flagging potential problems.
On the human side, continuing education is critical. Train staff to recognize phishing and spam emails and provide a clear process for reporting them. They should be suspicious of any messages that:
- Seem urgent and require your immediate response
- Request personal information such as user ID, password, PIN, email address or Social Security number, even if it appears to be a legitimate source
- Are addressed generically, such as "Dear Customer"
- Contain common misspellings or come from an unknown sender or one that, when you hover over the sender, is from a questionable source
Don't go it alone
The sheer volume of tools, applications and data required for today's businesses to stay profitable creates a natural security weak point. Despite their best efforts, even experienced security teams struggle to manage every tool simultaneously while continually scanning for security threats. You don't have to go it alone. Instead, partner with a reputable HR, payroll or human capital management provider with the industry experience and expertise to help keep your data secure.
Building a better defense
Cyberattacks are a common and understandable concern in the construction industry. Attackers are using every possible pathway to gain access, and firms should do everything they can to help protect themselves from cyberattacks.
Fortunately, there are actions you can take to reduce the likelihood of a cyberattack using a multi-faceted approach to cybersecurity. By combining advanced detection tools, regular employee training and secure data solutions, firms are better prepared to detect, deflect and defend against attacks.
Firms should find a payroll and HR partner they can trust to have proper security protocols and one that has deep construction industry experience.