If cybersecurity isn’t on your mind, maybe it should be. Forrester found that over 75% of respondents in the construction, engineering, and infrastructure industries have experienced a cyber-incident in the last year. As construction businesses become more connected via the Internet, they are increasingly being victimized by cyber-attacks because they are not thinking about the potential risks. We’ll tell you what you need to know about cybercrime in the construction industry today, as well as what steps you should take to keep your data secure.
Your construction company is more connected today than it was in the past. You use Internet-connected solutions and remote access systems, such as Building Information Modeling (BIM), telematics, and project management software. Remember that the 2013 Target breach began with network credentials stolen from one of Target’s HVAC contractors: a vendor’s remote access is a path into the client. These and other Internet-based software solutions create opportunities for hackers to launch a cyber attack against your business and potentially your clients.
Construction firms have access to a wealth of information that’s desirable to hackers. Data including intellectual property, proprietary assets, building specifications, architectural drawings, and financial accounts (yours as well as your clients’) are all prime targets for hackers.
These are just a few of the ways that your construction company’s data can be breached:
Hackers are using phishing and spear-phishing email scams to access banking and employee information, such as social security numbers and payroll account data. They target both general contractors and subcontractors – potentially damaging the trusted relationship you have with your clients. Phishing has become a serious problem all over the world because it works so well. There are two main forms, phishing and spear-phishing, and though they can be used separately, they are often used together.
Phishing is broad and untargeted. A spoofed email tricks the user into visiting a spoofed website, where they are asked to enter their login or financial information. The end goal is to steal credentials or data from your employee, and ultimately any information that can be leveraged for additional attacks.
Spear-phishing, on the other hand, targets a specific individual, business, or organization. Hackers forge the “From:” field of the email so that it appears to come from a trustworthy source (like your CEO or CFO), or register a look-alike domain, and then pose as that person to request personal information or payments from employees. Note that the display name in “From:” is free text; it proves nothing about who actually sent the message.
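The following is an added example, not code from the original article, showing how a mail gateway or help desk script can apply three simple header checks to catch the spear-phishing pattern described above: an executive’s display name on an outside address, a look-alike of the company domain, and a Reply-To that points somewhere other than the From: domain. The company domain, the executive list and the three sample messages are constructed for the example.

```python
"""Spear-phishing header check: display-name spoofing, look-alike domains, Reply-To mismatch.

Added example, not code from the original article. It parses a raw email message
with Python's standard-library email parser and applies three header checks. The
company domain, the executive list and the three sample messages are constructed.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example-construction.com"                       # constructed
EXECUTIVES = {"pat smith": "pat.smith@example-construction.com"}  # constructed

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substituted, inserted or deleted character."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) < len(b):
        a, b = b, a
    if len(a) != len(b) + 1:
        return False
    return any(a[:i] + a[i + 1:] == b for i in range(len(a)))

def is_lookalike(domain: str, target: str) -> bool:
    """Look-alike if one edit away from the real domain, or equal after undoing
    common confusable substitutions (rn -> m, 0 -> o, 1 -> l)."""
    if domain == target:
        return False
    confusables = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    return confusables == target or _one_edit_apart(domain, target)

def assess(raw: bytes) -> List[str]:
    """Return a list of findings; an empty list means the headers passed these checks."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' matches an executive but the address is {addr}")
    if from_domain and is_lookalike(from_domain, COMPANY_DOMAIN):
        findings.append(f"From: domain {from_domain} is a look-alike of {COMPANY_DOMAIN}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and _domain(reply) != from_domain:
        findings.append(f"Reply-To {reply} does not match the From: domain {from_domain}")
    return findings

# Constructed sample messages.
LEGIT = b"""From: Pat Smith <pat.smith@example-construction.com>
To: payroll@example-construction.com
Subject: Q3 site schedule

Attached.
"""
SPOOFED_NAME = b"""From: Pat Smith <pat.smith.ceo@webmail.example>
To: payroll@example-construction.com
Reply-To: pat.smith.ceo@another-mailbox.example
Subject: W-2s for all employees, please send today

I need the W-2 PDFs for all staff before my 2pm meeting.
"""
LOOKALIKE = b"""From: Pat Smith <pat.smith@example-constructlon.com>
To: accounts@example-construction.com
Subject: Updated wire instructions for the Site 42 vendor

New bank details attached, please update before Friday's run.
"""

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("spoofed-name", SPOOFED_NAME), ("look-alike", LOOKALIKE)):
        print(label, assess(sample) or "no findings")
```

Checks like these complement, but do not replace, SPF, DKIM and DMARC on your own domain: those let the receiving gateway verify that a message claiming to be from your domain really came from your mail servers, which is the only reliable defence against a forged “From:” address on your own domain.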
A few years ago, Turner Construction was the victim of a spear-phishing scam. An employee was tricked into sending tax information for employees to a fraudulent email account. It included full names, social security numbers, and states of employment and residence, as well as tax withholding data. All of Turner Construction’s employees were affected.
Baltimore-based Whiting-Turner Contracting, another top construction management and general contracting company, was also hit with a data breach. An outside vendor that prepared their W-2 and 1095 tax forms was targeted; attacks that go through a trusted supply chain relationship like this are a growing category. Suddenly, their employees were reporting fraudulent tax filings being made in their names.
In addition to employee information, personal information regarding employees’ children and beneficiaries who received healthcare insurance coverage through Whiting-Turner was compromised. Scary, isn’t it?
Construction companies are vulnerable to phishing and spear-phishing attacks because of the industry’s high turnover. With multiple jobs, job sites, and workers, it’s challenging to set up uniform company training to educate employees about cybersecurity. Plus, the number of vendors and subcontractors used in the construction industry and the changing nature of contracting add to the risk of someone accidentally leaking confidential information. All of this makes you a bigger and easier target for cybercriminals.
There’s no way to totally prevent your network and data from being hacked with the high turnover rate and a lack of education and awareness in the industry. But you can put a proactive plan in place to protect your IT assets. Here are 8 steps that you should take:
1. Designate A Cybersecurity Chief On Your Staff: Appoint a staff member to be your point of contact and to lay down the law about secure IT best practices. They should also be the liaison with your outsourced or in-house IT team or managed IT services provider. They must understand and help to enforce the regulations and security policies that you want your employees to comply with.
2. Have Your Managed IT Services Company Implement a Layered Defence: You can no longer rely on just one or two security mechanisms. Today’s cyber threats are sophisticated and designed to circumvent the countermeasures most companies have in place. If your antivirus or anti-spam solution fails, you’ll have nothing left to protect your data, because the consumer router your DSL provider gave you is a firewall in name only. Your managed IT provider can do the following:
3. Develop a Backup & Disaster Recovery Plan With Your Managed IT Provider: You must have a backup copy of your data in the event that it’s stolen, accidentally deleted or falls victim to ransomware. Develop a policy that specifies what information is backed up, how often it’s backed up, where it’s stored, and who has access to the backups. Make sure your backup systems are encrypted.
Your backups need to follow the 3-2-1 rule: three copies of your data, on two different types of media, with one copy kept off-site (for example, in the secure online data center your Ottawa IT service company provides). In practice, back up to an external drive in your office and to that remote location. A drive that stays plugged into your computer is not a real backup, only a copy: ransomware that encrypts your files will encrypt it too. Backups need to be performed at least daily (preferably hourly, with restores tested daily), and your managed IT provider can set them to run automatically.
Your managed IT provider must also test your backups regularly for recoverability, to ensure they are valid and can do what you are counting on them to do – save your company. A backup that has never been restored is an assumption, not a plan. Testing is fundamental to reducing risk, improving security, and ensuring your ability to restore your data if it’s locked down by ransomware or lost for whatever reason.
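As an added example (not code from the original article or from any backup product), here is the shape of a restore drill: record a SHA-256 manifest of the source files when the backup is taken, restore into a fresh directory, and compare every file against the manifest. The directories, file names and contents are constructed, and the manifest format is this script’s own.

```python
"""Restore drill for a backup set: hash manifest plus verification.

Added example, not from the original article. It writes a constructed set of
project files, backs them up, records a SHA-256 manifest, then verifies that a
restored copy matches the manifest and reports anything missing or altered.
Directory names, file contents and the manifest format are all constructed.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, forward slashes) to its SHA-256."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy source to dest and store the manifest beside the backup."""
    manifest = build_manifest(source)
    shutil.copytree(source, dest, dirs_exist_ok=True)
    (dest.parent / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest

def verify_restore(restored: Path, manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the restore is complete and intact."""
    problems = []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"altered: {rel}")
    return problems

def restore_drill(tamper: bool = False) -> List[str]:
    """Create constructed data, back it up, restore to a fresh directory and verify.
    With tamper=True one restored file is corrupted to show that the check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "projects"
        (src / "site-42").mkdir(parents=True)
        (src / "site-42" / "drawings.dwg").write_bytes(b"constructed drawing data")
        (src / "payroll.csv").write_text("name,ssn\nconstructed,000-00-0000\n")
        bak = tmp / "backup" / "projects"
        manifest = backup(src, bak)
        restored = tmp / "restore-test"
        shutil.copytree(bak, restored)  # stands in for restoring from the backup medium
        if tamper:
            (restored / "payroll.csv").write_text("truncated")
        return verify_restore(restored, manifest)

if __name__ == "__main__":
    print("clean restore:", restore_drill() or "all files verified")
    print("tampered restore:", restore_drill(tamper=True))
```

Keep the manifest with the off-site copy as well as the on-site one; if ransomware or a failed disk takes out the originals, the manifest is what tells you whether the restore you are about to trust is complete.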
4. Regularly Train Your Users on IT Security: Your managed IT services company can provide security awareness training for your employees. As you saw with the Turner Construction case, your staff can have a significant impact on your cybersecurity; either they know enough to keep your IT assets secure or they don’t. If not, they present a serious threat to your IT security. Security awareness training will help your employees learn how to recognize phishing and spear-phishing emails, as well as which steps to take to avoid falling victim to them.
They’ll also learn how to handle security incidents when they occur. If your workers are informed about what to watch for, how to block theft attempts, and where they can turn for help, this alone is worth the investment. It’s crucial to retrain them regularly. People must be reminded often about cyber threats and the dangers they present, and there are always new threats, so it’s essential to stay up-to-date. Ongoing training and testing reduce the incidence of the human error that increases your risk of a breach.
5. Keep Your Systems and Software Current: Software developers are diligent about releasing patches for new security threats. Make sure your managed IT services provider installs them as soon as they’re released (after they have been tested, of course). If they don’t, your company will be vulnerable. Where possible, set your systems to update automatically so you don’t miss critical updates, and make sure your provider has a process for testing and deploying them. It is just as important to apply updates for third-party software; many recent breaches have come through unpatched third-party applications rather than the operating system.
This is one of the most effective things you can do. It closes security gaps and limits the vulnerabilities hackers find and exploit. Outdated software and operating systems that don’t promptly receive security patches leave you exposed. In addition, replace outdated software before the developer ends support. For example, Microsoft’s extended support for Windows 7 ends on January 14, 2020.
After that date you won’t get bug fixes or security updates from Microsoft, and third-party support may soon disappear as well. Over time, the lack of patches, combined with the age of the hardware those machines run on, will make them both vulnerable and unreliable.
6. Enforce Access Policies on Mobile/Personal Devices and Restrict Access to the Network: With BYOD (Bring Your Own Device), mobile devices like smartphones, tablets, and laptops present significant security challenges. They’re exposed to external threats, infections, and hackers, and when they connect to your internal network they can compromise your company’s security.
Establish security policies for the use of such mobile devices on your network. They should be password-protected so only authorized persons can use them. Also, know who has access to your data, and enforce a “need-to-know” policy: restrict access to data to only those who need it to do their jobs. Employ role-based access controls with secure logins. Limiting each employee’s authorization to their role limits what an intruder, or a compromised account, can reach if a login is stolen, and makes suspicious activity easier to spot.
7. Enforce Strict Password Policies: Weak passwords are one of your weakest links. Have your employees create long passwords (more than 14 characters) and never reuse the same password for different purposes. If one gets cracked or leaked, a hacker will try it everywhere else. Have your managed IT services provider install a business-grade password manager and restrict the use of browser-based password systems (i.e. NEVER save passwords in the web browser). A business-grade password manager will suggest, capture, and secure strong passwords at the same time, which makes the policy painless to follow.
Short passwords made of letters and numbers are easy to crack, but the usual fixes are weaker than they look: cracking tools already try every common substitution ($ for S, 1 for I, 0 for O, @ for A), so “P@$$w0rd” is no stronger than “password”. Length and unpredictability are what matter. Either think of a phrase of several unrelated words that you can remember and use it as a passphrase (adding a symbol or digit if the system requires one), or better, let the password manager generate a long random password you never have to remember.
8. Protect Your Construction Company with Cybersecurity Insurance: Because cybercriminals are relentless and the threats they’re using are constantly evolving, construction companies are purchasing cybersecurity insurance. Contact your insurance agent to learn more about this and how it will protect you. You will also have to do your part to ensure your coverage obligations are met.
Make sure that your third-party vendors’ IT systems are protected as well. Remember what happened with Whiting-Turner’s tax preparation company? Find out whether your vendors are also implementing at least these 8 steps to protect themselves from cybersecurity threats.