Do You Think Your Ottawa Construction Company Won’t Become a Victim of Cybercrime?

Think Again…

If cybersecurity isn’t on your mind, maybe it should be. Forrester found that over 75% of respondents in the construction, engineering, and infrastructure industries have experienced a cyber-incident in the last year. [1] As construction businesses become more connected via the Internet, they are increasingly being victimized by cyber-attacks because they are not thinking about the potential risks. We’ll tell you what you need to know about cybercrime in the construction industry today, as well as what steps you should take to keep your data secure.

Accept The Fact That Your Ottawa Construction Company Is a Cyber Target

Your construction company is more connected today than it was in the past. You use Internet-connected solutions and remote access systems, such as Building Information Modeling (BIM) (this is how Target was breached), telematics, and project management software. These and other Internet-based software solutions create opportunities for hackers to launch a cyber-attack against your business and potentially your clients.

Construction firms have access to a wealth of information that’s desirable to hackers. Data including intellectual property, proprietary assets, building specifications, architectural drawings, and financial accounts (yours as well as your clients’) are all prime targets for hackers.

These are just a few of the ways that your construction company’s data can be breached:

  • Phishing and spear-phishing scams
  • Unlocked and misplaced employee laptops and mobile devices
  • Unauthorized access to company networks (both yours and your clients’)
  • Breached data and websites
  • Insider cyber theft or employees accidentally posting confidential information online
  • Access to data shared with third parties (whether or not that sharing is authorized)

Be Aware That Email Scams Are A Major Threat

Hackers are using phishing and spear-phishing email scams to access banking and employee information, such as social security numbers and payroll account data. They target both general contractors and subcontractors – potentially damaging the trusted relationship you have with your clients. Phishing has become a serious problem all over the world, and that’s because it works so well. Phishing and spear-phishing are two distinct techniques, and though they can be used separately, they are often used together.

In ordinary phishing, a spoofed email tricks the user into visiting a spoofed website, where they are asked to enter their login or financial information. Whatever the lure, the end goal is to steal information from your employee, and ultimately any information that can be leveraged for additional attacks.

Spear-phishing, on the other hand, targets a specific individual, business, or organization. Hackers spoof the “From:” field in the email to make it look like it’s coming from a trustworthy source (like your CEO or CFO). They pose as these individuals and request personal information from employees.
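As an added illustration (not code from the original post), here is a small Python check that a mail filter could run to flag the display-name trick just described: a “From:” whose name matches one of your executives but whose mailbox is not that executive’s company address, or whose domain merely looks like yours. The company domain, executive directory and sample headers are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed sample data (hypothetical): the firm's mail domain and the
# executives whose names are most likely to be impersonated.
COMPANY_DOMAIN = "example-construction.ca"
EXECUTIVES = {
    "jane doe": "jane.doe@example-construction.ca",    # CEO
    "john smith": "john.smith@example-construction.ca",  # CFO
}


def normalize(name):
    """Lower-case a display name, drop punctuation and collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())


def check_from_header(from_header):
    """Return (verdict, reason) for a raw From: header value.

    Verdicts: 'ok' (directory match or internal sender), 'suspicious'
    (executive name on a foreign mailbox, or a lookalike domain), 'external'.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name = normalize(display)

    if name in EXECUTIVES:
        if addr == EXECUTIVES[name]:
            return ("ok", "display name and mailbox match the executive directory")
        return ("suspicious", f"executive name '{display}' used with non-directory address {addr}")
    if domain == COMPANY_DOMAIN:
        return ("ok", "internal sender")
    # Lookalike domain: contains our company label but is not our domain.
    label = COMPANY_DOMAIN.split(".")[0].replace("-", "")
    if label in domain.replace("-", ""):
        return ("suspicious", f"lookalike domain {domain}")
    return ("external", f"external sender {addr}")


# Constructed sample headers for demonstration.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-construction.ca>",
    '"Jane Doe" <jane.doe@mail-example-construction.com>',
    "John Smith <ceo.office123@webmail.example>",
    "Accounts <ap@example-constructi0n.ca>",
    "Bob Builder <bob@supplier.example>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_from_header(header))
```

A check like this is a cheap first layer on top of SPF/DKIM/DMARC; it catches the human-facing trick (a familiar name on an unfamiliar address) that authentication checks alone do not flag.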

Even Large Companies Get Tricked…

A few years ago, Turner Construction was the victim of a spear-phishing scam. An employee was tricked into sending tax information for employees to a fraudulent email account. It included full names, social security numbers, and states of employment and residence, as well as tax withholding data. All of Turner Construction’s employees were affected.

Baltimore-based Whiting-Turner Contracting, another top construction management and general contracting company, was also hit with a data breach. An outside vendor that prepared their W-2 and 1095 tax forms was targeted (part of a growing class of attacks that exploit trusted supply-chain relationships). Suddenly, their employees were reporting fraudulent tax filings being made in their names.

In addition to employee information, personal information regarding employees’ children and beneficiaries who received healthcare insurance coverage through Whiting-Turner was compromised. Scary, isn’t it?

Your Construction Company Isn’t Immune To Cyber-Attacks

Construction companies are vulnerable to phishing and spear-phishing attacks due to the industry’s high turnover. With multiple jobs, job sites, and workers, it’s challenging to set up uniform company training to educate employees about cybersecurity. Plus, the number of vendors and subcontractors used in the construction industry and the changing nature of contracting add to the risk of someone accidentally leaking confidential information. All of this makes you a bigger and easier target for cybercriminals.

How Can You Protect Your Construction Company From Data Breaches?

There’s no way to totally prevent your network and data from being hacked with the high turnover rate and a lack of education and awareness in the industry. But you can put a proactive plan in place to protect your IT assets. Here are 8 steps that you should take:

1. Designate A Cybersecurity Chief On Your Staff: Appoint a staff member to be your point of contact and to lay down the law about secure IT best practices. They should also be the liaison with your outsourced or in-house IT team or managed IT services provider. They must understand and help to enforce the regulations and security policies that you want your employees to comply with.

2. Have Your Managed IT Services Company Implement a Layered Defence: You can no longer rely on just one or two security mechanisms. Today, cyber threats are sophisticated and well-designed to circumvent many of the countermeasures that most companies have in place. If your antivirus or anti-spam solutions fail, you’ll have nothing left to protect your data because the firewall your DSL provider gave you is really a firewall in name only. Your managed IT provider can do the following:

  • Segment your networks with a modern subscription-based firewall (that way, it is always up to date to defend against the threats). Network segmentation categorizes IT assets and data and restricts access to them.
  • Use measures to detect IT compromises. They should be using solutions like Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs), along with a centralized managed antivirus/malware solution to help you detect security threats in their early stages.
  • If remote access is needed, make sure secure remote access via a VPN is used (preferably as an integrated component of the firewall). A virtual private network encrypts data channels so your users can securely access your IT infrastructure via the Internet. Most business-grade VPN solutions have centralized user management so they can accommodate the high staff turnover rate.
  • Secure and encrypt your wireless connections. Your company Wi-Fi must be separate from your guest Wi-Fi or public networks. Your construction company’s internal wireless must also be protected with at least WPA2 encryption. FYI: Much of your staff will not need access to the “corporate” network, so “guest” wireless access will be fine.
  • Implement mobile device management. This will wipe data from a device if it’s lost or stolen. You will also need to consider different rules for personal vs. corporate-owned devices and what you can and cannot do to a personal device.

3. Develop a Backup & Disaster Recovery Plan With Your Managed IT Provider: You must have a backup copy of your data in the event that it’s stolen, accidentally deleted or falls victim to ransomware. Develop a policy that specifies what information is backed up, how often it’s backed up, where it’s stored, and who has access to the backups. Make sure your backup systems are encrypted.

Your backups need to follow the 3-2-1 Backup Rule: keep three copies of your data, in two different physical locations, with one of those copies in the cloud. Back up to both an external drive in your office and a remote, secure, online data center that your Ottawa IT service company provides. If the backup device is physically connected to your computer, it is NOT a backup, it’s a copy. Backups need to be performed at least daily (preferably hourly, and tested daily). Your managed IT provider can set your backups to occur automatically.

Your managed IT provider must also test your backups regularly for recoverability to ensure they are valid and can do what you are counting on them to do – save your company. This is fundamental to reducing risk, improving security, and ensuring your ability to restore your data if it’s locked down with ransomware or lost for whatever reason.

4. Regularly Train Your Users on IT Security: Your managed IT services company can provide security awareness training for your employees. As you saw with the Turner Construction case, your staff can have a significant impact on your cybersecurity; either they know enough to keep your IT assets secure or they don’t. If not, they present a serious threat to your IT security. Security awareness training will help your employees learn how to recognize phishing and spear-phishing emails, as well as which steps to take to avoid falling victim to them.

They’ll also learn how to handle security incidents when they occur. If your workers are informed about what to watch for, how to block IT theft attempts, and where they can turn for help, this alone is worth the investment. It’s crucial to make sure that they are retrained regularly. People must be reminded often about cyber threats and the dangers they present. Plus, there are always new threats, so it’s essential to stay up-to-date and be aware. Ongoing training and testing reduce the incidence of human error that increases your risk of a breach.

5. Keep Your Systems and Software Current: Software developers are diligent about releasing patches for new security threats. Make sure your managed IT services provider installs them as soon as they’re released (after they have been tested, of course). If they don’t, your company will be vulnerable. If possible, set your systems to update automatically. Auto-updates will prevent you from missing critical updates. Your managed IT services provider should have a process for testing and deploying updates. It is also very important to apply updates for third-party software (most of the recent breaches have been the result of unpatched systems via third-party applications).

This is one of the most effective things you can do. It prevents security gaps and will limit system vulnerabilities that hackers find and exploit. Outdated software and operating systems that don’t immediately receive security patches leave you exposed. In addition, replace all outdated software before the developers end support. For example, Microsoft announced they are stopping mainstream support for Windows 7.

All support for Windows 7 will end on January 14, 2020. This means that you won’t get bug fixes or security updates from Microsoft, and third-party support may soon disappear as well. Over time, the declining security and reliability of Windows 7 (together with the age of the hardware it runs on) will make your computers vulnerable and unreliable:

  • Your computers could be infected by malware because they are not being patched;
  • Eventually, your antivirus protection won’t be updated;
  • Your online banking transaction protection may expire;
  • Your financial data could be exposed to theft; and
  • Your insurance company and/or regulatory body (for example, the Payment Card Industry (PCI) standards, i.e. the credit card companies) will not protect you in case of fraud.

6. Enforce Access Policies on Mobile/Personal Devices and Restrict Access to the Network: With BYOD (Bring Your Own Device), mobile devices like smartphones, tablets, and laptops present significant security challenges. They’re exposed to external threats, infections, and hackers, and when they’re connected to your internal network they can compromise your company’s security.

Establish security policies for the use of such mobile devices on your network. They should be password-protected so only authorized persons can use them. Also, know who has access to your data, and enforce a “need-to-know” policy. Restrict access to data to only those who need it to do their jobs. Employ role-based access controls with secure logins. Limiting your employees’ authorization with role-based access controls reduces the potential for network-based intrusions and suspicious activities.

7. Enforce Strict Password Policies: Weak passwords are one of your weakest links. Have your employees create long passwords (more than 14 characters) that are complex and never use the same passwords for different purposes. If one gets cracked, then a hacker can use it to access information in other places. Have your managed IT services provider install a business-grade password manager and restrict the use of browser-based password systems (i.e. NEVER save passwords in the web browser). When using a business-grade password manager to enforce the use of strong passwords, it will suggest, capture, and secure them at the same time – thus making it very painless to use.

It’s easy for hackers to crack passwords that contain only letters and numbers. Be sure to add special characters. And don’t use words in your passwords – only letters, numbers, and symbols that don’t mean anything. Think of a phrase that you can remember and use the first letter of each word. Consider using a $ instead of an S or a 1 instead of an I, or including symbols like &, #, @ or %.

8. Protect Your Construction Company with Cybersecurity Insurance: Because cybercriminals are relentless and the threats they’re using are constantly evolving, construction companies are purchasing cybersecurity insurance. Contact your insurance agent to learn more about this and how it will protect you. You will also have to do your part to ensure your coverage obligations are met.

Make sure that your third-party vendors’ IT systems are protected as well. Remember what happened with Whiting-Turner’s tax preparation company? Find out if they are also implementing at least these 8 steps to protect themselves from cybersecurity threats.


  1. https://riskandinsurance.com/case-cyber-coverage-construction-industry/


Ernie Sherman

I have a strong passion for helping Ottawa businesses, entrepreneurs and professionals to become more productive and successful while allowing them to feel at ease and secure when it comes to their Information Technology needs. As the President of Fuelled Networks since 1998, I specialize in providing no-nonsense, flawless and prompt technical support to Ottawa businesses, with in-depth consulting on Fortinet, Microsoft, the Microsoft Cloud Stack and security. I strive to help businesses succeed and take great pride in building long-lasting positive relationships and taking on a strong leadership role within the Ottawa community.

Published On: 16th September 2019 by Ernie Sherman.