Think Your Construction Company Won’t Be a Victim of Cybercrime?


How Can You Prevent Your Construction Company From Being a Victim of Cybercrime?

If cybersecurity isn’t on your mind, maybe it should be. As construction businesses become more connected via the Internet, they are increasingly being victimized by cyberattacks, largely because security is not on their radar. We’ll tell you what you need to know about cybercrime in the construction industry today, and what steps you should take to keep your data secure.

Accept The Fact That Your Company Is a Target

Your construction business is more connected today than it was in the past. You use internet-connected solutions and remote-access systems such as Building Information Modeling (BIM) (this is how Target was breached), telematics and project management software. These and other internet-based software solutions create opportunities for hackers to launch a cyberattack against your business and potentially your clients.

Construction firms have access to a wealth of information that’s desirable to hackers. Data including intellectual property, proprietary assets, building specifications, architectural drawings and financial accounts (yours as well as your clients’) are all prime targets for hackers.

These are just a few of the ways that your construction company’s data can be breached:

  • Phishing and spear-phishing scams
  • Unlocked and misplaced employee laptops and mobile devices with access to unsecured company data
  • Unauthorized access to company networks (both yours and your clients’)
  • Breached data and websites
  • Insider cyber theft or employees accidentally posting confidential information
  • Access to data shared with third parties (whether or not the sharing is authorized)

Email Scams Are A Major Threat

Hackers are using phishing and spear-phishing email scams to access banking and employee information such as Social Security numbers and payroll account data. They target both general contractors and subcontractors, and the trusted relationship you have with your clients.

Phishing has become a serious problem all over the world, and that’s because it works so well. There are two types: phishing and spear phishing. These are the primary ways that hackers infiltrate your IT network and a breach happens.

Cyber thieves can get sensitive information from unsuspecting employees, such as login credentials. Though the two can be used separately, they are often used together. First, a spoofed email tricks the user into visiting a spoofed website. There, the user is asked to enter their login information or their financial information. Either way, the end goal is to steal from your employee, and ultimately to collect any information that can be leveraged for additional attacks.

Spear phishing targets a specific individual, business or organization. Hackers spoof the “From:” field in the email to make it look like it’s coming from a trustworthy source (like your CEO or CFO). They pose as these individuals and request personal information on employees like Social Security numbers, corporate banking account information, or login credentials to ultimately get money from you or your clients.

Even Large Companies Get Tricked

A few years ago, Turner Construction was the victim of a spear-phishing scam. An employee was tricked into sending tax information for employees to a fraudulent email account. It included full names, Social Security numbers, states of employment and residences as well as tax withholding data. All of Turner’s employees were affected.

Baltimore-based Whiting-Turner Contracting, another top construction management and general contracting company, was also hit with a data breach. An outside vendor that prepared their W-2 and 1095 tax forms was targeted (this is part of a growing sector of attacks via the trusted Supply Chain relationship). Suddenly, their employees were reporting fraudulent tax filings being made in their names.

In addition to employee information, personal information regarding employees’ children and beneficiaries who received healthcare insurance coverage through Whiting-Turner was compromised.

Your Construction Company Isn’t Immune To Cyberattacks

Construction companies are vulnerable to phishing and spear-phishing attacks due to the high turnover nature of the industry. With multiple jobs, job sites, and workers it’s challenging to set up uniform company training to educate employees about cybersecurity.

Plus, the number of vendors and subcontractors used in the construction industry, and the changing nature of contracting, add to the risk of someone accidentally leaking confidential information. All of this makes you a bigger and easier target for cybercriminals.

How Can You Protect Your Construction Company From Data Breaches?

There’s no way to totally prevent your network and data from being hacked with the high turnover rate and a lack of education and awareness in the industry. But you can put a proactive plan in place to protect your IT assets. Here are 8 steps that you should take:

1. Designate A Cybersecurity Chief On Your Staff.

Appoint a staff member to be your point of contact to lay down the law about secure IT best practices. They should also be the liaison with your in-house IT team or Managed IT Service Provider. They must understand and help to enforce the regulations and security policies that you want your employees to comply with.

2. Have Your Managed IT Service Company Implement a Layered Defense.

You can no longer rely on just one or two security mechanisms. Today’s cyber threats are too sophisticated and are designed to circumvent many of the countermeasures that companies install. If your antivirus or anti-spam solutions fail, you’ll have nothing left to protect your data, because the firewall your DSL provider gave you is really a firewall in name only. Your Managed IT provider should do the following:

  • Segment networks with a modern subscription-based firewall (that way it is always up to date to defend against the threats). Network segmentation categorizes IT assets and data and restricts access to them.
  • Use measures to detect IT compromises. They should be using solutions like Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs), along with a centralized managed antivirus/malware solution to help you detect IT security events in their early stages.
  • If Remote Access is needed make sure a VPN is used (preferably it is an integrated component of the firewall). A Virtual Private Network encrypts data channels so your users can securely access your IT infrastructure via the Internet. Most business grade VPN solutions will have centralized user management so they can accommodate the high staff turnover rate.
  • Secure and encrypt your wireless connections. Your company Wi-Fi must be separate from your guest Wi-Fi or public networks. Your construction company’s internal wireless must also be protected with at least WPA2 encryption. FYI: Much of the staff will not need access to the “corporate” network, so “guest” wireless access will be fine for them.
  • Implement Mobile Device Management. This will wipe data from a device if it’s lost or stolen. You will also need to consider different rules for personal vs. corporate owned devices and what you can and cannot do to a personal device.

3. Develop a Backup & Disaster Recovery Plan With Your Managed IT Provider.

You must have a backup copy of your data in case it’s stolen, accidentally deleted or falls victim to ransomware. Develop a policy that specifies what information is backed up, how often it’s backed up, where it’s stored and who has access to the backups. And make sure your backup systems are encrypted.

Your backups need to follow the 3-2-1 Backup Rule. The data is stored in 3 locations, in 2 different physical locations, and one of those locations is in the cloud. If the backup device is physically connected to your computer, it is NOT a backup, it’s a copy. Backups need to be performed at least daily (preferably they are performed hourly and tested daily). Your Managed IT provider should set the backups to occur automatically.

Your Managed IT provider must also test your backups regularly for recoverability, to ensure they are valid and can do what you are counting on them to do: save your company. This is fundamental to reducing risk, improving your security and ensuring your ability to restore your data if it’s locked down with ransomware, or if it’s lost for whatever reason.

4. Regularly Train Your Users on IT Security.

Your IT company needs to provide Security Awareness Training for your employees. As you saw with the Turner Construction case, your staff can have a significant impact on your cybersecurity; either they know enough to keep your IT assets secure, or they don’t. If not, they present a serious threat to your security.

Security Awareness Training will help your employees know how to recognize phishing and spear-phishing emails and steps to avoid falling victim to them. They’ll learn how to handle security incidents when they occur and what to do. If your workers are informed about what to watch for, how to block IT theft attempts, and where they can turn for help, this alone is worth the investment.

And, make sure that they are trained often. People must be reminded regularly about cyber threats and their dangers. Plus, there are always new threats, so it’s essential to stay up-to-date and be aware. Ongoing training and testing reduce the incidence of the human error that increases your IT security risks.

5. Keep Your Systems and Software Current.

Software developers are diligent about releasing patches for new security threats. Make sure your Managed IT Service provider installs them as soon as they’re released (after they have been tested, of course). If you don’t, your company will be vulnerable. Your Managed IT Service provider should have a process for testing and deploying updates. It is also very important to apply updates for 3rd-party software (most of the recent breaches have been the result of unpatched systems and 3rd-party applications).

This is one of the most effective things you can do. It prevents security gaps and will limit system vulnerabilities that hackers find and exploit. Outdated software and operating systems that don’t immediately receive security patches leave you exposed.

Replace all outdated software before the developers end support. For example, Microsoft announced they are stopping mainstream support for Windows 7. All support for Windows 7 will end on January 14, 2020. This means that you won’t get bug fixes or security updates from Microsoft, and 3rd-party support may soon disappear. Over time, the declining security and reliability of Windows 7 (combined with the age of the hardware) will make your computers vulnerable and unreliable:

  • Your computers could be infected by malware because they are not being patched;
  • Eventually your antivirus protection won’t be updated;
  • Your online banking transaction protection may expire;
  • Your financial data could be exposed to theft; and
  • Your insurance company and/or regulatory body (for example the Payment Card Industry – PCI – i.e. the credit card companies) will not protect you in case of fraud.

6. Enforce Access Policies on Mobile/Personal Devices and Restrict Access to the Network.

With BYOD (Bring Your Own Device) use, mobile devices like smartphones, tablets and laptops present significant security challenges. They’re exposed to external threats, infections, and hackers; and when they’re connected to your internal network, they can compromise your company’s security.

Establish security policies for the use of such devices on your network. They should be password-protected so only authorized users can use them. Instruct your employees to only use devices that belong to them and have been protected by your security policies. Ask your Managed IT Services provider about Mobile Device Management that will wipe data from a device if it’s lost or stolen.

Also, know who has access to data, and enforce a “need-to-know” policy. Restrict access to only those who need it to do their jobs. Employ role-based access controls with secure logins. Limiting your employees’ authorization with role-based access controls reduces the potential for network-based intrusions and suspicious activity.

Define user permissions based on the access needed for their particular job. For example, your receptionist probably does not need access to your construction company’s financial data.

7. Enforce Strict Password Policies.

Weak passwords are one of your weakest links. Have your users create long passwords (more than 14 characters) that are complex. And never use the same password for different purposes. If one gets cracked, then a hacker can use it to access information in other places. Have your Managed IT Services provider install a business-grade password manager and restrict the use of browser-based password storage (i.e. NEVER save passwords in the web browser). A business-grade password manager enforces the use of strong passwords: it will suggest, capture and secure them at the same time, making it very painless to use.

It’s easy for hackers to crack passwords that contain only letters and numbers. Be sure to add special characters. And don’t use words in your passwords, only letters, numbers and symbols that don’t mean anything. Think of a phrase that you can remember and use the first letters of its words. Consider using a $ instead of an S or a 1 instead of an L, or including &, #, @ or %.

Also, consider using a password manager like LastPass or 1Password, where you can create and store strong passwords for your different accounts (personal and business and the business can retrieve/revoke their passwords if necessary).
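As an added illustration of the password policy described in step 7 (this is example code, not from the article or any product it mentions), the checker below enforces length over 14 characters, mixed character classes including a symbol, rejects dictionary words, and refuses reuse by comparing against salted hashes of earlier passwords. The word list and policy constants are constructed for the example; note that the dictionary check undoes common substitutions such as $ for S, because password-cracking tools apply those same substitutions automatically.

```python
import hashlib
import re
import secrets

# Constructed policy parameters mirroring the article: more than 14 characters,
# letters plus digits plus symbols, no dictionary words, and no reuse.
MIN_LENGTH = 15
SYMBOLS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")
# Constructed, deliberately tiny word list; a real deployment loads a full dictionary.
DICTIONARY_WORDS = {"password", "construction", "welcome", "summer", "company"}
# Common substitutions undone before the dictionary check ($->s, 1->l, 0->o, ...).
LEET_MAP = str.maketrans({"$": "s", "1": "l", "0": "o", "3": "e", "@": "a", "4": "a"})


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen history file does not reveal old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class PasswordHistory:
    """Stores salted hashes of previously used passwords so reuse can be refused."""

    def __init__(self):
        self._entries = []  # list of (salt, hash) pairs

    def add(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, _hash(password, salt)))

    def was_used(self, password: str) -> bool:
        return any(_hash(password, salt) == h for salt, h in self._entries)


def check_password(password: str, history: PasswordHistory) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs upper and lower case letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("needs a special character")
    normalized = password.lower().translate(LEET_MAP)
    if any(word in normalized for word in DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if history.was_used(password):
        problems.append("reused from a previous password")
    return problems
```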

8. Protect Your Construction Company with Cybersecurity Insurance.

Because cybercriminals are relentless, and the sophisticated threats they use are constantly evolving, construction companies are purchasing cybersecurity insurance. Contact your insurance agent to learn more about this and how it will protect you. You will also have to do your part to ensure your coverage obligations are met.

And, make sure that your third-party vendors’ IT systems are protected as well. Remember what happened with Whiting-Turner’s tax preparation company. Make sure they are also implementing at least these 8 steps to protect themselves from IT threats.

Most cybersecurity experts will tell you that it’s not a matter of “if” your construction company will be targeted, but “when” and how badly you will be hit. Even the best-protected networks can be breached; it is really about mitigating the risks. It’s important to also have a response plan in place in the event of a cyberattack. At Where To Start We
