If cybersecurity isn’t on your mind, maybe it should be. As construction businesses become more connected via the Internet, they are increasingly victimized by cyberattacks, often because cybersecurity is simply not on their radar. We’ll tell you what you need to know about cybercrime in the construction industry today, and what steps you should take to keep your data secure.
Your construction business is more connected today than it was in the past. You use internet-connected solutions and remote-access systems such as Building Information Modeling (BIM) (this is how Target was breached), telematics and project management software. These and other internet-based software solutions create opportunities for hackers to launch a cyberattack against your business and potentially your clients.
Construction firms have access to a wealth of information that’s desirable to hackers. Data including intellectual property, proprietary assets, building specifications, architectural drawings and financial accounts (yours as well as your clients’) are all prime targets for hackers.
These are just a few of the ways that your construction company’s data can be breached:
Hackers are using phishing and spear-phishing email scams to access banking and employee information such as Social Security numbers and payroll account data. They target general contractors, subcontractors, and the trusted relationships you have with your clients.
Phishing has become a serious problem all over the world, and that’s because it works so well. There are two types: phishing and spear phishing. These are the primary ways that hackers infiltrate your IT network and cause a breach.
With phishing, cyber thieves get sensitive information, such as login credentials, from unsuspecting employees. Though these techniques can be used separately, they are often used together: first, a spoofed email tricks the user into visiting a spoofed website, where the user is asked to enter their login information or their financial information. Either way, the end goal is to steal from your employee, and ultimately to collect any information that can be leveraged for additional attacks.
Spear phishing targets a specific individual, business or organization. Hackers spoof the “From:” field in the email to make it look like it’s coming from a trustworthy source (like your CEO or CFO). They pose as these individuals and request personal information on employees like Social Security numbers, corporate banking account information, or login credentials, ultimately to get money from you or your clients.
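The spoofed “From:” field described above is something a mail filter can check for. The following is an added example, not code from the original article: it parses two constructed sample messages (a genuine note from a fictional CFO and a spoofed request that copies her display name) and flags the signals a defender would look for: a known executive’s display name on an address that is not theirs, a sender domain outside the company, a Reply-To that diverts replies elsewhere, and urgency or sensitive-data wording. The domains, names and keyword list are assumptions chosen for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the article). The first is legitimate,
# the second mimics the CFO's display name on a look-alike domain.
LEGIT_MSG = """From: Dana Reyes <dana.reyes@example-builders.com>
To: payroll@example-builders.com
Subject: Q3 budget review

Please send the updated cost report by Friday.
"""

SPOOFED_MSG = """From: Dana Reyes <dana.reyes@example-builders-payroll.com>
Reply-To: accounts@freemail.example
To: payroll@example-builders.com
Subject: URGENT: W-2 forms needed today

I need the W-2s for all employees as PDF before noon. Send the SSNs too.
"""

# Assumed company data: the real domain(s) and the real addresses of executives
# whose names are most likely to be impersonated.
INTERNAL_DOMAINS = {"example-builders.com"}
EXECUTIVES = {"dana reyes": "dana.reyes@example-builders.com"}
# Words that typically appear in payroll/W-2 fraud requests (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "today", "wire", "w-2", "ssn", "social security")


def analyze(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name of a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but address {addr} is not {expected}")

    # 2. Sender domain is outside the company.
    if domain not in INTERNAL_DOMAINS:
        findings.append(f"external sender domain {domain}")

    # 3. Reply-To sends answers somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 4. Urgency / sensitive-data wording in the subject or body.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (str(msg["Subject"]) + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/sensitive-data wording: " + ", ".join(hits))
    return findings


def is_suspicious(raw, threshold=2):
    """Quarantine-worthy when at least `threshold` independent signals fire."""
    return len(analyze(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("spoofed", SPOOFED_MSG)):
        print(label, "->", analyze(raw) or "no findings")
```

The threshold matters: a single keyword such as “today” will fire on plenty of honest mail, so the example only treats a message as suspicious when two or more independent signals line up. Real deployments would add SPF/DKIM/DMARC results as a fifth signal and log the findings rather than silently dropping mail.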
A few years ago, Turner Construction was the victim of a spear-phishing scam. An employee was tricked into sending tax information for employees to a fraudulent email account. It included full names, Social Security numbers, states of employment and residences as well as tax withholding data. All of Turner’s employees were affected.
Baltimore-based Whiting-Turner Contracting, another top construction management and general contracting company, was also hit with a data breach. An outside vendor that prepared their W-2 and 1095 tax forms was targeted (this is part of a growing class of attacks that exploit trusted supply-chain relationships). Suddenly, their employees were reporting fraudulent tax filings being made in their names.
In addition to employee information, personal information regarding employees’ children and beneficiaries who received healthcare insurance coverage through Whiting-Turner was compromised.
Construction companies are vulnerable to phishing and spear-phishing attacks due to the industry’s high turnover. With multiple jobs, job sites, and workers, it’s challenging to set up uniform company training to educate employees about cybersecurity.
Plus, the number of vendors and subcontractors used in the construction industry, and the changing nature of contracting, add to the risk of someone accidentally leaking confidential information. All of this makes you a bigger and easier target for cybercriminals.
There’s no way to totally prevent your network and data from being hacked with the high turnover rate and a lack of education and awareness in the industry. But you can put a proactive plan in place to protect your IT assets. Here are 8 steps that you should take:
Appoint a staff member to be your point of contact to lay down the law about secure IT best practices. They should also be the liaison with your in-house IT team or Managed IT Service Provider. They must understand and help to enforce the regulations and security policies that you want your employees to comply with.
You can no longer rely on just one or two security mechanisms. Today’s cyber threats are sophisticated and designed to circumvent many of the countermeasures that companies install. If your antivirus or anti-spam solutions fail, you’ll have nothing left to protect your data, because the firewall your DSL provider gave you is really a firewall in name only. Your Managed IT provider should do the following:
You must have a backup copy of your data in case it’s stolen, accidentally deleted or falls victim to ransomware. Develop a policy that specifies what information is backed up, how often it’s backed up, where it’s stored and who has access to the backups. And make sure your backup systems are encrypted.
Your backups need to follow the 3-2-1 Backup Rule. The data is stored in 3 locations, in 2 different physical locations, and one of those locations is in the cloud. If the backup device is physically connected to your computer, it is NOT a backup, it’s a copy. Backups need to be performed at least daily (preferably they are performed hourly and tested daily). Your Managed IT provider should set the backups to occur automatically.
Your Managed IT provider must also test your backups regularly for recoverability, to ensure they are valid and can do what you are counting on them to do: save your company. This is fundamental to reducing risk, improving your security and ensuring your ability to restore your data if it’s locked down with ransomware, or if it’s lost for whatever reason.
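The 3-2-1 rule and the restore test above can be checked mechanically rather than trusted. The following is an added example, not code from the original article: it takes a constructed inventory of backup copies of one dataset, discards copies that are physically attached to the computer (a copy, not a backup, as the article puts it), stale, or that fail a checksum-based restore test, and then reports whether what remains still satisfies 3 copies, 2 physical locations and 1 cloud copy. The dataset, copy names, sites and the 24-hour freshness limit are assumptions for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone


def sha256(data):
    """Checksum used to prove a copy can be restored byte-for-byte."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: the live data and four copies of it. A fixed "now" keeps
# the example reproducible.
SOURCE = b"project-42 drawings and cost ledger (sample bytes)"
NOW = datetime(2020, 1, 10, 9, 0, tzinfo=timezone.utc)

COPIES = [
    {"name": "office NAS", "site": "head office", "cloud": False, "attached": False,
     "taken": NOW - timedelta(hours=3), "data": SOURCE},
    # USB drive plugged into the workstation: ransomware would encrypt it too.
    {"name": "USB drive on PC", "site": "head office", "cloud": False, "attached": True,
     "taken": NOW - timedelta(hours=1), "data": SOURCE},
    {"name": "cloud vault", "site": "cloud region A", "cloud": True, "attached": False,
     "taken": NOW - timedelta(hours=20), "data": SOURCE},
    # Tape that silently lost a byte: only a restore test would catch it.
    {"name": "warehouse tape", "site": "warehouse", "cloud": False, "attached": False,
     "taken": NOW - timedelta(days=3), "data": SOURCE[:-1] + b"?"},
]


def check_backups(source, copies, now, max_age=timedelta(hours=24)):
    """Return which copies are usable and every policy violation found."""
    expected = sha256(source)
    problems, valid = [], []
    for c in copies:
        if c["attached"]:
            problems.append(f"{c['name']}: physically attached, counts as a copy not a backup")
            continue
        if sha256(c["data"]) != expected:  # the restore test
            problems.append(f"{c['name']}: restore test failed, checksum mismatch")
            continue
        if now - c["taken"] > max_age:
            problems.append(f"{c['name']}: stale, last taken {now - c['taken']} ago")
            continue
        valid.append(c)

    # 3-2-1 as the article states it: 3 copies, 2 physical locations, 1 in the cloud.
    sites = {c["site"] for c in valid}
    if len(valid) < 3:
        problems.append(f"only {len(valid)} valid copies, need 3")
    if len(sites) < 2:
        problems.append(f"only {len(sites)} physical location(s), need 2")
    if not any(c["cloud"] for c in valid):
        problems.append("no valid cloud copy")
    return {"valid": [c["name"] for c in valid], "problems": problems}


if __name__ == "__main__":
    report = check_backups(SOURCE, COPIES, NOW)
    print("usable:", report["valid"])
    for p in report["problems"]:
        print("PROBLEM:", p)
```

In a real environment the `data` field would be replaced by an actual trial restore into scratch storage, with the checksum taken from the restored files; the point of the structure is that a backup which has never been restored is not known to be a backup at all.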
Your IT company needs to provide Security Awareness Training for your employees. As you saw with the Turner Construction case, your staff can have a significant impact on your cybersecurity; either they know enough to keep your IT assets secure, or they don’t. If not, they present a serious threat to your security.
Security Awareness Training will help your employees know how to recognize phishing and spear-phishing emails and steps to avoid falling victim to them. They’ll learn how to handle security incidents when they occur and what to do. If your workers are informed about what to watch for, how to block IT theft attempts, and where they can turn for help, this alone is worth the investment.
And, make sure that they are trained often. People must be reminded regularly about cyber threats and their dangers. Plus, there are always new threats, so it’s essential to stay up-to-date and aware. Ongoing training and testing reduce the instances of human error that increase your IT security risks.
Software developers are diligent about releasing patches for new security threats. Make sure your Managed IT Service provider installs them as soon as they’re released (after they have been tested, of course). If you don’t, your company will be vulnerable. Your Managed IT Service provider should have a process for testing and deploying updates. It is also very important to apply updates for 3rd party software (most of the recent breaches have been the result of unpatched systems and 3rd party applications).
This is one of the most effective things you can do. It prevents security gaps and will limit system vulnerabilities that hackers find and exploit. Outdated software and operating systems that don’t immediately receive security patches leave you exposed.
Replace all outdated software before the developers end support. For example, Microsoft announced they are stopping mainstream support for Windows 7. All support for Windows 7 will end on January 14, 2020. This means that you won’t get bug fixes or security updates from Microsoft, and 3rd party support may soon disappear. Over time, the declining security and reliability of Windows 7, together with the age of the hardware it runs on, will make your computers vulnerable and unreliable.
With BYOD (Bring Your Own Device) use, mobile devices like smartphones, tablets and laptops present significant security challenges. They’re exposed to external threats, infections, and hackers, and when they’re connected to your internal network, they can compromise your company’s security.
Establish security policies for the use of such devices on your network. They should be password-protected so only authorized users can use them. Instruct your employees to only use devices that belong to them and have been protected by your security policies. Ask your Managed IT Services provider about Mobile Device Management that will wipe data from a device if it’s lost or stolen.
Also, know who has access to data, and enforce a “need-to-know” policy. Restrict access to only those who need it to do their jobs. Employ role-based access controls with secure logins. Limiting your employees’ authorization with role-based access controls reduces the potential for network-based intrusions and suspicious activity.
Define user permissions based on the access needed for their particular job. For example, your receptionist probably does not need access to your construction company’s financial data.
Weak passwords are one of your weakest links. Have your users create long passwords (more than 14 characters) that are complex. And never use the same password for different purposes: if one gets cracked, a hacker can use it to access information in other places. Have your Managed IT Services provider install a business-grade password manager and restrict the use of browser-based password storage (i.e., NEVER save passwords in the web browser). A business-grade password manager enforces the use of strong passwords, and it will suggest, capture and secure them at the same time, making it very painless to use.
It’s easy for hackers to crack passwords that contain only letters and numbers. Be sure to add special characters. And don’t use words in your passwords, only letters, numbers and symbols that don’t mean anything. Think of a phrase that you can remember and use the first letters of its words. Consider using a $ instead of an S or a 1 instead of an L, or including an &, #, @ or %.
Also, consider using a password manager like LastPass or 1Password, where you can create and store strong passwords for your different accounts (personal and business and the business can retrieve/revoke their passwords if necessary).
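A password policy is only as good as the check that enforces it. The following is an added example, not code from the original article: a small checker that applies the rules above (more than 14 characters, mixed character classes, no dictionary words, no reuse) and, as a caveat the article’s substitution tip needs, undoes common swaps such as $ for S and 1 for I before looking for dictionary words, because cracking tools apply those same swaps. The word list and the reuse check (a set of hashes of passwords already used elsewhere) are assumptions for the example.

```python
import hashlib
import re

MIN_LENGTH = 15  # "more than 14 characters"

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = ("password", "summer", "welcome", "construction", "builder", "admin")

# Undo the substitutions attackers try first: $->s, 1->i, 0->o, @->a, 3->e.
LEET = str.maketrans("$10@3", "sioae")

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(pw, previously_used_hashes=()):
    """Return a list of policy violations; an empty list means the password passes."""
    issues = []

    if len(pw) < MIN_LENGTH:
        issues.append(f"too short ({len(pw)} < {MIN_LENGTH})")

    if not all(re.search(p, pw) for p in CLASS_PATTERNS):
        issues.append("needs lower-case, upper-case, digit and special character")

    # Look for dictionary words after reversing the usual letter/symbol swaps,
    # so "C0nstruct1on!" is still recognised as the word "construction".
    normalized = pw.lower().translate(LEET)
    for w in COMMON_WORDS:
        if w in normalized:
            issues.append(f"contains dictionary word '{w}' (even with substitutions)")
            break

    # Reuse check against hashes of passwords already used for other purposes.
    # Real systems would use a salted, slow hash; SHA-256 keeps the example simple.
    if hashlib.sha256(pw.encode()).hexdigest() in previously_used_hashes:
        issues.append("reused: same password already used elsewhere")

    return issues


if __name__ == "__main__":
    for candidate in ("C0nstruct1on!", "Tr@vel-Mud-Crane-9Ladder"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that a passphrase built from unrelated words passes while a single dictionary word dressed up with symbols does not, which is the practical reason the article pairs the substitution advice with the recommendation to let a password manager generate and store passwords.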
Because cybercriminals are relentless, and the sophisticated threats they use are constantly evolving, construction companies are purchasing cybersecurity insurance. Contact your insurance agent to learn more about this and how it will protect you. You will also have to do your part to ensure your coverage obligations are met.
And, make sure that your third-party vendors’ IT systems are protected as well. Remember what happened with Whiting-Turner’s tax preparation company. Make sure they are also implementing at least these 8 steps to protect themselves from IT threats.
Most cybersecurity experts will tell you that it’s not a matter of “if” your construction company will be targeted, but “when”, and how badly you will be hit. Even the best-protected networks can be breached; it is really about mitigating the risks. It’s important to also have a response plan in place in the event of a cyberattack.