The Importance of Cybersecurity in Construction

Data security is a topic that is at the forefront of discussion for most businesses today. Not all that long ago, the idea of someone stealing your money, compromising your identity or hijacking your files was reserved to physical crimes like burglaries, muggings or larceny. However, as the world around us has digitized and we’re more reliant on technology for every aspect of our lives, data security has become a priority — both in our personal lives and in our businesses. 

In a recent Viewpoint podcast on the topic with cybersecurity expert Bryce Austin, principal of TCE Strategy, he broke down some of the risks lurking in the shadows. “The internet has shrunk the world to the head of a pin, and as soon as you take a device – any device, be it one of these new Internet of Things smart speakers you put in your home, a new thermostat, a new piece of construction equipment, there are people on the internet that would like to do you harm or steal your money,” he said.

In that podcast, Austin shared what companies can do to protect themselves and why the cloud — when using the appropriate safeguards — can provide companies with more stringent security measures and peace of mind than the data protection methods we’ve relied on in years past. 

The Importance of Vigilance in the Digital Age

Thanks to the Internet, the world has shrunk. The positives — expanded access to the world, communication, information-sharing, virtual experiences and real-time business, business and commerce — far outweigh the negatives, Austin said. However, the new global connectivity also means more access that nefarious actors have to you and/or the places you work. If we let our guard down or allow unprotected pathways to unwanted interactions, we run the risk of being taken advantage of. 

And for cybercriminals, it’s big business. In 2018, $1.5 trillion was lost in cybersecurity expenses, in extortion or theft from hacks or lost productivity as a result of breaches, Austin noted. He pointed to estimates by Forbes magazine that the next three to five years could see losses exceed $6 trillion. And prosecuting these crimes is difficult since they often are initiated from nations with little to no recourse or in some cases, directed by government agencies as political maneuvers. 

Recent high-profile cases of these cyber-security breaches that caused damage to businesses (and people). Just last month, a Seattle tech worker was arrested for perpetrating a massive data breach of credit card provider Capital One that compromised personal information from more than 100 million credit card applications. Other recent incidents include: the Equifax breach that compromised the personal information of more than 143 million Americans; the hack of Sony’s data following the release of the controversial comedy, “The Interview,” which angered North Korean officials for its portrayal of an assassination attempt of leader Kim Jong-un; and a hack of multiple companies that did business with Ukraine (allegedly by Russian agents). In the latter example, one of the Ukraine’s online applications companies that is used to pay taxes in Ukraine was hacked. Large corporations like shipping company Maersk, pharmaceutical provider Merck and law firm DLA Piper were among those affected. 

In the construction industry, contractors rely on heaps of data to facilitate complex construction projects. Because of that, they can often be targets of cyber criminals. Multiple projects, using many different applications and hundreds, if not thousands of workers entering data can provide plenty of potential doors of opportunity for cyber criminals to knock on. So, how do contractors ensure these doors stay locked? Austin said protection begins with knowing what the tactics are.

3 Threats to Be Aware Of

Here is a look at three common cybersecurity threats Austin noted in the podcast:

Ransomware: In this attack, a breach occurs when you or someone at your organization clicks on a link or file in an email, or hackers are able to crack your password. Once they’re in, they unleash a program that essentially hijacks your computer and data until you agree to pay a fee. Austin said he has worked with companies that were put in difficult positions where their operations are effectively shut down and they have to decide whether to remain closed or pay the ransom – sometimes in excess of $100,000. 

Phishing: By far the most widely used, phishing is essentially looking for people or habits that criminals can take advantage of. In these cases, victims might get an email, text or even call alerting them of a reported virus, locked account or other “problem” with a software application or credit card they use. Many times, these attempts will target folks that don’t even use the application, device or account in question — hence the phishing designation. The offenders request access to a system, ask for a card number or other personal information, or try and get the victim to visit a site where they can skim their data. Of course, it’s not true, and most legitimate providers and retailers rely on more legitimate ways to alert users of problems, but many folks fall for this anyway. In other cases, someone will call an elderly person and tell them their son or daughter has been injured or imprisoned and need an immediate $5,000 or $10,000 to help them out and ask for the money online or via wire transfers. 

Austin notes there is a new approach called “spear-phishing” which is much more targeted, where scammers do online research to build a profile to use to make the scam more believable. They may also appeal to folks’ likes and interests by offering up bogus special deals (front row tickets to concerts of folks’ favorite bands, exclusive peaks of movies, etc.) to get people to share information or credit card numbers.

Wire Transfers: Wire transfers are another area that have given thieves access to companies and individuals. And it’s one that has particular interest in construction, where multiple bills, invoices and payments permeate the daily work. In these scams, criminals might send phony invoices or call requesting immediate payment for items in order to avoid default. Once the money is transferred, it’s gone forever (and thieves could have a new back door into your payment processes). Austin strongly recommended a policy where wire transfers are forbidden without a specific phone call being made to someone you are on a first-name basis with to authorize it. No emails — ever to authorize wire transfers or change bank account numbers. 

Enacting Safeguards

Modern technology developments are putting real and reliable safeguards in place to prevent cyberattacks or provide victims with better options for handling them if they do occur. 

With many companies moving operations and business management to the cloud — including leading construction firms — the weaknesses of yesterday have been replaced with stronger security and protective measures that generally make storing of data and working in the cloud safer than with on-premise software, manual processes like pen and paper and hardware that consistently needs updating. 

Older software and processes are proving much more vulnerable to security incidents as its generally up to the companies deploying them to stay on top of all the needed updates, backups and maintenance.  This can often leave the door open for older, but proven means of exploitation. Hosting data in the cloud with reliable vendors ensures that data monitoring and protection is a daily occurrence, handled by technologists trained to spot them. It’s akin to having the same protections of personal credit and identity monitoring — but for your company’s software.

And, there are legions of cybersecurity experts are further helping companies by staying on top of the latest schemes and exposing weaknesses in organizations before the criminals do. 

Watch this on demand webinar on mobile device and cybersecurity management: Best Practices for a Smart BYOD Strategy.

4 Keys to Thwarting Cyber Criminals 

Still, even with the cloud, there are steps contractors should take to maximize their cybersecurity efforts. Here’s a look at some keys:

• Deploy Multifactor Authentication — Wherever you can, put multifactor authentication in place where multiple steps or devices are needed when logging in from new devices—this makes it significantly harder for cybercriminals to get into your systems and the odds are most will move on to the next target.

• Demand strong usernames and passwords — The more complex the usernames and passwords are, the harder they’ll be for scammers to figure out. And, require passwords be changed routinely so that it makes it even tougher.

• Backup Files — Austin suggests people and companies back up their files in multiple places. Having files accessible in the cloud is essential should local devices or servers go down, but the opposite is also true. If there is a breach with a cloud provider or something goes wrong, have critical files routinely backed up on devices like flash drives, external hard drives or servers.

• Provide Consistent Training and Updates — One of the biggest issues is that most people don’t know about new threats until they’re affected by them. Austin noted each company should have at least one designated person to stay on top of the latest threats and train employees thoroughly on how to spot and avoid them.

“In the construction industry, I don’t see as many companies taking advantage of cybersecurity expertise or seeking outside training or help,” Austin said. “I’d like to encourage companies to consider having a cybersecurity coach and a technology coach to be successful in this space because it is a complex, ever-changing landscape.”

Learn more about how Viewpoint is a Trusted Technology Partner for more than 8,000 clients across the globe. Or, contact Viewpoint today to learn how cloud-based construction management software can mitigate data risks while boosting efficiencies and profits.