
Protecting Against Cyber Threats in the Construction Industry


Most of us do not immediately consider cyberattacks an issue when we think of the construction industry. Yet, like practically all businesses today, construction companies use computers, software and handheld devices, and keep data in the cloud, which makes them vulnerable to cyber threats.

However, unlike most industries, construction experiences unique challenges due to the following characteristics:

  • Complex ecosystem: Construction projects involve many different companies working together, often with varying cybersecurity practices. This creates a larger attack surface for hackers to target.
  • Mix of IoT and OT: Construction sites increasingly use internet-connected devices (IoT) for things like building controls and automation (operational technology, or OT). Security for these systems can be weaker than for traditional IT systems, making them vulnerable.
  • Mobile workforce: Construction workers are often on the move, using laptops, tablets, and phones on unsecured Wi-Fi networks. This can make them more susceptible to phishing attacks and malware.
  • Data sensitivity: Construction companies handle a lot of valuable data, such as blueprints, financial information, and personally identifiable information (PII). A data breach can be very damaging, not only financially but also to a company’s reputation.

We want to highlight four focus areas for best cybersecurity practices:

  1. Shift to endpoint protection
  2. Cloud environments
  3. Password management and two-factor authentication
  4. Fostering a culture of cybersecurity

The Shift to Endpoint Protection

The traditional model of a secure, on-premises network, which protects all devices behind a firewall, is becoming increasingly obsolete. With the rise of remote work, the introduction of mobile devices into the workflow, and the use of Internet of Things (IoT) devices on construction sites, the number of endpoints accessing potentially sensitive data has grown significantly.

Because most of these devices are not behind a perimeter firewall, whether on a construction jobsite or when used remotely, they present a significantly larger attack surface for bad actors. You therefore need to implement robust endpoint security measures such as disk encryption, Endpoint Detection and Response (EDR) solutions, and Configuration Change Detection and Response (CCDR) agents.

  • EDR is essentially next-generation antivirus software. Antivirus software was reactive, whereas EDR is proactive. Traditional antivirus software is installed directly on a device or server to protect it from malicious programs. An EDR system, on the other hand, is software that detects and halts cyberthreats while providing visibility and control over all devices on a network.
  • CCDR agents provide continuous monitoring and intelligent alerting for configuration changes across diverse systems and applications. They enable IT professionals to identify misconfigurations, maintain compliance, and prevent operational disruptions caused by configuration-related risks. These changes can be made by employees or by outside bad actors. Having software in place to immediately detect configuration changes can help stop an attacker before any damage has been done.

Cloud Environments

The construction industry has made the shift to relying on cloud-based solutions for project management, collaboration, and data storage, just like many industries. However, misconfiguring these cloud environments can leave sensitive information vulnerable. 

Once an attacker gains access to any of these systems, they will not only have access to your company’s critical project information, financial data, and intellectual property, but can also leverage your systems to attempt to exploit any partner, vendor, or client that you interact with through that system.

Misconfigured cloud environments can lead to several issues, both in security and functionality. Here are some of the biggest problems:

  • Security breaches. This is a major one. If your cloud settings are wrong, it can be like leaving your front door wide open. Hackers can exploit these weaknesses to steal data, install malware, or launch other attacks.
  • Data leaks. Sensitive information like financial records or customer data can be accidentally exposed if cloud storage is misconfigured.
  • Unauthorized access. Improper permissions settings can give users access to data or systems they shouldn’t have. This could be accidental or intentional (by a malicious insider).
  • Service disruptions. Cloud misconfigurations can also lead to outages and downtime for your applications and services. This can cost you money and damage your company’s reputation.
  • Increased costs. You might end up paying for resources you’re not using due to misconfigurations. For instance, incorrectly setting up storage can lead to unnecessary charges.

These problems can be caused by a few things, like human error (forgetting to change default settings), a lack of proper training, or the complexity of managing cloud environments.

Password Management and 2FA

Implementing password management software and requiring two-factor authentication (2FA, also known as multifactor authentication, MFA) for access to each system is paramount to protecting your data and systems. A recent study released by Bitwarden, based on a survey of 800 top-level IT professionals in the UK and the US, showed that 90% of employees admit to reusing the same password across different services and platforms.

A password management system will not only create a unique, strong password for each login, but will also remember and autofill it for the user each time. No more writing down all your login credentials or reusing the same four usernames because you can’t remember more. 

Sharing passwords is necessary for most companies so that workers can collaborate and use shared accounts, but the way many of these passwords are shared tends to be highly risky. 41% of people reportedly send each other account passwords through emails, and 38% use shared online documents that contain the passwords. Passwords shared in these ways can be easily intercepted by malicious actors, putting a company’s sensitive data and IP at risk. A password management system helps companies share passwords securely between employees and remove users who should no longer have access to certain software.

If 2FA is activated on every system, then even if an employee’s credentials are stolen in a breach, you can ensure that access to your cloud data is protected because the hacker will not have access to the 2FA credentials. There are several authentication apps to choose from when implementing 2FA/MFA.

Fostering a Culture of Cybersecurity

Perhaps the most crucial element in fighting cyber threats is cultivating a strong cybersecurity culture within your organization. All industries need to prioritize cybersecurity awareness training for every single employee, from executives to field workers. 

Consistent training (and the occasional testing of that knowledge) should equip employees with the knowledge and skills to identify and respond to potential phishing attempts, understand best practices for password management, and report suspicious activities.

Continuous improvement of cybersecurity is crucial; however, this extends beyond end user training. To ensure organizational resilience against cyber threats, your organization should be writing and formalizing processes such as: 

  • Backup strategy and recovery planning
    • Do you test your backups’ integrity to ensure they contain usable data?
    • Are your backups current and accessible?
    • Are your backups stored separately? (i.e., if your data resides on-premises, are your backups in the cloud? If they are in the cloud, are they backed up to an alternative cloud provider?)
    • What is the expected time to restore from a backup?
  • Business continuity planning
    • Begin strategizing about “What is our plan to keep our business moving in the event one of our core IT dependencies or data sets goes down?”
    • What alternative solutions do we have that can ensure our business does not lose money in the event of an outage (breach, tornado, etc.)?
  • Disaster recovery plans
    • When discussing disaster recovery planning, take note that this is a culmination of multiple plans on what the formal steps will be when a core IT dependency goes down.
    • Start documenting plans for everything from how to handle a force majeure event to what to do if there is a power outage or your internet service provider is down.
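
The first two backup questions above (is the data intact, and is it current?) can be checked automatically, and the same baseline comparison underlies the configuration change detection described under endpoint protection. The following is an added example, not part of the original article; the function names, the JSON manifest layout and the 24-hour freshness threshold are assumptions.

```python
import hashlib, json, os, tempfile, time

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, root)] = h.hexdigest()
    return digests

def write_manifest(root, manifest_path, now=None):
    """Record the known-good state. Keep the manifest outside root, ideally
    on another system, so whoever alters the files cannot rewrite it too."""
    manifest = {"created": time.time() if now is None else now, "files": snapshot(root)}
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest

def verify(root, manifest_path, max_age_hours=24, now=None):
    """Compare root with the manifest; flag drift and an out-of-date baseline."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    expected, actual = manifest["files"], snapshot(root)
    now = time.time() if now is None else now
    report = {
        "missing": sorted(set(expected) - set(actual)),
        "unexpected": sorted(set(actual) - set(expected)),
        "modified": sorted(p for p in expected if p in actual and expected[p] != actual[p]),
        "stale": now - manifest["created"] > max_age_hours * 3600,
    }
    report["ok"] = not any(report.values())
    return report

if __name__ == "__main__":
    # Constructed sample data: a tiny "backup" tree in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "backup")
        os.makedirs(root)
        with open(os.path.join(root, "drawings.txt"), "w") as fh:
            fh.write("floor plan rev A")
        write_manifest(root, os.path.join(tmp, "manifest.json"))
        with open(os.path.join(root, "drawings.txt"), "w") as fh:
            fh.write("floor plan rev B")  # simulate corruption or tampering
        print(verify(root, os.path.join(tmp, "manifest.json")))
```

A matching hash shows only that the files are unchanged since the manifest was written; a periodic test restore is still needed to confirm the data is usable and to measure the time to restore.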

***

Construction professionals should discuss cyber hygiene practices with every other company they partner with to ensure security is in place across all systems. Creating redundant backup systems and disaster recovery and business continuity plans, along with establishing a proactive security culture, will help build a stronger business foundation. Just as OSHA dictates best practices for construction industry safety measures and procedures, it is a best practice to acknowledge the ever-evolving cybersecurity landscape and implement systems to safeguard critical assets to ensure operational continuity.

 
