December 7, 2016

Although the construction industry is not top of mind when thinking about the industries that fall victim to the most cyber-attacks, cyber-attacks are still a critical threat to any business that is connected to the internet. Because of the way a construction company and its associated partners access and share data, cyber security should be a component of risk mitigation for every company.

The construction industry shares information across multiple platforms and companies throughout the entire project, compounding the risk for all parties. IPD (Integrated Project Delivery), BIM/Revit models, estimating packages, collaboration tools and ERP products are examples of technologies and applications that share information and data and therefore pose risk.

Actions You Must Consider

There are some specific actions that companies should consider to help reduce risk. The list could go on and on; however, these actions need to be taken into consideration for several reasons: they help identify what needs to be done at a base level, they are a scalable approach to moving up the security ladder, and they help eliminate the costly high-level security spends that firms find themselves considering.

  1. Limit Access: Only give users access to what they absolutely need. This will help reduce exposure when an account is compromised. It is also one of the easiest and least costly measures to implement.
  2. Password Policy: This is simple yet very important for no other reason than you want to protect accounts and access to systems. Lack of a password policy leaves companies and users vulnerable to password guessing and cracking.
  3. Maintenance, Cleanup & Audit: Regularly scheduled maintenance of active user accounts to identify unused and/or dormant accounts, together with patch management and keeping antivirus and anti-malware software up to date, helps to decrease risk.
  4. Email Protection: This one is critical because email is a major vehicle for communication in the industry, which makes it a primary conduit for an event to occur. Use a commercial-grade device or service that inspects all email for spam and viruses, in addition to virus scanning on the client devices themselves. Doubling your protection here is well advised.
  5. Web Filtering: It is entirely too easy for a user to be redirected to a compromised site, especially for users whose job entails research of any kind. Web filters are purchased as software or as a device.
  6. Professional Network Design & Use of Commercial Grade Devices: Failing to use a professional network design and commercial-grade devices increases vulnerabilities and exposures. Many information technology consulting firms staff high-level engineers to help create these designs and make hardware recommendations.
  7. Educate Staff & Employees: Employees don’t know what they don’t know. Educating employees creates an awareness that helps to limit costly errors.
  8. Backup: This cannot be stressed enough. A solid backup and replication strategy is your primary safeguard when a compromising event destroys or corrupts data.

Don’t ask IF, ask WHEN you will be hacked:

PwC's 17th Annual Global CEO Survey stated that 69% of US executives are worried that cyber threats will impact growth. This is one of the few times that it is recommended to be part of the statistic. Be proactive; don't wait until you've had an attack that will surely cost your organization time and money. Meet with your internal IT staff and engage an external IT consultant. Discuss the existing measures that are being taken to address cyber security and create a baseline of existing conditions. Then build out the strategic roadmap to move your organization up the security scale.