A/E/C (Architecture/Engineering/Construction) firms often have a difficult task: protecting their data across their teams while keeping prying eyes from getting at it. Because so many companies collaborate on a single project, from joint-venture partners to vendors and subcontractors, accessibility is a must; yet confidential and proprietary data still need to be protected. Here are 9 suggestions on how you can protect your data while still being able to share it securely.
- Restricted File Access – One of your first lines of defense is the design of your file and folder permission structure on your company file server. Make sure people in your firm can only access the files and folders they need to do their jobs (the principle of least privilege). Most companies set these permissions up by department (e.g. accounting, marketing, engineering) using security groups rather than individual user entries, which turns employee onboarding and offboarding into adding or removing a group membership. This design process is known as File Access Management, and there are services and software available to make it easier and more efficient, especially for large build industry companies. Whatever tool you use, review the permissions periodically: folders that start out restricted tend to accumulate extra access over the life of a project.
- Encrypted File Sharing – A lot of A/E/C firms share files with clients, subcontractors, and even vendors, and they often use file-sharing applications like Dropbox, MS OneDrive, Anchor, etc. to share files outside the organization. When you share files across the public internet, always send them securely: use a service that encrypts the files in transit and at rest, share with named recipients (or at least a password-protected link) rather than an open "anyone with the link" link, and make sure the share has an expiration date that limits how long someone can access the file or folder. An email attachment gives you none of these controls once it leaves your mail server.
- Consistent Updates – Another key aspect of securing your data is being proactive about keeping your operating systems and common applications (browsers, PDF readers, Office, CAD and BIM tools) up to date. Consistently apply the security patches and critical updates that vendors release, and retire software the vendor no longer patches. These patches fix the vulnerabilities that cyber attackers exploit to get at your data, and many attacks use vulnerabilities for which a patch was already available.
- Robust Filtering – You can further fortify your network against outside attacks with web filtering and spam filtering tools. Today's email filtering tools scan attachments, and some open them in a sandbox to check for malicious behaviour, before they reach your inbox; treat this as a strong filter rather than a guarantee, and keep training users not to open unexpected attachments. These email tools also let you send an email securely (by encrypting it) from Outlook, and can automatically encrypt an outgoing email if it detects a credit card number, social security number, or even a confidential code word. Add web filtering and you further ensure your employees do not reach inappropriate or potentially harmful websites that could infect your network.
- Cyberattack Protection – A/E/C firms are a sizable target for cyber attackers because of the volume of money passing through the company, the number of employee records, and the confidential information stored on servers. Ransomware can be especially disastrous for A/E/C firms: it encrypts large numbers of your data files, typically including every network share the infected user can write to, and then holds the decryption key hostage (if you want your files back, you have to pay the ransom). Unfortunately, as fast as security vendors come up with ways to stop and prevent the newest ransomware variants, the ransomware creators find new ways to succeed just as fast.
So what do you do when a ransomware attack hits your company? It is best practice to isolate the affected machine(s) from the network ASAP: unplug the network cable or disable Wi-Fi so the encryption cannot keep spreading to network shares. Then restore data from the latest clean backup instead of paying the ransom. What if you don't have good backups? Then your only remaining option may be to pay the ransom, which can run thousands of dollars, and even then there is no guarantee that the key they give you works. The lesson here is to follow best practices for backing up your data: keep at least one copy offline or otherwise unreachable from the network (ransomware encrypts connected backup drives too), and confirm that the backups are good by doing test restores on a regular schedule.
- Proactive Hardware Management – It may surprise you that the majority of data loss is not caused by cyberattacks or natural disasters: around 78% of data losses come from hardware or system malfunction (Source: Kroll Ontrack Data Recovery). This means the most likely reason you will lose data is a server, workstation, or other key piece of hardware holding it failing. To mitigate this risk, we suggest a proactive approach of replacing hardware before it is likely to fail, known as Hardware Lifecycle Management. We especially recommend following industry best practices for servers, PCs, laptops, and core network equipment, and monitoring disk health (SMART and RAID controller alerts) so a failing drive is replaced before its mirror fails as well. A good IT firm will work with you to build and follow a Hardware Lifecycle Management policy for your company. Lifecycle management reduces how often hardware fails; it does not replace backups for when it does.
- Employee Termination Processes – As soon as an employee quits or is released, have all of their accounts disabled: the domain account, email and cloud services, and any project collaboration sites. Don't forget their VPN (Virtual Private Network) access; revoke it on the server side (account, group membership or client certificate) rather than relying on removing the client from their workstation or mobile device, since you may not get the device back. You should also be able to wipe the company data on an employee's smartphone, whether they have left or the device is lost or stolen. Finally, rotate any shared passwords the employee knew.
- Lock Mobile Devices – One of the most effective ways to secure mobile devices is requiring a passcode to unlock the phone or tablet. This 3-second step does not impair productivity, and on current phones the passcode also keys the device's storage encryption, so your data stays protected if the device ends up in the wrong hands, even when that person's intent is not malicious. Requiring a passcode to unlock the device is much more effective than only asking for a username and password in specific applications. Enforce it through your mobile device management tool, with a short auto-lock timeout, rather than leaving it to each employee.
- Ongoing Training – Finally, proper training of your employees goes a long way. Train them on your company's policies for protecting data and what they need to do to follow them. Take time to teach them which email attachments they should NOT open, never to share their passwords with anyone, and what to do when they make a mistake and break policy; make reporting easy and blame-free, because the sooner someone reports a clicked link, the less damage is done. Good training and open communication will help you prevent problems, or stop them quickly, throughout your business.
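The department-based folder permissions described in the first suggestion, as an added PowerShell example that is not part of the original article. It assumes a Windows file server with the ActiveDirectory module, a hypothetical share root `D:\Shares\Departments`, a hypothetical OU for the groups, and a hypothetical group naming convention `FS-<Department>-RW`; adjust all three to your environment.

```powershell
# Added example (not from the original article). Creates one AD security group
# and one folder per department, breaks permission inheritance on each folder,
# and grants access only to Administrators, SYSTEM and that department's group.
Import-Module ActiveDirectory

$ShareRoot   = 'D:\Shares\Departments'                                   # assumed path
$Departments = 'Accounting', 'Marketing', 'Engineering'
$Domain      = (Get-ADDomain).NetBIOSName
$GroupOu     = "OU=FileShareGroups,$((Get-ADDomain).DistinguishedName)"  # assumed OU

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

foreach ($dept in $Departments) {
    $groupName = "FS-$dept-RW"                                           # hypothetical naming convention
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $GroupOu
    }

    $folder = Join-Path $ShareRoot $dept
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    $acl = Get-Acl -Path $folder
    # Stop inheriting from the share root and discard the inherited entries, so a
    # broad "Authenticated Users" or "Everyone" grant on the parent cannot leak in.
    $acl.SetAccessRuleProtection($true, $false)

    $rules = @(
        @('BUILTIN\Administrators', 'FullControl'),   # administration and restores
        @('NT AUTHORITY\SYSTEM',    'FullControl'),   # backup agent, AV, search indexing
        @("$Domain\$groupName",     'Modify')         # Modify, not FullControl: members
                                                      # cannot re-grant access to others
    )
    foreach ($r in $rules) {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $r[0], $r[1], $inherit, $prop, 'Allow'))
    }
    Set-Acl -Path $folder -AclObject $acl
}

# Check: warn about any ACE on a department folder that is not one of the three
# expected identities. Run this on a schedule to catch permission drift.
Get-ChildItem -Path $ShareRoot -Directory | ForEach-Object {
    $folderPath = $_.FullName
    $expected   = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$Domain\FS-$($_.Name)-RW"
    (Get-Acl -Path $folderPath).Access |
        Where-Object { $expected -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            Write-Warning "Unexpected ACE on ${folderPath}: $($_.IdentityReference) $($_.FileSystemRights)"
        }
}
```

With this layout the SMB share permission on the root can stay broad (for example Authenticated Users with Change) and NTFS does the real restricting, so giving a new hire access to a department is a single `Add-ADGroupMember` call and removing it is a single `Remove-ADGroupMember`. The closing check is the part to keep running: it is how you find the "temporary" grant to an individual user that someone added during a project and never removed.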
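The server-side revocation steps from the Employee Termination suggestion, as an added example for an on-premises Active Directory environment; this is not the article's own script. It assumes the ActiveDirectory module, a hypothetical disabled-users OU, and that VPN and file share access are granted through group membership. Wiping a phone and disabling cloud (Microsoft 365, Dropbox, project portal) accounts are separate steps in those tools' own consoles and are not shown here.

```powershell
# Added example (not from the original article). Offboards a departed user:
# disables the account, invalidates the password, strips every group membership
# (which is what revokes VPN and file share access when those are group-based),
# clears the dial-in flag, and moves the account to a holding OU.
Import-Module ActiveDirectory

function Disable-DepartedUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOu = 'OU=Disabled Users,DC=example,DC=com'   # assumed OU
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    $when = Get-Date -Format 'yyyy-MM-dd'

    # 1. Disable the account and reset the password to a random value, so saved
    #    VPN profiles and cached credentials stop working even if a client still
    #    has them.
    Disable-ADAccount -Identity $user
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $random = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $random

    # 2. Remove every group membership (VPN group, department file share groups,
    #    application groups). The primary group, Domain Users, is not listed in
    #    MemberOf and stays; the disabled account cannot use it anyway.
    $formerGroups = @($user.MemberOf)
    foreach ($groupDn in $formerGroups) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 3. Record what was removed on the object itself, for audit and for rollback
    #    if HR reverses the decision.
    Set-ADUser -Identity $user -Description "Disabled $when; former groups: $($formerGroups -join ';')"

    # 4. Clear the dial-in permission explicitly, in case the VPN server checks
    #    msNPAllowDialin rather than a group.
    Set-ADUser -Identity $user -Replace @{ msNPAllowDialin = $false }

    # 5. Park the object in the disabled OU so policies and reports treat it
    #    consistently. Done last because it changes the distinguished name.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

    [pscustomobject]@{
        User          = $SamAccountName
        DisabledOn    = $when
        GroupsRemoved = $formerGroups.Count
    }
}

# Usage (hypothetical account name):
Disable-DepartedUser -SamAccountName 'jsmith'
```

Run this at the moment HR gives notice, not at the end of the day. If your VPN authenticates with client certificates instead of, or in addition to, AD credentials, revoke the user's certificate on the issuing CA as well, since nothing above touches it; and if the account owned any shared mailboxes or service passwords, rotate those separately.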
If you have any additional or specific questions about securing your A/E/C firm’s data while not impairing your employee’s productivity, contact me.