The construction industry is driving technology and innovation on the jobsite to become more efficient and profitable and to combat the ongoing worker shortage. Today, construction equipment is equipped with on-board computers, sensors, GPS, and more. Crews must work with dozens of companies, from the design phase with architects, engineers, and sub-consultants to the build phase with its numerous subcontractors, and that requires them to share sensitive data in real time. Yet, with all this technology and data, there is no universal industry best practice for cybersecurity in construction, the way healthcare has HIPAA compliance. So how do you minimize the cybersecurity risks at your construction company without affecting productivity?
First off, know your challenges.
Top 3 Cybersecurity Risks in Construction:
- Mobile Workforce – Construction has a fluid environment that changes daily. Most of a construction company’s employees are in the field and their office is a jobsite trailer, so IT needs to fortify that trailer just like it would any office. With so many field employees, most employees use laptops, tablets, and smartphones, all of which leave the safety of the main office. You need to require all users to enter a password to access these devices, and you should be able to revoke a device's access to company data or wipe all company data off the device remotely.
- File Sharing Outside the Company’s Network – Since construction is a team sport that takes dozens of companies to complete a project, confidential data (bids, blueprints, financials, employee records) must remain secure, yet accessible.
- Mix of Users – Construction brings together people from all walks of life including different education levels, locations, languages, and more. Unlike most corporate offices, you cannot classify every employee at a construction company as an office or field worker. Add in the volatility of turnover and the reliance on subcontractors, and the constant change in staff makes it difficult to consistently train everyone.
With all these inherent risks for construction-industry companies, a good IT firm can help minimize the risks.
- Strong Security Suite – Construction companies must fortify their networks, and one of the best ways to do that is with Firewall-as-a-Service (FWaaS) because it provides you the latest in network security hardware paired with an online management tool to provide updates immediately without a large capital outlay. A good IT firm may also recommend SIEM (Security Information and Event Management) and SOC (Security Operations Center) services that store and parse the firewall logs and alert your IT firm to any anomalies that need to be reviewed.
- Separate Wi-Fi – Many general contractors provide Wi-Fi at their jobsites for their subcontractors, architects, and engineers to utilize while in the field. Put them on a second internet connection to limit your exposure to any viruses or ransomware that is unwittingly on their devices. (And to prevent them from slowing down your employees’ connection too.)
- Advanced Email & Web Filtering – Besides blocking content that is inappropriate for work, web and email filtering can prevent employees from accessing potentially harmful websites. When you add Advanced Threat Detection (ATD) to your email, it scans all email attachments and links and if it finds anything harmful, it stops the email before it hits anyone’s inbox so no one can accidentally open an attachment with ransomware. And it is affordable at $2-3 a user per month, which is a lot cheaper than mitigating a single ransomware attack.
- Secure File Sharing – With so many people accessing data, you need a strong file structure with user permission controls, whether you’re sharing files on a central server or in construction management software. To make it easier, create groups of users that need common permissions, such as the accounting department, the industrial division, and the teams on specific projects. Also, remove employees immediately when they leave the company because a former employee can do irreversible damage if given access to your data.
- Policies & Training – Construction is not an industry that is short on training. Mix in cybersecurity training like how to detect a malicious email and best practices to keep your data safe. You also need to create protocols for things like money transfers and data requests because hackers will spoof a CEO’s email and ask the CFO to wire millions of dollars abroad or have HR email them all their employee records. (Yes, these instances have happened; they happen much more than we’d like to know.) You can take your training a step further and use a phishing and spoof simulation service that sends out safe emails to see who acts on them and gives you a report on who still needs training and on the success of your training.
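As an added illustration of the CEO-spoofing scenario above (example code written for this page, not taken from any filtering product), this Python sketch flags messages that should go through the out-of-band verification protocol. The company domain, executive name, keyword list, and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration only.
COMPANY_DOMAIN = "example-builders.test"
EXECUTIVES = {"pat morgan"}  # display names whose requests move money or data
SENSITIVE_TERMS = ("wire", "transfer", "employee records", "payroll")

# Constructed sample messages (not real mail).
SAMPLE_SPOOF = """\
From: "Pat Morgan" <pat.morgan@example-builders-mail.test>
Reply-To: pat.morgan@freemail.test
To: cfo@example-builders.test
Subject: Urgent wire today

Please wire the deposit for the new project before 3pm.
"""
SAMPLE_LEGIT = """\
From: "Pat Morgan" <pat.morgan@example-builders.test>
To: cfo@example-builders.test
Subject: Site meeting Thursday

See you at the trailer at 8.
"""

def domain_of(address):
    """Return the lowercased domain part of an email address."""
    return address.rpartition("@")[2].lower()

def review_message(raw):
    """Return the reasons a message needs verification before anyone acts on it."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []
    # An executive's display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        reasons.append("executive display name on external address")
    # Replies would be routed to a different domain than the apparent sender.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append("Reply-To domain differs from From domain")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    # Only escalate on content when a sender anomaly is already present.
    if reasons and any(term in text for term in SENSITIVE_TERMS):
        reasons.append("requests money or employee data")
    return reasons
```

A message that returns any reasons is one to confirm by phone or in person under the money-transfer and data-request protocol before anyone acts on it.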
The most valuable thing you can do to minimize your risk is to partner with a good IT team that knows cybersecurity and understands your industry.