When it comes to cybersecurity breaches, most people think of credit card hacks at retail stores or data dumps of personal information and passwords. However, the construction industry isn’t immune to this threat. The industry may not be an obvious target, but it’s a target nonetheless. The fact is, if you have data online, or if your staff access the Internet from any device, you are at risk of a cybersecurity attack.
A cybersecurity breach could originate with an email virus, a lost or stolen laptop, a subcontractor’s unsecured network, company data accessed over an unsecured wireless connection, or even a disgruntled employee.
A recent example involved a construction company receiving a fraudulent email, sent from an address that looked nearly identical to the CFO’s email address, directing the controller to wire cash to an account. Due to excellent communication between the two individuals, the fraud was prevented, but it could have become a serious incident. The hacker used the CFO’s name and created an email address that was one letter different from their official email address. Think this can’t happen to you? It can.
For construction companies, the cybersecurity access points and vulnerabilities are numerous. Every day, on numerous jobsites, your project foremen are uploading and downloading data from tablets and mobile devices. Various stakeholders and subcontractors are accessing project details and reporting on activities. Your purchasing department is buying office supplies and jobsite materials and placing equipment orders. Accounts receivable and billing departments may be emailing invoices and sensitive documents to general contractors or owners. Human resources is processing payroll and loading sensitive employee data onto the network.
What’s at risk?
The obvious answer is your financial information, intellectual property, trade secrets, and personal information of staff (Social Security numbers, etc.). Another liability? Safety. Hackers could steal building plans, or data could be corrupted, leading to deadly errors on jobsites. For construction companies, a cybersecurity breach isn’t just a threat to your bottom line; an attack could endanger lives.
Awareness of cybersecurity threats is step one. Preparation is step two. The following are four actions you should take to protect your organization and mitigate risk:
- Establish a culture of communication
If individuals receive emails, documents, or requests that don’t seem right, encourage them to speak up before acting. Time and again, breaches are the result of human error because someone assumed the request was legitimate and never questioned anything.
- Create a policy for incident response
You may have traditional response policies for handling inclement weather or safety issues on jobsites, and you should plan for cybersecurity threats the same way. Start with an inventory of sensitive and at-risk data and identify where it is stored. Then, design a counterattack plan detailing how you will respond to various breaches. What steps will you take? Who should be notified first? A comprehensive plan is important to ensure a streamlined and coordinated response. A cybersecurity breach is more than an IT issue, and your incident response team may include others such as legal, compliance, or public relations.
- Communicate your plan
An incident response plan is only effective if everyone knows their roles and duties. Clearly define your chain of command and procedures for reporting incidents. Everyone, from the CFO to a jobsite worker, should know who to notify in the event of a suspected breach.
- Educate and train your staff
Cybersecurity training is just as important as safety training. Educate staff on securing devices, security measures for network authorization and access protocols, and how to identify and recognize breaches. This training should be more than a one-time event. Keep the entire organization up to date with annual cybersecurity training. It’s quick and could save a tremendous amount of aggravation and prevent losses in the future.