
Cybersecurity: Don't let your company be the next victim

December 4, 2015 Article 3 min read
Laura Claeys

When it comes to cybersecurity breaches, most people think of credit card hacks at retail stores or data dumps of personal information and passwords. However, the construction industry isn’t immune from this threat. The industry may not be an obvious target, but it’s a target nonetheless. The fact is – if you have data online, if your staff access the Internet from any device, you are at risk for a cybersecurity attack.

A cybersecurity breach could originate with an email virus, lost or stolen laptops, a subcontractor’s unsecured network, accessing company data over an unsecured wireless connection, or even a disgruntled employee.

A recent example involved a construction company receiving a fraudulent email, sent from an address that looked nearly identical to the CFO’s email address, directing the controller to wire cash to an account. Due to excellent communication between the two individuals, the fraud was prevented, but it could have become a serious incident. The hacker used the CFO’s name and created an email address that was one letter different from their official email address. Don’t think this can’t happen to you? It can.

For construction companies, the cybersecurity access points and vulnerabilities are numerous. Every day, on numerous jobsites, your project foremen are uploading and downloading data from tablets and mobile devices. Various stockholders and subcontractors are accessing project details and reporting on activities. Your purchasing department is buying office supplies, job site materials, and equipment orders. Accounts receivable and billing departments may be emailing invoices and sensitive documents to general contractors or owners. Human resources is processing payroll and loading sensitive employee data to the network.

What’s at risk?

The obvious answer is your financial information, intellectual property, trade secrets, and personal information of staff (Social Security numbers, etc.). Another liability? Safety. Hackers could steal building plans, or data could be corrupted, leading to deadly errors on jobsites. For construction companies, cybersecurity isn’t just a threat to your bottom line; an attack could endanger lives.

Awareness of cybersecurity threats is step one. Preparation is step two. The following are four actions you should take to protect your organization and mitigate risk:

  • Establish a culture of communication
    If individuals receive emails, documents, or requests that don’t seem right – encourage them to speak up before acting. Time and again, breaches are the result of human error because someone assumed the request was legitimate and never questioned anything.
  • Create a policy for incident response
    You may have traditional response policies for handling inclement weather or safety issues on jobsites, and you should plan for cybersecurity threats the same way. Start with an inventory of sensitive and at-risk data and identify where it is stored. Then, design a counterattack plan detailing how you will respond to various breaches. What steps will you take? Who should be notified first? A comprehensive plan is important to ensure a streamlined and coordinated response. A cybersecurity breach is more than an IT issue, and your incident response team may include others such as legal, compliance, or public relations.
  • Communicate your plan
    An incident response plan is only effective if everyone knows their roles and duties. Clearly define your chain of command and procedures for reporting incidents. Everyone, from the CFO to a jobsite worker, should know who to notify in the event of a suspected breach.
  • Educate and train your staff
    Cybersecurity training is just as important as safety training. Educate staff on securing devices, security measures for network authorization and access protocols, and how to identify and recognize breaches. This training should be more than a one-time event. Keep the entire organization up to date with annual cybersecurity training. It’s quick and could save a tremendous amount of aggravation and prevent losses in the future.
