Nine ways construction companies can modernize and mitigate cyber risks

As digital transformation takes the world by storm, conservative economic sectors such as public transportation, agriculture, and banking and finance have come to rely on technological advances. Despite that fast pace of adoption elsewhere especially around AI, construction stands as one industry where innovation offers tremendous, yet largely unexplored potential.

Technology adoption in this area has been slow because of its fragmentation and complexity. A typical project involves multiple parties, experts, processes, and tools, making it difficult to centralize, integrate, and secure them. Therefore, many of these companies still use manual, paper-based processes that are expensive and tedious to digitize. This creates a tremendous void that the IT and security industry must fill.

The growing role of technology introduces new risks

Despite all the barriers, IT has been gearing up for a rise among construction firms that recognize the benefits, such as increased productivity, better building quality, improved safety, and cost savings for the long-term. Traditionally known for its on-site hustle and paper trails, a significant portion of the construction industry has been undergoing a digital revolution.

The Internet of Things (IoT), GPS, telematics, roofing software, cloud-based project management tools, building information modeling (BIM), and artificial intelligence (AI) – these terms have entered the vocabulary of construction engineers.

If we pair that with vendor dependencies, significant personnel turnover, data sharing outside the organization, and the increasing use of mobile devices and offices, it becomes clear that construction companies are more susceptible to cybercrime than ever before. The 2020 Maze ransomware attacks on French company Bouygues Construction and Canadian firm Bird Construction were the wake-up calls.

The occasionally sloppy software update hygiene can also play into attackers’ hands. It’s common for many construction companies to use legacy IT systems and outdated applications with unpatched security holes that adversaries can exploit at will. To top it off, a lack of adequate cybersecurity awareness, often not a priority across the industry, makes workers highly susceptible to threats like phishing.

Unfortunately, many of these companies still follow the “brick-and-mortar” paradigm while going digital, only to miss out on effective cybersecurity mechanisms like firewalls, automated penetration testing, and intrusion detection systems. We need to correct this disconnect.

How to bridge the cybersecurity gap in construction

Given its complexity and resistance to change in the industry, the road to digital transformation will continue on a bumpy road. Here are the security practices construction firms can leverage to make the most of IT and avoid cyberattacks:

Third-party risk management: Assess the cybersecurity posture of vendors and subcontractors before onboarding. Come up with strict security requirements and periodically review compliance to ensure the entire supply chain is tamper-proof.

IT infrastructure facelift: Upgrade outdated systems and regularly patch software vulnerabilities. Develop a patching schedule and make sure that all devices, from computers to tablets used on-site, are updated promptly.

IoT protection: Implement strong security measures for all IoT devices in use, such as safety sensors, surveillance cameras, GPS trackers, wearables used by workers such as smart helmets, and automatic materials tracking gear. Encryption, strong authentication, and firmware updates are imperative.

Strong password policies: Enforce complex password requirements that include a mix of uppercase and lowercase letters, numbers, and symbols. Make multi-factor authentication (MFA) mandatory at least for privileged user accounts.

Network segmentation: Isolate sensitive data from everyday operations to minimize the damage from a potential breach. Segment the network by creating virtual spaces for administrative functions, project management tools, internet access for guest users, and the organization’s IoT ecosystem.

Secure software engineering: Consider leveraging a Platform as a Service (PaaS) environment such as AWS, Azure or Google Cloud Platform to streamline the development of proprietary business applications. The use of PaaS hosting offers more coding capabilities without adding staff, reduces project duration, and provides turnkey security controls throughout the software development lifecycle.

Data backup and recovery: Maintain up-to-date backups of critical data, including project plans, financial records, and intellectual property. Implement a robust recovery plan that outlines the steps to restore data and resume operations quickly in the event of an attack. Consider storing backups offline or in a secure cloud environment.

Cyber insurance: This precaution offsets financial losses from cyberattacks. It can cover costs associated with data recovery, legal fees, and business interruption.

Comprehensive cybersecurity training: Integrate cybersecurity into the company culture. Invest in regular and engaging security awareness training for all employees so they can identify phishing attempts, understand the importance of strong passwords, and know how to report suspicious activity.

In a way, the construction industry has little choice but to go down the road of dynamic digital transformation. Therefore, now’s the time to build a solid security foundation for the shift. These nine tips can help builders – and most any other type of business – modernize.

David Balaban, owner, Privacy-PC