Why YOUR Construction Company Needs a Good Cybersecurity Strategy

Technology growth has meant that data security has become a higher priority—both in our personal lives and in our businesses. It wasn’t all that long ago that data security was something that most of us took for granted. But technology has opened new doors of opportunity for bad actors to take advantage if proper safeguards aren't in place.

Cybersecurity expert Bryce Austin, principal of TCE Strategy, has provided Trimble Viewpoint customers with a bevy of helpful tips over the years. With Cybersecurity Awareness Month now upon us, let’s take a look at the best cybersecurity tips for contractors from Austin and others.

The new norm of connectivity we have with the world also means more access that nefarious actors have to you and the places you live and work. And if we let our guard down or allow unprotected pathways to unwanted interactions, we run the risk of being taken advantage of.

At its heart, cybersecurity is about risk mitigation. Just like other risks, there’s no way to guarantee a data security event will never happen; all we can do is be well prepared if or when it does. According to Austin, there are three risk responses that businesses can choose to engage in:

1. Quantify the risk, and then accept it
2. Mitigate the existing risks to an acceptable level
3. Transfer risks to a third party

These categories are true across most aspects of security—and it’s about being proactive.

“If you can see the freight train coming, it's much easier to get off the tracks than it is to try to put the pieces back together after you get hit,” Austin said.

And for cyber criminals, that freight train is big business. In 2021, the global cost of cybercrime was a staggering $6 trillion—a figure larger than the economies of every country in the world except for the U.S. and China. That figure is expected to grow to $10.5 trillion by 2025, which in terms of monetary cost is larger than that of natural disasters and other black swan economic disruptions like COVID-19 or the Great Recession. 

So far this year, some of the world’s biggest companies—Apple, Meta, Samsung, Twitter, Microsoft, and others—have suffered costly and embarrassing breaches, but construction businesses have historically been targets as well. Contractors that rely on heaps of data to facilitate complex construction projects are among the many businesses that can often be targets of cyber criminals. Multiple projects, using many different applications and hundreds, if not thousands of workers entering data can provide plenty of potential doors of opportunity for cyber criminals to knock on. So, how do contractors ensure these doors stay locked?

First and foremost is knowing where to focus. Phishing is a great place to start, because so many aspects of cybersecurity—from breaches to ransomware—begin with phishing. It’s critical that teams and their third party partners understand what to look for.

By far the most widely used, phishing is essentially looking for people or habits that criminals can take advantage of. In these cases, victims might get an email, text or even call alerting them of a reported virus, locked account or other “problem” with a software application or credit card they use. 

“Cybersecurity experts might know what phishing is, but do your technology users know?” Austin said. “Do users know it could be text messages? Spam calls pretending to be someone else? Emails? Any user that interacts with technology in the business must be educated about what phishing is, so they know how to prevent it.”

The good news is, there is a common methodology to every breach, a chain of events in which each step is necessary for the hacker to succeed:

1. Phishing—sending fraudulent emails to induce the recipient to reveal important personal information, like credit card numbers or social security numbers.
2. Hopping—a cyberattack targeting a company’s third-party vendors in an attempt to hack that company’s data.
3. Scraping—collecting and copying large amounts of data from a website or application for later malicious use.
4. Aggregating—compiling and consolidating massive amounts of data into a single entry for easy transfer.
5. Exfiltrating—an unauthorized transfer of sensitive data into the custody of a malicious actor.

Disrupt any of those steps and companies can stop the breach. Or, as Austin says it: “Stop any step, stop any breach. All of these things have to happen in order for a breach to take place. And if you can detect and disrupt any one of these five, you will stop the breach. That’s an important take-home message.”

Ransomware: In this attack, a breach occurs when you or someone at your organization clicks on a link or file in an email, or hackers are able to crack your password. Once they’re in, they unleash a program that essentially hijacks your computer and data until you agree to pay a fee. 

Ransomware is one of the primary means cybercriminals use against businesses like construction. When it comes to protecting against ransomware, Austin recommends doing the following:

• Patch firewalls that host your VPN once a month
• Multi-Factor Authentication (MFA) on all email accounts
• MFA on your VPN
• Identical local admin accounts
• Geo-filtering all internet traffic and emails

Of all of these measures, Austin dwells on MFA for VPNs, saying it is imperative: “It’s the closest thing to a silver bullet we have in the cybersecurity industry right now.”

Wire Transfers: Wire transfers are another area that have given thieves access to companies and individuals. And it’s one that has particular interest in construction, where multiple bills, invoices and payments permeate the daily work. In these scams, criminals might send phony invoices or call requesting immediate payment for items in order to avoid default. Once the money is transferred, it’s gone forever (and thieves could have a new back door into your payment processes). Austin strongly recommended a policy where wire transfers are forbidden without a specific phone call being made to someone you are on a first-name basis with to authorize it. No emails—ever to authorize wire transfers or change bank account numbers.

So, what are some of the steps contractors can take to maximize their cybersecurity efforts? Here’s a look at some keys:

• Deploy Multifactor Authentication. Wherever you can, put multifactor authentication in place where multiple steps or devices are needed when logging in from new devices—this makes it significantly harder for cybercriminals to get into your systems and the odds are most will move on to the next target.  “Cloud services offer a lot of potential benefits to companies because you don’t have to think about things like server banks anymore,” Austin said. “And now your personal PC has a small part to play in the overall cybersecurity of your company, but it’s about the behavior as well: the password you choose, or whether or not you set up additional security measures.”

• Secure Administrator Portal Credentials. Use strong usernames and passwords—the more complex the usernames and passwords are, the harder they’ll be for scammers to figure out. And, require passwords be changed routinely.

• Backup and Secure Your Files—Especially in the Cloud. People and companies should back up their files in multiple places. Having files accessible in the cloud is essential should local devices or servers go down, but the opposite is also true. If there is a breach with a cloud provider or something goes wrong, have critical files routinely backed up on devices like flash drives, external hard drives or servers.

• Provide Consistent Training and Updates. One of the biggest issues is that most people don’t know about new threats until they’re affected by them. Each company should have at least one designated person to stay on top of the latest threats and train employees thoroughly on how to spot and avoid them.

• Patch Your Cloud Environment Regularly. Cloud systems require maintenance, although it is markedly different from on-premise care and maintenance. Partnering with the right software provider can help with ensuring your cloud environment is up to date. 

• Checking Your Ransomware Defenses. The Colonial Pipeline breach is a story that might be near-and-dear to our readers, because without energy sources like gas and oil, construction projects can’t make any movement. So, how did they get hacked to begin with? They had a Virtual Private Network (VPN), which is a tool used to anonymize a company’s IP address and make it more difficult to tie a specific company to a specific IP address. However:

1. Their VPN was old, and should have been shut down but wasn’t.
2. The admin account should have been deactivated but wasn’t.
3. Finally, they did not use MFA. This mish-mash of factors led to the breach.

• Finally, Choose Your Cloud Providers Wisely! “You need to choose your cloud providers wisely,” Austin said. “Some cloud providers take cybersecurity much more seriously than others. Make a list of your cloud providers so you understand who to call for which concern. And you need to have multi factor authentication on any administrator accounts that run your cloud services.”

“In the construction industry, I don’t see as many companies taking advantage of cybersecurity expertise or seeking outside training or help,” Austin said. “I’d like to encourage companies to consider having a cybersecurity coach and a technology coach to be successful in this space because it is a complex, ever-changing landscape.”

The role of IT has expanded significantly over the past few years, as construction technology expands. You’re probably already feeling the pressure to modernize but are too busy managing multiple, disconnected solutions.

Connected, cloud-based construction software suites like Trimble Construction One have some of the latest data security safeguards in place. By hosting contractors’ data and workflows in the cloud—with daily backups, strict access permissioning, strong firewalls, and more—Trimble Viewpoint takes the IT burden off of contractors, allowing them to focus on their real work.