8 Steps Every Construction Company Should Take To Protect Their Data

Now that your construction business is more connected through the Internet, you must get serious about cybersecurity. Hackers are targeting construction companies. They’re stealing project plans and blueprints, banking and financial data, clients and employees’ confidential information, and proprietary assets. What should you do to protect your construction company from cyber threats? Read on and we’ll tell you.

How Can Hackers Steal Our Data?

These are just a few of the ways that your construction company’s data could be breached:

  • Phishing and spear-phishing scams
  • Unlocked and misplaced employee laptops and mobile devices
  • Unauthorized access to company networks
  • Breached data and websites
  • Insider cyber theft or employees accidentally posting confidential information
  • Access to data shared with third parties

Here are two real-world examples for you:

  1. Turner Construction was hacked when an employee sent confidential employee tax data to a fake email account. They were fooled by a spear-phishing scam where the hacker pretended to be a trustworthy source. Everyone who worked for Turner was affected (and they are one of the largest construction firms with offices in 24 states around the country).
  2. Whiting-Turner Contracting has 31 offices in 18 states. They were hit with a data breach and fraudulent tax filings were being made in their name. The company that prepared their tax forms detected the theft on their system. It’s suspected that information about employees who received health insurance through Whiting-Turner was also compromised.

So, as you can see, construction businesses are not immune to cyber-attacks. Even the biggest contractors can be breached.

How Can We Protect Our Construction Company From Data Breaches?

There’s no way to totally prevent your IT network and data from being hacked. But you can put a proactive plan in place to protect your IT assets. Here are 8 steps that you should take:

  1. Designate A Cybersecurity Chief On Your Staff. Appoint a staff member to be your point of contact to lay down the law about secure IT best practices. They should also be the liaison with your outsourced or in-house IT team. They must understand and help to enforce the regulations and security policies that you want your employees to comply with.
  2. Have Your IT Service Company Establish a Layered Defense. You can no longer rely on just one or two security mechanisms. Cyber threats are too sophisticated today; if your antivirus or anti-spam solution fails, you’ll have nothing left to protect your data. Your IT provider can do the following:
  • Segment your networks with firewalls. Network segmentation groups IT assets and data by sensitivity and restricts which systems and users can reach each group, so a compromise in one segment does not expose everything.
  • Use measures to detect IT compromises. They should be using solutions like Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs), along with a managed anti-virus/anti-malware solution, to help you detect IT security events in their early stages.
  • Secure remote access with a VPN. A Virtual Private Network encrypts the data channel so your users can securely access your IT infrastructure over the Internet.
  • Secure and encrypt your wireless connections. Your company Wi-Fi must be separate from your guest Wi-Fi or public networks. Your construction company’s internal wireless must also be protected with WPA2 (or the newer WPA3) encryption and a strong, non-default passphrase.
  • Implement Mobile Device Management (MDM). MDM lets you remotely wipe company data from a device if it’s lost or stolen.
  3. Develop a Backup & Disaster Recovery Plan With Your IT Provider. You must have a backup copy of your data in case it’s stolen, encrypted by ransomware or accidentally deleted. Develop a policy that specifies what information is backed up, how often it’s backed up, where it’s stored and who has access to the backups. Back up both to an external drive in your office and to a remote, secure, online data center that your IT service company provides, and do this daily; your IT provider can set backups to occur automatically. Keep the local copy disconnected from the network when it isn’t being written, because ransomware that reaches a file share will also encrypt any backup drive that is permanently attached. Make sure your backup systems are encrypted. Your IT provider must also test your backups regularly by actually restoring them; a backup that has never been restored is an untested assumption. This is fundamental to your security and your ability to restore your data if it’s locked down with ransomware, or if it’s lost.
  4. Regularly Train Your Users on IT Security. Your IT company can provide Security Awareness Training for your employees. As you saw with the Turner Construction case, your staff can have a significant impact on your cybersecurity – either they know enough to keep your IT assets secure, or they don’t. If not, they present a serious threat to your IT security.

Security Awareness Training will help your employees know how to recognize phishing and spear-phishing emails and avoid them. They’ll learn how to handle security incidents when they occur. If your workers are informed about what to watch for, how to block IT theft attempts, and where they can turn for help, this alone is worth the investment.

And, make sure that they are trained often. People must be reminded regularly about cyber threats, and there are always new ones, so it’s essential to stay up-to-date. Ongoing training and testing (such as simulated phishing emails) reduce the human error that increases your IT security risk.
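As an added example (not from the original article or any vendor’s tooling), the following Python script shows what the restore test called for in step 3 looks like: back up a directory, restore it to a scratch location, compare every file’s SHA-256 digest with the original, and then show the same check catching a backup that no longer matches the source. The directory names and sample files are constructed for the example.

```python
"""Backup restore test: back up a directory, restore it somewhere else, and prove
every file came back byte-for-byte. Added illustration; the paths and sample
files below are constructed for the example, not real company data."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large blueprints don't fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tarball of source and return the manifest to verify it against later."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def restore_and_verify(archive: Path, expected: dict) -> list:
    """Restore into a fresh directory and return files that are missing or differ.

    An empty list means every expected file restored with its original digest.
    """
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the 'data' extraction filter where available so a crafted
            # archive cannot write outside dest (path traversal); older
            # Pythons without the filter fall back to plain extraction.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **kwargs)
        actual = manifest(dest)
    return sorted(p for p, digest in expected.items() if actual.get(p) != digest)


def demo() -> tuple:
    """Run the restore test twice: once against a good backup, once after the
    source changed so the backup is stale. Returns (clean_result, stale_result)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "projects"
        (src / "site-42").mkdir(parents=True)
        # Constructed sample files standing in for plans and HR data.
        (src / "site-42" / "blueprint.dwg").write_bytes(b"constructed sample blueprint")
        (src / "payroll.csv").write_text("name,ssn\nconstructed,sample\n")

        archive = work / "nightly.tar.gz"
        expected = make_backup(src, archive)
        clean = restore_and_verify(archive, expected)

        # The source changes after the backup ran; the old archive no longer matches.
        (src / "payroll.csv").write_text("name,ssn\nchanged,after backup\n")
        stale = restore_and_verify(archive, manifest(src))
        return clean, stale


if __name__ == "__main__":
    good, bad = demo()
    print("good backup problems:", good)
    print("stale backup problems:", bad)
```

Running it restores the archive into a throwaway directory rather than over the live data, which is the point of a restore test: you learn whether the backup is usable without risking what you are trying to protect. The stale-backup case is the one a daily schedule is meant to avoid.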

  5. Keep Your Systems and Software Current. Software developers release patches as new security threats are found. Install them as soon as they’re released; if you don’t, your IT system stays vulnerable to flaws that are already public. If possible, set your systems to update automatically so that critical updates aren’t missed. This is one of the most effective things you can do: it closes the security gaps that hackers find and exploit. Outdated software and operating systems that don’t promptly receive security patches leave you exposed.

Replace all outdated software before the developers end support. For example, Microsoft has set January 14, 2020 as the end of extended support for Windows 7. After that date you won’t get bug fixes or security updates from Microsoft, and over time unpatched Windows 7 computers become increasingly vulnerable:

  • Your computers could be infected by malware;
  • Your antivirus won’t be updated;
  • Your online banking transaction protection may expire; and
  • Your financial data could be exposed to theft.
  6. Enforce Access Policies on Mobile Devices and Restrict Access to Data. With BYOD (Bring Your Own Device) use, mobile devices like smartphones, tablets, and laptops present significant security challenges. They’re exposed to external threats, infections, and hackers; and when they’re connected to your network, they can compromise your IT security.

Establish security policies for the use of mobile devices on your network. They should be password-protected and have device encryption turned on, so that a lost device doesn’t hand over the data stored on it. Instruct your employees to only use devices that belong to them and have been protected by your security policies. Ask your IT provider about Mobile Device Management that will wipe data from a device if it’s lost or stolen.

Also, know who has access to your data, and enforce a “need-to-know” policy. Restrict access to data to only those who need it to do their jobs. Employ Role-Based Access Controls With Secure Logins: limiting each employee’s authorization with role-based access controls means a phished or stolen account can only reach the data that role needs, which limits the damage an intruder can do and makes unusual access easier to spot. Define user permissions based on the access needed for each job. For example, your receptionist might not need access to your construction company’s financial data.

  7. Enforce Strict Password Policies. Weak passwords are one of your weakest links. Have your users create long passwords (more than 12 characters) that are complex. And never reuse the same password for different purposes: if one gets cracked or leaked, a hacker can use it to access information in other places.

It’s easy for hackers to crack short passwords that contain only letters and numbers, so require special characters as well. Don’t build passwords from dictionary words; think of a phrase that you can remember and use the first letters of its words, mixed with numbers and symbols. Be aware that swapping a $ for an S or a 1 for an L is not enough on its own: password-cracking tools try those substitutions automatically, so “P@$$w0rd” is barely stronger than “password”. Consider using a password manager like LastPass or Dashlane, which can generate and store a unique strong password for each of your accounts. And wherever your systems support it, turn on multi-factor authentication so that a stolen password alone isn’t enough to log in.
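As an added example (not from the original article), here is a small Python policy check that applies the rules above: a minimum length, a mix of character classes, and a check that first undoes the common substitutions (such as $ for S) before comparing against a word blocklist, so that “P@$$w0rd” is rejected just like “password”. The thresholds and the tiny blocklist are assumptions constructed for this example; a real deployment would load a breached-password list instead.

```python
"""Password policy check: length, character classes and common-word detection.

Added illustration only. MIN_LENGTH and BLOCKLIST are assumptions for the example
(the article says "more than 12 characters"; it names no blocklist).
"""
import string

MIN_LENGTH = 13  # "more than 12 characters", read as at least 13

# Constructed blocklist for the example. Use a breached-password list in practice.
BLOCKLIST = {"password", "welcome", "construction", "letmein", "qwerty", "contractor"}

# Substitutions that password-cracking rule sets undo automatically, so they add
# almost nothing: we normalise them away before looking for common words.
LEET = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
    "!": "i", "5": "s", "7": "t", "4": "a",
})


def normalize(password: str) -> str:
    """Undo leet-speak substitutions and lower-case, as a cracking rule set would."""
    return password.translate(LEET).lower()


def contains_blocked_word(password: str) -> bool:
    """True if the normalised password contains any blocklisted word."""
    norm = normalize(password)
    return any(word in norm for word in BLOCKLIST)


def character_classes(password: str) -> int:
    """Count how many of lower/upper/digit/symbol classes the password uses."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three character classes")
    if contains_blocked_word(password):
        problems.append("contains a common word (substitutions like $ for S do not hide it)")
    return problems


if __name__ == "__main__":
    for candidate in ("P@$$w0rd2019", "CONSTRUCTION2020!!", "Bricks-Under-7-Cranes-Lift"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalisation step is the part worth copying: a policy that only counts character classes would wave “P@$$w0rd2019” through as a four-class password, while the acronym-style “Bricks-Under-7-Cranes-Lift” passes every check and is far harder to guess.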

  8. Protect Your Construction Company with Cybersecurity Insurance. Because cybercriminals are relentless and their sophisticated threats are constantly evolving, construction companies are purchasing cybersecurity insurance. Contact your insurance agent to learn more about this and how it will protect you.

And, make sure that your third-party vendors’ IT systems are protected as well. Remember what happened with Whiting-Turner’s tax preparation company. Make sure they are also implementing these 8 steps to protect themselves from IT threats.

Want more information? Check out these articles:

12 Ways To Increase Your Business IT Security

Top Ways to Avoid Phishing Scams (Including Spear Phishing)

9 Cybersecurity Terms You Need To Know