By: Tom Skoog, Cybersecurity & Data Management Practice Leader
Cybersecurity for the construction industry is a growing challenge. The industry is moving towards digital connectivity, not only across the supply chain, but also ‘on site’ as more metrics related to performance, progress, and health & safety are monitored in ‘real time.’ This increase in connectivity increases cyber-risk as the bad guys have additional “doors and windows” to crawl through to access systems and data.
Reducing the Risk
The construction industry is facing increasing cyber-risks based on changes in the environment and delivery options. But it has also been notoriously slow at identifying and addressing its cyber-risk vulnerabilities. Cybercriminals are targeting industries based on where they believe the industry has been slow to implement basic cybersecurity processes and technology.
As a result, the construction industry is facing increasing risks of cyberattacks that could prevent basic business operations such as invoicing customers, paying bills, processing payroll, bidding on work, or a complete lockout from its computer systems.
The following is a list of basic steps that construction companies can take to reduce the risk of a ransomware attack or data breach on their organization.
- Patching – – Either your IT department or your managed service provider should be aggressively applying patches to your workstations and servers. Patches close technical vulnerabilities publishers find in different type of software. The bad guys become aware of these vulnerabilities, and it is a race to see who can get to that vulnerability first, either you by patching it, or the bad guy before you patch it.
- Strong Passwords AND Two-Factor Authentication – – One of the attacks bad guys will launch is if they get into your network, they will copy the password file from Windows or other software packages. If employees have weak passwords, it is easy for attackers to obtain the unencrypted versions of those passwords. To mitigate this risk, everyone should utilize strong passwords, and this should be augmented where possible with two-factor authentication. Administrative IDs and remote users should require two-factor authentication at a minimum.
- Training/Awareness – – Most ransomware attacks occur because attackers trick employees into clicking on a link or a file, or worse, providing their login credentials through phishing emails. This in turn allows the bad guys to get their malicious software into your network. Employees need to be trained about the do’s & don’ts and the red flags to look for in phishing emails. You should consider testing the effectiveness of your training efforts by executing internal phishing email tests to identify those requiring additional training.
- Control Administrative Accounts – – Compromised administrative accounts gives someone full and complete access to the functionality of your systems and network. You should limit the number of people who have administrative capabilities to only those requiring it to perform their job function (IT support personnel). Business users should not have administrative capabilities associated with their user ID. Also, administrative access should always require two-factor authentication.
- Encryption – – The ability to encrypt data on workstations and servers has never been easier and it is a cost-effective measure to further protect your data from theft or modification. Encryption capabilities exist within Microsoft Windows V10.
- Quality Data Backup – – In the event you are impacted by a ransomware attack, you are essentially faced with two options to get your systems back and online. The first option is to pay the ransom and hope they unlock your systems. The second is to format all your systems and restore the systems and data from backups. Your backups should employ the 3, 2, 1 strategy. You maintain three copies of each backup. Two copies are maintained off-site and one of the off-site copies is immutable (cannot be changed) and air/gapped (cannot be accessed by anyone but your IT staff).
- Access Controls – – By limiting “who can do what” in your systems, you reduce the risk of data breach of information. Access control measures exist within all application systems.
- Next Generation Anti-Virus Software – – Most organizations have standard anti-virus software (e.g., Windows Defender) on their workstations and servers. An added detection mechanism would be to purchase and install a next generation anti-virus software tool (e.g., Carbon Black). While standard anti-virus tools look for virus “signatures” that get updated nightly, The next generation tools look at the behavior of your machines (workstations/servers) for anomalistic behaviors within your operating systems (e.g., a system file executes at an abnormal time). This helps detect “zero-day” attacks, meaning the anti-virus software vendors are yet aware of the new virus.
- Monitoring – – You need to be monitoring your various logs, audit files, etc. on a regular basis. If you try to do this internally, it is very manual and time intensive and frankly, not effective. It is recommended that you engage a third party who specializes in monitoring networks for security events. They have the people, processes, and technology to detect potential breaches or attacks and take actions to contain and eradicate those attacks.
- Cyber-Insurance – – Given the significant increase in ransomware attacks in the construction industry, companies are encouraged to insure their operations against a cyberattack. Many of the items discussed in this article will be requirements of several cyber-insurance carriers.
The question your company faces is how many of these processes and procedures are in place and, if some or all are not in place, how long stakeholders are willing to accept the risk of losing access to systems critical to business operations.
If you have any questions about cybersecurity in general, or the items discussed in this article, feel free to contact your Blue & Co representative, or our cybersecurity practice leader, Tom Skoog, at firstname.lastname@example.org.