Recently, an article in Engineering News Record, one of the “go-to” trade publications for those in commercial construction, featured an eight-page, in-depth overview of how cybercriminals are finding ways to sabotage our industry.
Aside from phishing scams, more alarming cases are emerging, including ransomware, wire fraud and even the control of equipment used on-site in the construction process to cause harm.
Last year, a study commissioned by Bromium, a company that protects brand, data and people using virtualization-based security, estimated that the cybercrime economy has grown to $1.5 trillion annually. According to Gregory Webb, CEO of Bromium, “The platform criminality model…means enterprises and governments alike are going to see more sophisticated, costly and disruptive attacks as The Web of Profit continues to gain momentum.”
No doubt, the last 10 years have changed the construction business dramatically as technological innovation, integration and budgets have grown, enabling projects to be fast-tracked while yielding greater productivity, efficiency and safety. In many cases, IT support was simply a contract job to provide key implementation and maintenance. Not anymore.
Today, we have a director of IT, Chris Martin, whose recommendations and technology budget weigh in on every high-level meeting and planning session at MYCON. According to Martin, “As our digital transformation advances so does our exposure. Wire fraud is a major threat because cybercriminals have found ways to infiltrate a company, often through its weakest link. A firm can offer a gold standard of protection but that may not be the same for sub-contractors and other suppliers.”
From hacked emails to replayed email chains to phishing emails looking for credentials and weaponized Microsoft Office documents, cybercriminals, many from foreign countries, maneuver endlessly to find your most vulnerable point of entry. Today’s gold standard includes mandated employee training with daily and weekly cyber-security reminders, multiple layers of security, enhanced security staffing and monitoring, and security event planning.
Moreover, cybercriminal activities are not just targeted at a company’s main office; field personnel equipped with laptops, tablets, cellphones and other digital communications devices are just as vulnerable. TDIndustries’ IT support manager Steven Wong describes a hierarchy of layered security that runs from firewalls, spam filters and anti-virus programs to email warning labels, end-user training, and geo-blocking to prevent logins from non-authorized countries. “Our next phase is to implement multifactor authentication,” says Wong.
Given the volume of potential vulnerabilities, Wong explains that “allocating resources and time are critical so that we can properly set up the technology requirements at the beginning of a project, and determining the level of restrictions that all parties are willing to accept and work together to minimize risks is key.”
Chris Martin agrees that collaboration and resource allocation are keys to ensuring cyber safety. “A customer-centric mentality is important,” says Martin. “Our IT team focuses on what each customer is trying to achieve in order to find a solution that balances security with business needs.”
One of the general contractors that has been at the forefront of embracing new technologies is Rogers O’Brien (RO) Construction. Like every firm in our peer group, RO takes data privacy, protection and security seriously.
RO uses a holistic approach to cybersecurity, according to Michael Shepherd, RO’s chief technology officer. The firm begins with education for every employee about phishing emails and targeted social engineering calls that might aim to obtain a password or get an invoice re-routed. They partner with some of the best IAM providers, who continuously monitor user logins to detect suspicious login behavior or atypical network behavior for a user or their login.
Says Shepherd, “We have a clear process on pushing updates and security patches to our servers and end user devices and make sure that every device is protected with a security agent that can work in-band and out-of-band, protecting entry points into our network.”
Just as important is RO’s response plan, according to Shepherd. “If we experience a security event, we have a detailed response plan, and we’re ready to move quickly to minimize any damage.”
For large general contractors, it takes a lot of money to be cyber safe and to support that effort diligently. For many smaller and mid-sized firms, investing hundreds of thousands of dollars to develop these security systems is simply unaffordable. But by establishing security protocols, smaller firms can benefit.
According to Philip Siems, principal and director of IT at Merriman Anderson Architects, “Remember that security is only as good as the weakest link, and that often implies the user. User training must be a priority. Security hardware, software and services for the most part can only stop what is known, and, in most instances, the outcomes of attacks will be decided by users’ decisions. We secure our users and devices with many policies, require multiple factors of authentication on all accounts, and every avenue of communication is encrypted and behind at least one firewall and two or more layers of filtering and scanning.”
Siems recommends that every company operate its security with a layered approach, along with routine backups, frequent audits, and operating all systems on the policy of least privilege, where an employee has access only to what he or she needs to perform his or her job.
“Cybercrime is on the rise worldwide,” says Siems. “Any company can be a target both intentionally and unintentionally as the payoffs are only growing.”
Clearly, security is not optional in our industry, and, with the wave of new technologies that we are embracing, the best defense is a well-informed and continuously trained workforce.
More importantly, we’re not just talking systems vulnerability or financial vulnerability; we’re talking people vulnerability – our people on the project teams at our jobsites whose lives can be affected.
The more we automate our industry, the more we can damage the world – not just by losing time and money but by losing lives, and that’s a serious concern for every team member who has ever worked on a project – large or small.
Putting cyber safety and cyber security in the driver’s seat is incumbent on us all.
Charles Myers is president and CEO of MYCON General Contractors, a former co-chair of the Industrial and Office Local Product Council for the North Texas District Council of the ULI, and serves on Landmark Bank’s Texas Regional Board as a director. He can be reached at [email protected].