2025 Pub. 6 Issue 4

LIKELY TARGETS

Common cybersecurity threats in the construction industry include the following:

• Data breaches: Client information, financial information, intellectual property and project designs are all at risk. Cybercriminals hack systems, use malware or engineer attacks that take advantage of social norms.
• Supply chains: Every entity in supply chains can be a potential point of entry for cybercriminals. Once in, they can disrupt operations, find sensitive information or take advantage of networks.
• IoT devices: Drones, sensors and wearable technology sometimes lack security and can be exploited by cybercriminals to manipulate data or gain unauthorized network access.
• Ransomware: Encryption is easier than decryption, and even if files can be recovered, it takes time. Cybercriminals use software to encrypt important files and demand a ransom to decrypt them. Noncompliance can cause missed deadlines, and that interferes with getting paid for work.
• Physical attacks: In addition to the risks any site has of unauthorized access, theft and vandalism, cybercriminals can also choose to access control systems or target HVAC.

THE SHORT LIST OF CYBERSECURITY MEASURES

The following list presents a starting point for companies within the construction industry. You can do more than the following, but you should not do less.

• Follow cybersecurity regulations and standards. The NIST Cybersecurity Framework or the General Data Protection Regulation (GDPR) can help you set up the policies and practices for an effective and comprehensive cybersecurity program.
• Think about possible security risks that may have been created when digital solutions have been implemented.
• Schedule regular and robust data backups. That way, you can restore essential data when necessary.
• Protect equipment and materials by using a physical security system for construction sites. Include access controls, perimeter fencing and surveillance cameras.
• Work with vendors and subcontractors to reduce risks by talking about prevention and including cybersecurity standards and clauses about data protection in contracts.
• Safeguard confidential information and trade secrets by using data breach prevention strategies. Encryption protocols, firewalls and intrusion detection systems may deter unauthorized access and malware attacks.
• Provide robust phishing simulations to train employees. They should understand why data protection matters, know how to create strong passwords and recognize a phishing attack. Cyber insurance carriers may offer employee training as part of your insurance policy.
• Use multifactor authentication for all accounts and webmail, especially those involving remote access.
• Make social engineering fraud more difficult to carry out by having strict dual controls with callback requirements. This can prevent cybercriminals from modifying accounts and changing invoices.
• Ensure the company can locate and wipe equipment that is lost or stolen by using endpoint detection and response (EDR) and mobile device management (MDM).
• When software is installed or updated, including with patches, use software sandboxing so that the work will be done in a controlled environment. Also, monitor systems regularly for signs that a breach has occurred.
• Back up critical systems and databases. Look for proven and protected systems that have been tested and are segmented and protected.
• Write an incident response plan for your business, test it and update it once a year. The plan should include a list of resources and tasks, strategies to use ahead of time and ideas for public relations scenarios.

The days when cybersecurity was only a concern for larger corporations are over. Every business is a potential target. Developing a cybersecurity defense plan is crucial to business continuity. Sadly, it’s not a question of if but of when and how bad.
