Illustration by Dalbert Vilarino
Cybersecurity is becoming a more central concern for the construction industry.
As the world becomes more interconnected through mobile technology and networked cloud computing, companies in every industry have been forced to tighten up security measures to protect their customers’ data as well as any other forms of sensitive company information.
The construction industry is no different. As it continues to embrace new technology – from data analytics to artificial intelligence, to tools continuing to help the industry advance in its overall digital transformation – it leaves itself increasingly vulnerable to the risks and threats that come with operating in a more digital ecosystem.
To combat heightened threats of cyberattacks, construction firms need to stay vigilant and current in their security measures. Here are some strategies and tactics industry experts recommend.
Issue an SSO mandate to employees
When it comes to cybersecurity, no company has to go it alone. As the cybersecurity industry has grown, so have companies that specialise in measures to help organisations keep their operations secure.
As a result, construction firms shouldn’t be afraid to work with a third party on their cybersecurity, in addition to hiring internal leaders and teams to oversee the effort.
Cybersecurity is perhaps more sensitive in construction thanks to the number of sub-contractors working alongside a general contractor on any project. For a larger construction project, there could be hundreds of sub-contractors interacting with its technology and data. This leaves these projects more vulnerable to potential cybersecurity attacks.
L. Russell Dalton, associate vice president, digital practice and technology building information modelling (BIM) for contractor AECOM, oversees the construction firm’s internal projects. He said the company ‘collaborates with a host of sub-contractors and trade contractors all across the United States on our projects, and security is of the utmost importance’.
AECOM also uses single sign on (SSO) through a virtual private network (VPN) to stay secure against cyberthreats, and the company requires that all its employees have SSO enabled on any technology they use.
‘We have our SSO mandate internally that you don’t have separate sign-ons for everything’, Dalton said. ‘So, we use VPN for single sign-on and it combines our authorisations on what we are allowed to get into. Also, in order to stay Defense Federal Acquisition Regulation Supplement (DFARS) compliant for our federal government contracts we utilise a VDI (virtual desktop environment) secure services domain.’
Dalton said the DFARS requirement became more relevant in November 2020 for areas in the company’s federal contracts with the government where they have access to classified information. ‘We run a secure services domain in a VDI environment that keeps everything behind the firewall – encrypted PCs. It’s really a controlled SCIF [Sensitive Compartmented Information Facility] in a virtual world.’
In addition to using SSO and VPN, Dalton strongly recommends that construction firms keep all data behind a firewall or use a secure cloud solution.
Use vendors that are SOC 2 compliant encrypted
Dalton said if construction firms are working on highly secure projects, they should work in an SOC 2-compliant encrypted world. In other words, select technology wisely. ‘In order to get SOC 2 compliant, you’d have to have a year as a vendor of a cloud-based system or an FTP touch system’, Dalton said.
Wherever the warehouse data is, technology vendors must have years of history and a proven track record before they can get the application for the SOC 2 compliancy.
If construction firms are working with a DFARS requirement with any government contracts, Dalton recommended that they visit the federal risk registry – the FedRAMP marketplace, which is an official website of the United States government – to verify that the vendor meets that standard. On the website, Dalton said companies can find a full listing of all common data environment applications and vendors that are FedRAMP authorised, as well as a listing of vendors that are in process.
Cloud computing provider Amazon Web Services, for instance, has 420 authorisations that are FedRAMP authorised. ‘And when we run against a project and the client says, ‘We want to use product X, and it is a FedRAMP force requirement, we have to go out to this location and make sure that it is’, Dalton said.
Train your staff
Michael Bonelli, project architect with Michael Pagnotta Architecture & Construction, said the No. 1 most important task when it comes to cybersecurity in the construction industry is to train employees to be aware of the nature of threats and the tactics commonly used by hackers.
- Be on guard against odd emails from unknown senders with unusual attachments
- Always scan email attachments before opening them with a virus scanning tool
- Regularly keep computers and other technology updated with the latest operating system
Bonelli, like Dalton, also advised construction firms to ‘install a firewall on your network and keep track of any unusual activity trying to breach your installed protection. Scan the list of IPs connected to your network and inspect for anything unusual’, he said.
Furthermore, Bonelli said construction firms should have multiple backup sources to ensure if there is a loss of files that the company can recover them efficiently to keep business operating properly. This includes backups in the cloud as well as physical hard drive backups onsite.
As technology continues to become more integrated into the industry – and as more workers embrace the post-pandemic normal of remote and hybrid work – it’s crucial that construction firms maintain a critical eye on cybersecurity and on keeping their data and operations secure. These tips are a good place to start but remember that as the industry evolves with technology, so will those trying to penetrate and steal sensitive company data.
Maintaining proper cybersecurity measures isn’t a set-it-and-forget-it type of exercise. It’s something that needs to be constantly monitored and updated.