Five years ago, a cyberattack on Target led to the breach of almost 100 million people’s names, addresses and credit card information; the full scale of the attack, or its aftermath, hasn’t been confirmed by Target. But one thing, at least, is certain: this was very bad for four parties: bad for business—Target’s reputation took a massive hit, they paid a $20 million settlement, and over $200 million in legal fees; bad for Target’s then-CEO, who was fired in the wake of the hack; bad for people whose information was stolen and possibly fraudulently used; and very, very bad for Fazio Heating and Cooling, LLC, an HVAC subcontractor from Pennsylvania doing work for Target, through whose system hackers entered and then gained control of “secure” data. In plain English—a Fazio employee clicked on a phishing email, and the rest is history. I bet having their name forever associated with one of the largest cybersecurity breaches in US history hasn’t helped business. According to Brian Krebs, who runs a blog called Krebs on Security, hackers made their way to Target’s payment data using Fazio’s network credentials. And while it may seem an oddity that Fazio’s portal was ultimately connected to Target’s payment processing system, Krebs says it’s not in fact that unusual, since many companies allow third-party vendors remote access to monitor such things as the temperature in the store, or electricity usage during off-peak hours.
James Benham, founder and CEO of JB Knowledge, a contractor consulting company, says that unfortunately, while the example of Target and Fazio may be the largest such case, breaches such as these and other types are hardly rare in the construction industry. He says that 10% of the companies he advises admit to having been victims of ransomware like CryptoLocker, which infects machines, encrypts the data, and then holds that data “ransom” until a sum has been paid to the hackers. Even then, by that point some of the data has already been sold off on the dark net to a thriving community of thieves, fraudsters, and WWW pirates.
Benham warns that very often GCs and subcontractors don’t feel they’ve got much of value in terms of data: site plans, building data—what could that be worth? What they often don’t realize is that networks are connected, so a breach into one seemingly unimportant system can lead to a much larger breach elsewhere, as in the Target attack. But there’s another scenario that’s even more unpleasant to imagine: site plans contain incredibly useful information to thieves or, even worse, terrorists. Having knowledge of the locations of all means of access and egress can allow terrorists to enter a building and then seal it off to inflict maximum damage.
Benham says there are three basic things any company can do to get on the road to securing their data. Step one is to acknowledge there’s data worth protecting. “If you don’t recognize that,” he says, “then really nothing else matters. That’s certainly the biggest challenge I see when dealing with construction companies—many simply don’t acknowledge the level of data they have in their possession.”
Step two, according to Benham, is to buy cyber insurance. Don’t wait to buy insurance for that sort of thing until you have to pay millions of dollars to a hacker somewhere who is holding all your data hostage.
And finally, step number three is to grab the low-hanging fruit. “It’s the classic 80/20 rule,” Benham explains. “20% of the work you’ll do will cut out 80% of the risk. There’s still going to be risk there, but if you just do basic fundamental things, rotate passwords, use VPNs, add two-factor authentication, then you’re significantly mitigating the vast majority of low-cost, simple threats that are coming your way.”
Charles Haber, founder of Haber Group, a managed service provider specializing in AEC firms, echoes those precautions and also recommends simple things like changing passwords regularly, and installing firewalls and other security software. Plus, Haber adds, “Typically, jobsite computers are purchased at the beginning of a job and not well managed during the length of the project. Windows computers need to be on Windows 10 and regularly updated. We prefer them to be joined to an Azure Active Directory service for additional security and management. They should be part of the company’s overall computer management plan.”
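The jobsite-computer baseline Haber describes (Windows 10, regularly updated, joined to Azure Active Directory) can be checked on each machine rather than taken on trust. The script below is an added example, not code from the article or from Haber Group; it reads the OS version from Win32_OperatingSystem, the most recent installed update from Get-HotFix, and the Azure AD join state from `dsregcmd /status`. The 45-day update threshold and the function name `Get-JobsitePcAudit` are assumptions chosen for illustration, not values from the article.

```powershell
# Added example (not from the article or Haber Group): audit one jobsite PC against
# the baseline quoted above. Run in an elevated PowerShell session on the machine.

function Get-JobsitePcAudit {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Windows 10 and later report a major version of 10 (e.g. "10.0.19045")
    $isWin10OrLater = [version]$os.Version -ge [version]'10.0'

    # Most recent update recorded in Win32_QuickFixEngineering; some rows have no InstalledOn, so filter them out
    $latestFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    $daysSinceUpdate = if ($latestFix) {
        (New-TimeSpan -Start $latestFix.InstalledOn -End (Get-Date)).Days
    } else { $null }

    # dsregcmd /status prints the device join state as a line like "AzureAdJoined : YES"
    $dsreg = dsregcmd /status
    $azureAdJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES' -Quiet)

    # Assumed threshold: flag a machine that has gone more than 45 days without an update
    $maxDaysWithoutUpdate = 45

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSVersion        = $os.Version
        Windows10OrLater = $isWin10OrLater
        LastUpdateDate   = if ($latestFix) { $latestFix.InstalledOn } else { 'none found' }
        DaysSinceUpdate  = $daysSinceUpdate
        AzureAdJoined    = $azureAdJoined
        Compliant        = $isWin10OrLater -and $azureAdJoined -and
                           ($null -ne $daysSinceUpdate) -and ($daysSinceUpdate -le $maxDaysWithoutUpdate)
    }
}

Get-JobsitePcAudit | Format-List
```

Running this at project kickoff and again on a schedule gives the management plan Haber mentions something concrete to act on: a machine that reports `Compliant : False` is either on an old OS, has not been patched recently, or was never joined to the directory. It checks the local machine only; a fleet-wide view would come from whatever management tooling the company already uses.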
Finally, it is imperative to educate employees—that can help prevent hackers from getting a foot in the door in the first place. Train them on what to look for to protect themselves and the company. One of Fazio’s employees clicked on a malicious link in a phishing email. That’s all it took. The fate of your company, whether you’re a GC or a subcontractor, can depend on one click. Take the time to train the folks you work with, so you can keep your data, and your company’s future, secure.