Austin Construction News • AUG 2019
Page 5
Top cybersecurity concerns for the construction industry
The facts about OSHA 10 & 30 hour cards
Denis G. Ducran, Senior Counsel Peckar & Abramson Houston, TX
Joann Natarajan Compliance Assistance Specialist OSHA Austin, TX
M
odern technology has made many things more convenient, from email in your pocket to looking at who is ringing your doorbell by glancing at your phone. But constant connectivity has also opened us up to attacks and as such, it is more important than ever to be vigilant and prepared. Because the construction industry is not always at the forefront of adopting new forms of technology, particular emphasis must be placed on cybersecurity and data privacy. Below are some of the top concerns for the construction industry related to cybersecurity and data privacy and why ongoing training is essential. The Internet of Things In today’s world, we are hard-pressed to find devices which are not “smart” or connected to the internet. Every time you ask Siri a question or start the car from an app on your phone, you are using the internet. Baby monitors, HVAC systems, home security, smart lightbulbs, the list that makes up the internet of things goes on and on. All of this connectivity is wonderfully convenient, but any time a piece of equipment accesses the internet, it is exposed to hackers. Many people may ask, “what does it matter if hackers gain access to the air conditioner?” Besides the obvious temperature control issues, this can be a point of entry for hackers to gain access to more sensitive computer systems where personal and business information is stored. Many believe that is exactly what happened during Target’s well-publicized data breach. Hackers gained access to Target’s POS system through an HVAC vendor without proper security. As a result, training is essential for contractors and subcontractors who are given access to networks or other portals.
willingly provide thinking that the attacker is a trusted colleague. Spear phishers go after who they believe are likely to have access to and will provide them the information they need.
Jobsite Security Hackers will always seek the path of least resistance. If the front door is locked why not see if the back door will open? With cyber attacks making headlines many companies have invested money in securing their data and implementing best practices regarding cyber security in the home office. But what about on the jobsite? Construction sites are buzzing with activity and oftentimes have computers or devices that connect to networks at the home office. If devices are left unlocked or someone enters a restricted area undetected they now have access to those systems and the money and time invested in securing the home office was for naught. For this reason, dual-factor security is gaining popularity and highly recommended by IT professionals. This type of security requires a secondary device such as a smart phone to log into a computer.
Liability Liability in the event of a cyber attack is a major concern in the construction industry. Who is to blame and who should bear any losses? Whether it is the owner/developer, the contractor or the subcontractor the fingers will be pointing. Going even one step further, what will insurance cover in the event of a cyber attack or data breach? It will be very important moving into the future that cyber security and data privacy concerns are worked into contracts so that everything is clear from the outset. With proper training, hopefully liability will not be the ultimate problem, but it is important to consult with an attorney fluent in these issues when drafting and negotiating contracts. Fortunately, many insurance markets have started to offer cyberinsurance products to protect against some of these risks.
Phishing/Spear phishing While not specific to the construction industry, phishing and spear phishing are major threats that must be protected against. Numerous contractors have been victimized by these scams to the tune of millions of dollars. With potentially hundreds of employees, hackers want Personally Identifiable Information (PII) or access to company information that can, in some way, get them money. With phishing, attackers are looking for information or login info from the target. This will be a more generic email casting a wide net looking for low-hanging fruit. Spear phishing is more targeted. Attackers engage in social engineering, such as looking at LinkedIn or other websites to find out who your colleagues are, potentially spoof their email addresses and mention colleagues in an email, ultimately hoping that you will provide the information they need to access your system or steal personal information that you
Payments One major cyber security problem many companies face is spoofing – where an email looks like it is coming from a reputable, known source. The email appears to be from a friend, colleague, vendor, etc. when it is actually from a malicious actor. The construction industry deals with many payments from developer to contractor and contractor to subcontractor. Often these are very large sums of money. If an outside actor finds out about a regularly scheduled wire transfer they can send an email shortly before or at the time a payment is due asking the company to change the routing information. At that point, if undetected, the money is being handed to the attacker instead of its intended recipient. This can create substantial financial loss, and in the worst case, causes companies to go out of business.
Government Requirements Anyone working on public projects or government contracts will need to not only be aware of cybersecurity issues to protect public infrastructure, but also will need to understand government requirements related to cybersecurity. Depending on the project, contractors will need to adhere to different standards about cybersecurity and data protection. The construction industry faces daily challenges due to the complexities of cyber security, information integrity and data privacy. Increased awareness and ongoing training will assist the construction industry avoid incidents before they occur. Denis G. Ducran is Senior Counsel in Peckar & Abramson’s Houston office. A board-certified construction lawyer and registered architect, he focuses primarily on construction industry transactions, litigation, arbitration and risk management. He may be reached at: dducran@pecklaw. com.
M
any general contractors ask their subcontractors to obtain OSHA cards for their workers. This often refers to OSHA’s 10-hour and 30-hour safety courses. Unfortunately, there has been an increase in fraudulent activity related to these courses over the past several years. Knowing the facts can help workers avoid fraudulent trainers and courses. FACT: Only OSHA-authorized trainers may teach 10- and 30-hour safety courses and issue OSHA student course completion cards. These trainers are authorized by an OSHA Education Center to teach OSHA 10 and 30 hour courses. The 10-hour safety course covers general safety and health hazards for entrylevel workers. The 30-hour safety course provides a greater variety of safety subjects and in-depth, industry-specific training and is intended for supervisors and workers with safety and health responsibility. While fraudulent actors may advertise OSHA 10-hour training, only OSHA-authorized trainers can issue course completion cards at the end of the training.
FACT: OSHA does not require completion of these courses, but may require other training for workers that encounter certain workplace hazards. Although some states, cities, and job creators have mandated Outreach Training Program courses as a prerequisite to employment, OSHA does not require the training. In other cases, jobs may include workplace hazards that require training to meet OSHA standards, such as training on common chemical hazards encountered in the workplace, or operator training for specific powered industrial trucks on the jobsite. Be sure to check your local requirements and consult the relevant OSHA regulations.
FACT: OSHA publishes a public list of authorized trainers at: https://www.osha. gov/dte/outreach/outreach_trainers. html to help workers find legitimate training and avoid fraud. The list provides trainer names and contact information, and denotes which course each trainer is authorized to teach (i.e., construction, general industry, maritime, disaster site worker). Courses are also available in Spanish and online from the appropriate authorized trainer. FACT: Taking the course does NOT guarantee employment. While OSHA believes this training is an important first step towards workplace safety, beware of advertisements “guaranteeing” jobs after taking the course.
FACT: The OSHA 10 hour card belongs to the worker that attended the course. The employer is not allowed to keep worker’s cards, even though the employer may have paid for the worker to attend an OSHA 10 or 30 hour class. Keep these facts in mind when searching for courses and trainers to ensure proper safety training and avoid fraudulent courses. If you come across any fraudulent actors, please contact the Department of Labor’s Office of Inspector General at https://www.oig.dol.gov/ contact.htm For more information, visit the Outreach Training Program website at: https://www.osha.gov/dte/outreach/ natarajan.joann@dol.gov 512-374-0271 x232