THE CYBER SECURITY IMPERATIVE IN THE CONSTRUCTION INDUSTRY

The Cyber Security Imperative

Raising virtual defenses in the construction industry

It’s time to prioritize cyber security in construction. As digital attacks surge in frequency and severity, contractors of every size will have to shore up their virtual defenses.

“Ready or not, construction companies are a high-priority target for cyber attackers,” says Jana Krioukov, Director of Special Advisory Services and Chief Technology Officer with Orna Inc. “The threats are real, they’re happening, and everyone is on the radar.”

Krioukov was among several cyber security specialists to take the stage at ORBA’s 2022 Summit. She was joined by Elliot Steele, Director of Information Technology at Powell Group, and Jason Williams, Senior Officer, Security and Compliance at Aecon Group Inc.

“For every company, it’s essential that IT is operating effectively and efficiently, and cyber security is a key element of being able to deliver that service,” notes Jason Williams.

That may be the case, and yet raising the profile for cyber security among roadbuilders and the construction industry at large remains a challenge. The issue isn’t necessarily a lack of awareness, but lingering assumptions that the construction community isn’t of interest to would-be attackers.

There’s a misconception that construction companies don’t possess any valuable data and aren’t that lucrative of a target when, in reality, the opposite is true. - Jana Krioukov

Certainly, as companies continue to embrace new technologies and digitize their operations, they are accumulating a wealth of valuable digital assets. These can range from project blueprints to proprietary plans, personal information to financial data, and any number of sensitive documents that are of monetary value to bad actors. It’s no surprise, then, that the North American construction industry is the third-most targeted industry for ransomware attacks¹ in which data and systems are held hostage by hackers. At last count, IBM estimates the cost of responding to and recovering from such incidents is averaging at $4 million each².

“There are a lot of cyber threats to the construction industry, but ransomware is the biggest,” says Williams. “We’ve seen it globally where companies stop being able to function while they’re trying to recover from a ransomware attack. That’s why an organization’s focus should be to close as many gaps in their cyber defenses as possible to minimize the risk of a potential impact to operations and strengthen their cyber resilience.”

Miscalculated risks aside, there is also the reality that the construction industry hasn’t traditionally been held to the same cyber security standards and expectations as other sectors such as finance, healthcare and public services. As a result, organizations have been slower to invest in cyber security controls and adopt best practices. Nevertheless, Krioukov says, “It’s time to catch up.”

Everyone in the crosshairs

No contractor is immune from cyber risks. That includes small to medium-sized contractors who may believe they are small fry compared to their larger partners and so aren’t compelled to prioritize cyber security. In reality, it’s this thinking that makes small to medium-sized firms low-hanging fruit.

“Think about it this way,” offers Krioukov. “If a thief is walking around a village and checking all the doors, they’re not going to bother with a house with 20 secure locks. Instead, they’re going to try the house with an easy latch.” It’s in every company’s best interest to keep that door closed. Research has shown that around 60 per cent of small to medium businesses who experience an attack go out of business within six months due to the damage they incurred and the costs of getting back on track.

“Everyone in the construction industry has a big bullseye on their back. We might not think we have the proverbial ‘codes to the nuclear bomb,’ but the truth is everyone is a source of valuable information,” says John Provenzano, Director of Marketing and Communications with ORBA. “That’s why cyber security is a priority for the industry. It’s also why ORBA is raising the alarm.”

Surveying the risks

Ransomware attacks may dominate the headlines, but they represent a fraction of the cyber risk landscape. “We tend to categorize the risks from low to high. So a low-risk event would be when someone gets into your email system and starts sending out emails to your partners on your behalf,” says Elliot Steele.

This incursion is harmful to a company’s reputation, but can be dealt with. The larger risks take shape when an attacker gains access to a company’s system and begins stealing data, corrupting systems, intercepting payments, scamming contacts, or conducting any number of nefarious “insider” activities.

In addition, in the era of email, cloud computing, and connected systems, no company is a virtual island. As such, construction companies are targets for both the data they possess and the access they may grant.

“Everyone in the road building industry intermingles and they’re all going back and forth with sensitive information,” says Steele. “Malicious players know that, so they’ll look for the weakest point of entry to get into that ecosystem and move up the chain to the bigger players.”

Therefore, the goal of a cyber strategy isn’t simply to keep the individual company secure, but to hold the line for everyone in their network. “Having strong cyber security practices is mutually beneficial. It’s important we work to protect not only our own organizations, but also our partners. It’s also why we look at how our partners are protecting themselves and make sure they’re being held to the same standards we set for ourselves,” says Williams.

It’s a cliché, but it’s true: when it comes to cyber security, a supply chain is only as strong as its weakest link. That’s why more and more contracts in North America are now being issued with cyber security riders that hold bidders accountable for proving they are cyber mature, be it through industry certification, internal reviews, or SOC (Service Organization Controls) reporting. “We’re even seeing those kinds of stipulations in Ontario where contracts are asking for details on your cyber security in terms of password policies, email security, anti-virus systems, and the like,” Steele adds. “Eventually, we’re going to be at a point where these conditions are required and those that don’t already have them will spend a lot of time and money catching up.”

A competitive advantage

Being cyber mature isn’t all about protecting finances and reputations. It’s also about instilling the training, controls, and strategies to gain a competitive advantage.

“If you can answer ‘yes’ to all 20 questions on a contract owner’s cyber security questionnaire, but your competitor can only answer five, then you’re going to rank higher,” says Steele. Krioukov notes, “If you already have those best practices in place, then you can turn this around and advertise that you are taking correct steps to protect your client’s privacy and the information that they trust you with, and that will definitely give you an advantage when bidding.”

Cyber security 101

The message couldn’t be clearer: now is no time to leave cyber security on the back-burner. Still, increasing one’s cyber maturity takes more than a few password refreshes and antivirus software. It’s a living, breathing strategy comprised of defined roles, evolving controls, and a company-wide commitment.

The nuts and bolts of a cyber strategy will differ for each company depending on their data and level of exposure. By and large, however, it will include the three key elements — people, technology, and processes.

1. PEOPLE

Employees are often the first line of defense in a cyber attack. Without the proper training and awareness, they are susceptible to phishing attacks or scams that can trick them into revealing passwords or other sensitive information. Employees may also make the company vulnerable by visiting malicious websites using company computers or conducting business with their personal connected devices, which can make it easy for viruses and malicious code to worm their way into connected company systems.

All told, cyber security begins with proper training, password management, device management practices, and other skill-development initiatives aimed at taking the human element out of cyber security risk. “On the people side, it’s all about awareness,” says Williams. “It’s making sure that people know how to identify risky or suspicious behavior and what to do when they spot it.”

2. TECHNOLOGY

There are many tools that can help organizations protect their IT environment and understand the potential risks. These range from perimeter security software (e.g. firewalls) to anti-virus software, and even more sophisticated artificially intelligent risk assessment tools such as endpoint detection and response (EDR) and managed detection and response (MDR) solutions. Importantly, all cyber security technology needs to be properly configured, monitored, and updated (i.e. patch management) to ensure it can safeguard the company against the latest threats.

3. PROCESSES

Every piece of tech introduces an element of risk. As such, it’s critical that processes are in place to ensure those risks are identified and addressed before flicking the switch. That may mean slowing down tech integrations and implementations, but using the extra time to embed cyber security processes (e.g. multi-factor authentication).

In addition, organizations may consider conducting penetration testing (aka “Pen testing”) in which a third-party cyber security firm simulates an attack on the network and uses the results to discover vulnerabilities and potential remedies.

These elements are fundamental to forming a cyber security strategy. That strategy won’t work, however, unless it’s championed from the top.

“You can have all the right pieces in place, but the success of a cyber security strategy boils down to how much of a priority the leadership team and the executives make it for the organization,” says Williams. “Once you get that buy-in from leadership, it trickles down. Everyone begins to understand why cyber security is a priority and how it impacts the organization. Once that’s conveyed, that’s when people get it right.”

A calculated response

Prevention is key, but a company’s response to a cyber incident is no less critical. To that end, it’s important to have a pre-made cyber incident response game plan that outlines who needs to act and exactly what needs to happen the moment a breach occurs.

“Cyber incident response strategies are probably the most overlooked part of cyber security, and yet they are probably the most important — if not equally important — aspect,” says Krioukov.

Cyber incident response plans exist to mitigate damage and keep everyone in the loop. Effective plans will include clearly defined roles and responsibilities when managing affected systems, implementing safeguards, and contacting stakeholders. “Managing the information that goes out to your clients, the public, and your employees is very important and can play a huge role in an incident in terms of preserving your company reputation,” says Krioukov. “When you control the narrative, you can minimize the reputational damage.”

Raising the profile

Addressing cyber security can seem overwhelming and costly. The good news is that while cyber security strategies are complex on paper, there are several simple and free things companies can do today to strengthen their security now.

One quick step is to enable multifactor authentication (MFA) on email and other systems that are accessible online as this will add a second layer of user verification. Another is to take time now to ensure all systems are using the latest security updates. As for the people side of cyber security, there are ample free videos online (e.g. YouTube) that can be used to train employees on identifying and responding to phishing scams and other social engineering hacks. “There are things small to medium-sized companies can do that are inexpensive or free that can really strengthen their security posture, and free resources like these will go a long way in making them more secure,” says Steele.

There is also strength in numbers. As such, it may benefit a company to reach out to industry peers or consultants to gain fresh perspectives on cyber security risks and best practices.

“One thing we suggest is to pick up the ORBA Sourcebook and start the conversation,” says Provenzano. “Find another member or industry partner who has experience with this issue and just start talking. You’ll likely realize that you’re more vulnerable than you actually thought you were, but you’ll also see there are many people and resources out there who can help.”

“Yes, it could cost money,” he adds, “but those costs are nothing compared to what you’ll be paying if you get in trouble.”

Of course, road builders are no strangers to adaptation. And with over a century of overcoming the obstacles in its path, ORBA and its cyber security partners are confident members will prevail.

“One of the things that I love about the people in the construction industry is there’s an absolute want to learn and adapt,” says Steele. “That makes sense because they work in a constant environment of change where no two jobs are ever the same. So yes, there’s some work to do, but we’re talking about an industry that’s incredibly adaptive and willing to act.”

Matt Bradford is an industry writer for the Canadian construction industry. He can be reached at mirbradford@gmail.com.
