Much of the discussion about the new normal for the architecture, engineering and construction industries focuses on how to keep the workforce protected from potentially deadly pathogens and the resultant economic fallout of the pandemic. These, of course, are top priorities for any firm and project owner right now, but there is another area that merits a great deal of attention that directly impacts the health of your construction and design business: new cybersecurity threats to our increasingly remote and interconnected teams.
As teams across these sectors go remote, the attack surface for cybercriminals has dramatically increased, and businesses are more exposed than ever to hacking, malware, ransomware, phishing and other digital tactics. The construction industry is particularly vulnerable, as firms in this field have widely distributed workforces under normal circumstances and regularly use remote devices as standard operating procedure. This also makes them more highly-attuned to the risks and in a better position to adapt than other sectors.
Protecting the Digital Workflow
An adage in information security is that a company is only as secure as its weakest link. In the age of COVID-19, this presents major logistical difficulties, and cybercriminals know this. While construction and design firms were innovators in terms of remote work due to the large amount of projects happening on sites distributed across metro areas, states and even countries, when most firms’ office staffs started working overwhelmingly from home, security protocols were likely lagging. Every laptop, tablet and mobile phone on which company work happens needs to be considered part of a firm’s digital network, and the wi-fi at field offices, home offices or coffee shops where your people may work represent a potential open door to your firm’s data.
Most breaches occur not because the tools fail but because of human error. Teams need to be trained regularly on protocols and what to look for in terms of threats. They also must know what kinds of networks are safe to access. Similarly, in construction, there is a high amount of collaboration between firms, so understanding the security posture of each firm must be high on every company’s risk matrix.
Cybercriminals have also become more sophisticated. You may not be dealing with a computer virus in the ways we traditionally think. A phishing scammer may gain access to your internal accountant’s email and monitor it over the course of weeks to learn their writing style and how they interact with contacts. That language pattern can then be used to send a real-looking invoice or change order along with a new routing number that the criminal can access.
Owners and facility operators, architects, engineers, general contractors, construction managers, vendors and subcontractors may all be interacting with your data or your digital networks. It’s important to encrypt all devices and have proactive measures in place to handle the collaborative nature of construction work.
Data & Interconnectivity Risks
A major development in recent years has been the rise of smart buildings, cloud storage and the Internet of Things to create greater efficiencies, better data insights and heightened sustainability. The construction industry has been a part of this, particularly when it comes to fit-outs of existing spaces. Even in ground-up construction, advances in technologies — like building image modeling (BIM), virtual reality (VR), augmented reality (AR) and digital twins — have added a new world of tools to create safer and more efficient projects. Similarly, safe storage and backup are more important than ever for the data and insights these services provide. The flip side to this is that every new connection or technology is a potential attack point, and bad actors know that information is currency.
For some time, the need for security in industrial control systems (ICS) was poorly understood as network operators clung to the notion that their environments were protected by the air gap separating the organization’s IT network from the ICS network. However, the continued deployment of IT connectivity and communications technologies in ICS environments, combined with the recent growth in ICS-specific threats, has forced ICS operators to begin taking security seriously. For example, wireless sensors that can be deployed in remote locations to monitor equipment performance can be accessed by hackers. Additionally, many of these technologies are provided by third-party vendors, which means a further expansion of your exposure. You can, for example, have a target breach through an HVAC vendor, and then the hacker can potentially access all of your data in the cloud or gain control of your other systems.
Essential Security Posture
Corporate governance is key to combating this. Now is the time to update security standards for our new remote and connected normal. Make a long-term plan, and train your teams regularly. Schedule daily backups of your data. Implement multifactor authentication, and use encrypted remote access procedures for all personnel, not just site teams. Restrict your administrative and user privileges. Patch and update your operating systems and applications regularly, and prevent unapproved applications and software from running on all of your network devices. And importantly, use an experienced IT and cybersecurity consultant to audit your systems regularly.
Be Offensive, Not Defensive
To stop cyber criminals or state-sponsored actors before a breach materializes requires you to be proactive and vigilant. A customized plan to target, pursue and eliminate threats on your network is the best tactic to stay out of harm’s way. Traditional endpoint and network security products simply aren’t enough to protect the modern enterprise. After all, most of these offerings have just expanded on the same frameworks that hackers have successfully exploited for years. Offensive cybersecurity strategies preemptively identify vulnerabilities and security weaknesses before an attacker exploits them. These strategies actively test the network’s defenses and provide valuable insights into a firm’s cyber security posture.
At the end of the day, construction and design firms need to make data security and privacy a priority for all team members. As our industries evolve to embrace new and exciting technologies that open up possibilities and attract a new generation of talent, everyone needs to be aware of the risks.
Phillip Ross ispartner and leader of the Architecture & Engineering Industry Group and Construction Industry Group, and Russell Safirstein is partner in charge of Digital Risk Solutions at Anchin, Block & Anchin.