Not all that long ago, it seemed as if the construction industry was immune to the cybersecurity threats that were plaguing other sectors. After all, financial, healthcare and consumer-focused organizations provided far richer targets with access to a wealth of personal data that could be mined by unscrupulous actors. Unfortunately, that’s all changed as cyber threats have become far more pervasive and less dependent on industry – and as hackers have realized that some construction firms were a bit behind the times when it came to implementing the latest threat protection.
In 2022, for example, the construction industry was the second most frequent target of ransomware attacks, behind only the manufacturing sector, according to NordLocker. Among the reasons for the surge is the industry’s vulnerability when it comes to project timelines, and the realization that diverting large contract payments – and accessing the accounts behind them – can be quite lucrative. That puts a target on construction firms.
Additional Requirements for Federal Contractors
What’s more, the Department of Justice unveiled a Civil Cyber-Fraud Initiative in late 2021 that increased prosecutions of cybersecurity violations by parties contracting with the government through complaints filed under the False Claims Act (FCA). This Act dates to the Civil War, when it was used to protect the government against fraud by Army suppliers. Now, the Justice Department is wielding it against government contractors who do not adhere to federal cybersecurity standards and regulations. This can also apply to third parties conducting business with federal contractors who are handling sensitive information.
While regulations are continually evolving, the main standard that contractors should be aware of is the Basic Safeguarding of Covered Contractor Information Systems. Under this, contractors are required to limit access to any systems that store federal government information. They also must mandate multi-factor authentication practices to access the system, have malware identification systems in place, and have a documented cyber incident response plan. There are additional requirements for contractors working with the Department of Defense.
Cybersecurity Best Practices for Construction Firms
With all the attention being paid to the construction industry by both criminals and regulators, it’s essential to get a handle on your organization’s cybersecurity. The most effective method is to work with a local managed IT services provider who is focused on your cybersecurity. They will have professionals in place with access to the latest security software and services to safeguard you, starting with an overarching network security plan that takes your challenges and vulnerabilities into account. Here are some basic pieces of such a plan that your IT support team can implement (although we always advocate for a comprehensive and professionally designed layered plan to provide the best protection).
Install a Firewall
A firewall is your literal first line of defense. While there are many different types of firewalls, they are essential security devices that monitor both incoming and outgoing network traffic and either allow data packets free entry to your network or deny them access. A strong firewall is particularly critical for construction firms that have employees and trades accessing their systems on private devices (cell phones, tablets, and laptops). Since you don’t control these devices, you don’t know whether their anti-virus protection is strong, current, or non-existent. When working properly and kept up to date, the proper type of firewall can help keep hackers out of your systems, but it is only one of several defenses construction firms should have in place.
Anti-Ransomware Software and Email Security
When you work with an MSP, they will have a team of skilled IT experts with access to the latest antivirus and email security software as well as the knowledge to implement a combination of defenses that will work for your business. That’s critical in the construction industry, where, as we mentioned, the sheer volume of non-employees accessing your network can leave you vulnerable to attacks. Your MSP should have a plan in place to actively monitor your networks and look for signs of anything amiss.
How do you ensure that your staff and trusted subcontractors are the only ones accessing your data? One step in the right direction is Multifactor Authentication (MFA). Instead of just asking users for a username and password, it requires an additional factor (like a cell phone text code or email verification) to access an account. Because it is harder for hackers to steal a username and password combination and also gain access to an email account or cell phone, this makes breaking into a protected system much more difficult.
The primary attacks on the construction industry today come in the form of ransomware and phishing attacks, with the latter directed at financial personnel. While a strong firewall and current anti-malware software can help prevent some attacks, the weak link in most cyber protection systems is inevitably the person behind the keyboard. Training your employees on how to spot – and avoid – the latest threats can go a long way toward keeping your business safe. Creating a safe environment where your team members feel empowered to question any sketchy email or text requests will help them learn to think before they react.
Backup and Recovery
If the unthinkable does happen, how will your business respond? A good managed IT services team will work with you to put redundant backup systems in place so that damage and downtime are both minimized if your system is attacked, or your data is held for ransom. They should work with you to determine the optimal timing of backups and to keep those backups isolated from the rest of your system. Then, they should have a recovery plan in place to get your team up and running as quickly as possible.
Are you ready to protect your construction business from cyber threats? Reach out to the IT solutions experts at Executech – we have the knowledge and expertise to build a solid foundation for your growth.