As the construction industry brings more of its processes and even equipment online, the number of potential exploitation points for hackers and data thieves has grown. Keeping your customer data, proprietary secrets or other confidential information out of the hands of cybercriminals is an essential component of a modernized construction operation.
Construction Executive writes that in spite of the heavy use of IT infrastructure in construction, the industry doesn’t see itself as a particularly juicy target for hackers, which, somewhat ironically, only increases the likelihood of them being targeted. The potential ramifications of a data breach can be severe, and could impact everything from the company’s reputation to its market valuation, and subject companies to the inevitable costly measures required to recover from a breach.
And it’s a problem gaining prominence in the industry. Alexander Head, chief research officer at SecurityScorecard recently told Construction Dive that the rise of connected devices is making construction companies ever more vulnerable to attack.
"The focus of malicious actors on the construction industry is expected to increase significantly within the coming years as construction firms begin standardizing the integration of 'smart' devices and IoT devices such as thermostats, water heaters, and power systems. These new IoT devices will create a larger attack surface that previously did not exist,” he said.
Cyber Attackers can gain access to sensitive systems in a number of ways.
Cyber Attackers can gain access to sensitive systems in a number of ways. Malware is malicious software which disguises itself as something harmless and aims to trick users into clicking it, at which point the software can harm the host system or reveal sensitive information. Keyloggers are programs installed that track and record every keystroke and can be used to find user logins and passwords, credit card or bank information and more. Spear phishing attacks use deceptive emails targeting specific users within an organization containing a link to malware or other malicious software. If the user clicks it, the program is initiated.
One of the most rudimentary ways to safeguard operations against such intrusions is to offer employees comprehensive training on how to detect and avoid such attempts. It should be common knowledge to anyone with system access that you should never click a link in an email from an unknown source, or open a piece of software that’s not familiar.
Of course, deception is how these attacks propagate, using email addresses that often mirror ones within the organization to attempt to trick users. If an employee receives a suspicious email or file, rather than opening or clicking it, there should be someone within the organization to forward the email to who can identify such threats and verify if a link or file is safe to open.
Another best practice is to keep all software current and install patches as they’re released, particularly security patches. Cyber attackers exploit vulnerabilities in systems left wide open by outdated software. Passwords should be changed regularly and difficult if not impossible to guess. Passwords like “password” or “12345” are shockingly common, and provide virtually no safeguard against attacks. Passwords should contain alphanumeric characters, special characters ($, %, #, etc.) to thwart attempts by software that can easily crack simple passwords.
Any third parties with access to your company’s system should use the same rigorous standards. The best in-house cybersecurity training in the world won’t stop an attacker from breaching a system through a third party if they’re careless with your passwords or stored data.
A company’s sensitive information should be cloistered off in silos specific to each device or storage system containing it.
A company’s sensitive information should be cloistered off in silos specific to each device or storage system containing it. That way, if one device is breached it doesn’t give the intruder access to the entire system. Some companies, according to Construction Dive, even keep the most critical data on an offline server, cutting off any outside access to potential hackers.
When it comes to cybersecurity, the hard truth is that as long as there is interconnectivity, there will be breaches, either by sophisticated state-funded hacker groups or rogue individual mischief makers and thieves. In order to avoid a breach, security methods must achieve a 100% success rate, while a hacker only has to be successful once to cause potentially severe damage to a company. Even a single breach can permanently ding a company’s reputation and harm its perception of trustworthiness, so locking down security procedures is critical as we move forward in the information age.