Ross

New cybersecurity threats to increasingly remote and interconnected teams can plague every design and construction team. Work-from-home mandates and other side effects of the ongoing pandemic have created more online collaboration, but also more opportunities for gaps in cybersecurity

As teams across these sectors go remote, the attack surface for cyber criminals has dramatically increased, and businesses are more exposed than ever to hacking, malware, ransomware, phishing and other digital tactics. The construction industry is particularly vulnerable, as firms in this field have widely distributed workforces under normal circumstances and regularly use remote devices as standard operating procedure. This also makes them more highly attuned to the risks and in a better position to adapt than other sectors.

Protecting the Digital Workflow

An adage in information security is that a company is only as secure as its weakest link. In the age of COVID-19, this presents major logistical difficulties and cybercriminals know this. While construction and design firms were innovators in terms of remote work due to the large amount of projects happening on sites distributed across metro areas, states and even countries, when most firms’ office staffs started working overwhelmingly from home, security protocols could lag. Every laptop, tablet and mobile phone on which company work happens needs to be considered part of a firm’s digital network, and the Wi-Fi at field offices, home offices or coffee shops where your people may work represent a potential open door to your firm’s data.

Safirstein

Most breaches occur not because the tools fail, but because of human error. Teams need to be trained regularly on protocols and on what to look for in terms of threats. They also need to know what kinds of networks are safe to access. Similarly, in the construction field, there is a high amount of collaboration between firms, so understanding the security posture of each firm needs to be high on every company’s risk matrix.

Cybercriminals have also become more sophisticated. You may not be dealing with a computer virus in the ways people traditionally think of them. A phishing scammer may gain access to your internal accountant’s email and monitor it over the course of weeks to learn the accountant's writing style and how he or she interacts with contacts. That language pattern can then be used to send a real-looking invoice or change order along with a new routing number that the criminal can access.

Owners and facility operators, architects, engineers, general contractors, construction managers, vendors and subcontractors may all be interacting with your data or your digital networks. It’s important to encrypt all devices and have proactive measures in place to handle the collaborative nature of construction work.

Data and Interconnectivity Risks

A major development in recent years has been the rise of smart buildings, cloud storage and the internet of things to create greater efficiencies, better data insights and heightened sustainability. The construction industry has been a part of this, particularly when it comes to fit-outs of existing spaces. Even in ground-up construction, advances in technologies like BIM, virtual reality (VR), augmented reality (AR) and digital twins have added a new world of tools to create safer and more efficient projects. Similarly, safe storage and backup are more important than ever for the data and insights these services provide. The flip side to this is that every new connection or technology is a potential attack point, and bad actors know that information is currency.

For some time, the need for security in industrial control systems (ICS) was poorly understood as network operators clung to the notion that their environments were protected by the air gap separating the organization’s IT network from the ICS network. However, the continued deployment of IT connectivity and communications technologies in ICS environments combined with the recent growth in ICS-specific threats has forced ICS operators to begin taking security seriously. For example, wireless sensors that can be deployed in remote locations to monitor equipment performance can be accessed by hackers. Additionally, many of these technologies are provided by third-party vendors, which means a further expansion of your exposure. You can, for example, have a target breach through an HVAC vendor, and then the hacker can potentially access all of your data in the cloud or gain control of your other systems.

Essential Security Posture

Corporate governance is key to combating this. Now is the time to update security standards for our new remote and connected normal. Make a long-term plan, train your teams regularly. Schedule daily backups of your data. Implement multifactor authentication and use encrypted remote access procedures for all personnel, not just site teams. Restrict your administrative and user privileges. Patch and update your operating systems and applications regularly, and prevent unapproved applications and software from running on all of your network devices. Most importantly, use an experienced IT and cybersecurity consultant to audit your systems regularly.

Be Offensive, Not Defensive – Threat Hunting

To stop cyber criminals or state-sponsored actors before a breach materializes requires you to be proactive and vigilant. A customized plan to target, pursue and eliminate threats on your network is the best tactic to stay out of harm’s way. Traditional endpoint and network security products simply aren't enough to protect the modern enterprise. After all, most of these offerings have just expanded on the same frameworks that hackers have successfully exploited for years. Offensive cybersecurity strategies preemptively identify vulnerabilities and security weaknesses before an attacker exploits them. These strategies actively test the network’s defenses and provide valuable insights into a firm’s cyber security posture.

At the end of the day, construction companies and design firms need to make data security and privacy a priority for all team members. As our industries evolve to embrace new and exciting technologies that open up possibilities and attract a new generation of talent, everyone needs to be aware of the risks. Just as environmental, health and safety hazards are a central concern of work cultures now, we need to include cybersecurity as a pillar of our flexible way of building.

Phillip Ross is an accounting and audit partner at Anchin, Block & Anchin LLP and serves as the leader of the firm’s Architecture and Engineering and Construction Industry groups. Russell Safirstein is partner in charge of Anchin Digital Risk Solutions.