Best practices for cybersecurity in construction

Bryce Austin from TCE Strategy shares some of the top tips and best practices for cybersecurity in construction with Trimble Viewpoint

When it comes to cybersecurity, Bryce Austin has seen it all. He built his consulting firm, TCE Strategy, around helping business clients understand threats and developing strategies to protect their data. Let’s take a look at a few of the top cybersecurity tips and best practices that Austin has shared with Trimble Viewpoint.

Understanding risk and methods of mitigation

Cybersecurity is a vital part of construction risk management. At its heart, cybersecurity is about risk mitigation. Just like other risks, there’s no way to guarantee a data security event will never happen; all we can do is be well prepared if or when it does. According to Austin, there are three risk responses that businesses can choose to engage in:

1. Quantify the risk, and then accept it
2. Mitigate the existing risks to an acceptable level
3. Transfer risks to a third party

These categories are true across most aspects of security—and it’s about being proactive.

“If you can see the freight train coming, it’s much easier to get off the tracks than it is to try to put the pieces back together after you get hit,” Austin said.

Focus on stopping ‘Phishing’

Phishing is one of the first steps cyber criminals will take in attempting a breach of your data.

First and foremost, Austin said, is knowing where to focus. Phishing is a great place to start, because so many aspects of cybersecurity—from breaches to ransomware—begin with phishing. It’s critical that teams and their third party partners understand what to look for.

“Cybersecurity experts might know what phishing is, but do your technology users know?” Austin said. “Do users know it could be text messages? Spam calls pretending to be someone else? Emails? Any user that interacts with technology in the business must be educated about what phishing is, so they know how to prevent it.”

The good news is, there is a common methodology to every breach, a chain of events in which each step is necessary for the hacker to succeed:

1. Phishing—sending fraudulent emails to induce the recipient to reveal important personal information, like credit card numbers or social security numbers.
2. Hopping—a cyberattack targeting a company’s third-party vendors in an attempt to hack that company’s data.
3. Scraping—collecting and copying large amounts of data from a website or application for later malicious use.
4. Aggregating—compiling and consolidating massive amounts of data into a single entry for easy transfer.
5. Exfiltrating—an unauthorised transfer of sensitive data into the custody of a malicious actor.

Disrupt any of those steps and companies can stop the breach. Or, as Austin says it: “Stop any step, stop any breach. All of these things have to happen in order for a breach to take place. And if you can detect and disrupt any one of these five, you will stop the breach. That’s an important take-home message.”

3 construction cloud security tips

Cyber criminals will look for areas to exploit, but if strong safeguards are in place, they’ll likely move on to another target.

Austin suggests thinking of ‘the cloud’ as the internet – a way for you to get computing services from other companies delivered essentially to your door. Cloud services offered by Microsoft, Google, and Amazon (the big players in the space) vary but all have essential security features.

Moving maintenance onto cloud platforms alleviates one element of stress. However, personal computers still have a critical part to play in the cybersecurity of your company, but it’s about the behaviour as well: the password you choose, or whether or not you set up additional security measures.

Those measures include things like multi-factor authentication (MFA), which is a way to utilise multiple personal features to secure a device or program.

There are three types of information to confirm your identity with a computer:

1. Something you know, like a username
2. Something you have, like your car key or your smartphone, and
3. Something you are, like a facial recognition scan or a fingerprint.

Cloud Tip #1: Secure administrator portal credentials

“If you have a cloud service of any sort, it’s very important that you secure the administrator credentials to that port very, very strongly,” Austin said. Using MFA (and other security that your company chooses to adopt) should be built into existing security protocols, or added if it doesn’t already exist.

Cloud Tip #2: Patch your cloud environment regularly

Cloud systems require maintenance, although it is markedly different from on-premise care and maintenance.

“Now, there are a lot of things happening in the cloud that are a huge net benefit to you as a consumer, you as a company,” Austin said. “I’m a fan of the cloud, but users must be aware that the level of ‘care and feeding’ goes up more often than it goes down. There’s a strong consideration for outsourcing your cloud hosting.”

Remember our earlier methods of risk mitigation? Austin recommends finding the right vendor to whom you can hand-off data security responsibilities.

“Someone needs to be responsible for patching your cloud environment. If you partner with the right third-party, they will take on that particular responsibility, so that you don’t have to,” Austin said. Regular backups are essential to ensure business continuity should a breach occur.

Cloud Tip #3: Introduce multi-factor authentication (MFA)

Multi-factor authentication is one of the best ways to thwart cyber attacks.

Ransomware is one of the primary means cybercriminals use against businesses like construction. When it comes to protecting against ransomware, Austin recommends doing the following:

• Patch firewalls that host your VPN once a month
• MFA on all email accounts
• MFA on your VPN
• Identical local admin accounts
• Geo-filtering all internet traffic and emails

Of all of these measures, Austin dwells on MFA for VPNs, saying it is imperative: “It’s the closest thing to a silver bullet we have in the cybersecurity industry right now.”

While it’s never ideal to have to respond to ransomware, Austin suggests that most companies should have a pre-negotiated incident response team contracted so you have help if it happens.

Data defence and response advice

Enterprise companies with mature, experienced in-house incident response teams should consider the following:

• Offline backups

-Regularly test and monitor offline backups

-Understand and document the process to restore backups

• Have at least 35% free drive space on all network drives

-Some types of ransomware tools take up a lot of hard drive space. When the backup hard drive is full, the system will not be able to encrypt the data. So if you have very little free drive space and end up the victim of a ransomware incident, most of your data isn’t going to be recoverable even if you do pay the ransom.

• If you use an incident response company, make sure terms are pre-negotiated

-Agree on terms before the incident, because afterward you’ll have no leverage for contract negotiation

• Notify your insurance company as soon as the incident occurs

-Most notification requirements have very tight timelines, sometimes within 24 hours

Suss out your providers

“You need to choose your cloud providers wisely,” Austin said. “Some cloud providers take cybersecurity much more seriously than others. Make a list of your cloud providers so you understand who to call for which concern. And you need to have multi factor authentication on any administrator accounts that run your cloud services.”

Austin has four main recommendations when looking at cloud service providers:

1. Ensure Administrator accounts in the cloud are set up with MFA
2. Make a list of your cloud providers and share it with stakeholders
3. Discuss cloud security with your providers regularly
4. Choose your cloud providers wisely!

The role of IT has expanded significantly over the past few years, as construction technology expands. You’re probably already feeling the pressure to modernise but are too busy managing multiple, disconnected solutions. If you’re wanting to work with a connected construction solutions provider that treats your security as its own – come and chat to Viewpoint.