It seems that hardly a day goes by without a cyberattack making headlines. And if you think your company isn’t a likely target, think again. Increasing reliance on cloud computing and mobile devices makes the construction industry particularly vulnerable to data breaches.
Consider the many ways construction companies are using the Internet today:
- Cloud computing to provide remote access to payroll, billing, estimating, procurement, scheduling and project management systems,
- Ability to view and edit plans, specifications and other construction data online, and
- GPS tracking systems to prevent theft and monitor usage of equipment, vehicles and other valuable assets.
While such Internet use increases efficiency and collaboration, it also increases cybersecurity risks. Hackers who gain access to these systems may be able to steal sensitive company or employee financial information. Or they might obtain valuable competitive intelligence.
They may also have the ability to interfere with a contractor’s operations or even endanger the safety of people on-site by destroying data, altering plans or accessing a building’s security systems. Some GPS systems allow users to shut off vehicles or equipment remotely or otherwise tamper with their operation.
Prevention is key
To prevent cyberattacks and mitigate the impact of any breaches that do occur, construction companies should have a strong cybersecurity program. The steps for implementing such a program are:
- Take inventory of your network, systems, hardware, software and data, identify connection points and map out the flow of data.
- Conduct a risk assessment to pinpoint areas of vulnerability, including any bring-your-own-device (BYOD) policies and any third parties (such as vendors or service providers) with access to your network.
- Implement internal controls and protections, such as strong passwords and other authentication procedures, encryption, firewalls, limited physical access to hardware, and segregation of duties.
- Develop an incident response plan that establishes communication protocols and details the roles and responsibilities of management, employees and outside consultants in the event of a breach.
- Provide training to everyone who has access to the company’s information systems, handles sensitive information or plays a role in the company’s incident response plan.
Once you’ve implemented your program, you’re not finished. You must constantly monitor your information systems for unusual activity using antivirus and antimalware software, intrusion prevention systems and other measures to ensure that breaches are detected as quickly as possible.
Closing the gaps
The level of cybersecurity you need depends on your company’s particular risk profile. An IT consultant can help by examining your information systems and identifying any potential security gaps.