OP-ED: Cybersecurity risks and best practices for construction firms

November 2018

Kristen G. Hilton, CIPP/US
Published in the Daily Journal of Commerce, Oregon November 2018

Businesses of all sizes and in all industries are increasingly more connected and reliant on technology. This includes the construction industry. Contractors and other industry professionals are doing more of their work online or on programs with internet-connected capabilities, which make them more vulnerable to data breaches than ever before. Construction professionals who understand cybersecurity risks and the best practices to reduce those risks will be better able to protect themselves, their business relationships and their bottom lines.

Construction businesses possess or have access to high volumes of information stored electronically. These businesses also tend to be smaller, with less resources devoted to cybersecurity. Additionally, much of the work takes place off-site and, increasingly, via mobile devices. These factors make the construction industry particularly vulnerable to cyberattacks.

The types of valuable personal, confidential and proprietary information collected by construction firms include:

Personal information

Employee information could include social security numbers, bank accounts for payroll and health care information. Also, employee tax information and W-2 forms are a favorite target of hackers.

Proprietary business information

This includes architectural designs created by the business, confidential contracts, project/bid data, and the firm's own intellectual property.

Confidential client / customer information

Nonpublic drawings and building plans can include locations of secure areas. This information also could be drone videos that have digital images and maps of a site. Construction firms may have important data about ongoing and completed projects, including critical infrastructure facilities such as hospitals and government buildings. Seemingly innocuous information such as schedules of when homeowners will be out of town could also be subject to exploitation.

Financial information

This includes bank information and data belonging to the business. These are popular targets of hackers who spoof emails to look like they are from management, in which they request emergency wire transfers. The firm likely also has banking information for subcontractors, vendors and clients, all of which need to be secured.

Hackers may target construction firms that work on high-profile projects because they are interested in corporate espionage. In those situations, a business may experience a data breach without knowing it and without any immediate impact on its own operations.

Construction firms are also likely to be targeted by DDoS (distributed denial of service) attacks or ransomware. In a DDoS attack, a computer server is intentionally overloaded with requests until it shuts down the target's website or network system. Ransomware is a type of malware that locks a user out of his or her machine or network and demands money in exchange for access to data. In 2017, a server used by USA Hoist Company Inc. to host vendor and employee information experienced a ransomware attack. As a result, the company lost access to data and had to go through an onerous and expensive data breach notification process.

With all of this in mind, consider the following steps to build a more secure business.

Know what data one's business has, where it is stored and who can access it

Oregon law requires that businesses take reasonable safeguards to protect the security, confidentiality and integrity of personal information. Customer payment information should be accessible only to designated personnel. Likewise, employee social security numbers and tax and health information should be stored separately from the main network. If a job is for a high-profile client, consider restricting file permissions and using a code name for that project. Also, if data is shared with subcontractors or other vendors, execute hold harmless agreements to provide protections should those entities experience a data breach.

Add protections and take precautions

Having the latest security software, web browser and operating system is vital. Ensure software updates are installed on computers in the office and on all laptops, tablets and cellphones used for work. Confirm that the operating system's firewall is enabled and up-to-date. If there is no in-house IT personnel, hire an expert to review the network and systems and make recommended changes.

Because most work is done remotely from job sites, special attention needs to be paid to mobile device security. Avoid unsecured, free, public Wi-Fi; instead, invest in unlimited data plans to stay connected. If public Wi-Fi is the only option, use virtual private networks (VPN) to access the company network remotely. Use encrypted messaging, such as the encrypted chat app Signal, to exchange information about a project, such as building plans or reports. Make sure any information obtained via text is transferred to the company network (or other designated location) and then deleted from the mobile device.

Train employees

According to the 2018 Verizon Data Breach Investigation Report, 92.4 percent of malware is delivered via email. Employees should be trained on how to identify and report scam emails. They should also know that all email requests for payment or for sensitive documents (such as W-2 forms) must be confirmed in person or over the phone. Train upon hiring and then give yearly refreshers.

Prepare for the worst

It's not a matter of if a cyber incident will occur, but when and how much it will cost. Every business needs an Incident Response Plan that sets out what to do in the event of a data breach, including steps to comply with Oregon's data breach notification law. The Incident Response Plan should designate an internal point person or team, and specify a protocol for employees to follow if they experience any cyber incident. Copies of the Incident Response Plan should be printed out and easily accessible, and the plan should be updated annually.

Construction businesses should also consider a backup and disaster recovery solution for data stored locally. If a ransomware attack occurs in the middle of a construction project, the impacts could be devastating. The ability to recover files quickly through an off-site backup will minimize interruption.

Consider cyber insurance

Some insurance companies have created products designed specifically for the construction industry. Cyber insurance coverage in limited amounts may be obtained for as little as $1,500 per year for smaller businesses. Insurance may not cover all costs associated with a cyber incident, but it will defray some expenses.

Kristen Hilton is a partner at Sussman Shank LLP and a Certified Information Privacy Professional for the U.S. (CIPP/US). She focuses on complex civil litigation and employment matters. Contact her at 503-243-1654 or khilton@sussmanshank.com.

Associated File: DJC Cybersecurity Article - November 2018

Related Practice Areas


Return to Articles