How Construction Companies Can Improve Their Cyber Defenses
Small and midsized construction companies sometimes feel that because so much of their work takes place on the worksite, away from computers, cybersecurity doesn’t need to be a top priority. Instead, they rely on their size and relatively low profile to keep them safe. This is a cybersecurity strategy known as “security through obscurity.”
Decision makers in construction are surprised when we tell them that their industry is one of the top 4 most targeted by cyber criminals, right after healthcare, financial services, and technology firms.
The reason is that even small construction companies retain all sorts of valuable data, from sensitive blueprints and schematics to customer billing information, invoicing data, supply chain information, building security information, and much more.
Based on our 20 years helping construction companies, here are a few easy steps construction companies can take to stop cyber criminals.
Deploy Multi-Factor Authentication Across Your Entire Network
Multi-factor authentication (MFA) is one of the strongest security controls that a business can implement. In case you haven’t heard of it yet, multi-factor authentication is when you replace a simple password with two (or more) forms of proof (authentication) to verify a user’s access. Sending a temporary one-time password or code to a user’s cellphone is the most common type of MFA.
According to Microsoft, the simple act of implementing two-factor authentication can prevent up to 99% of cybersecurity attacks.
Start Your MFA Journey with Microsoft 365
It’s always best to start an MFA migration with a single application, rather than trying to implement it across an entire network at one time. Starting small helps you get your staff used to the new sign-in process, control costs, and find any issues that would hinder a wider roll-out.
Microsoft 365 is the most popular productivity suite in the country, with over 800,000 businesses and millions of active users in the USA. That makes it a great place to start your MFA deployment. Better still, getting started with MFA on Microsoft is relatively straightforward. If you have in-house IT expertise, a good place to start is with these online instructions from Microsoft.
Choose Your Second Factor Carefully
The second factor you want to employ across your network is an important decision that will have a lasting security impact.
Most businesses are familiar with one-time passwords sent to a cellular device. This is the lowest cost and most convenient form of MFA, though in some construction scenarios it may not be practical to have staff checking their cell phones to log in to a network. Hardware MFA, like fobs and USB sticks, is far more secure, though it is probably only useful on critical infrastructure. Biometric information, like fingerprints and voice activation, is also slowly becoming more popular.
Beware of Deprecated or Legacy Protocols
MFA is about as close to a silver bullet for cybersecurity as any business is going to get, but that doesn’t mean it’s 100% effective. Cyber criminals have adapted to the widespread deployment of MFA and have found sneaky ways to subvert it by leveraging legacy email protocols such as IMAP4, POP3, or SMTP. Those legacy protocols were not designed with MFA in mind and often don’t support MFA, exposing them to attackers.
While Microsoft has known about this issue for many years and taken recent steps to disable these legacy authentication protocols, you should have your security team check to make sure they won’t undermine your MFA solution.
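One way to run that check, shown as an added example that is not from the original article or from Microsoft: scan exported sign-in records for logins that arrived over the legacy protocols named above. It assumes records shaped like the Microsoft Graph signIn resource (fields `userPrincipalName`, `clientAppUsed`, `status.errorCode`); the sample records and function names are constructed for illustration.

```python
from collections import defaultdict

# Client labels for the legacy mail protocols named above. Assumption: the
# export uses the Microsoft Graph signIn shape, where "clientAppUsed" holds
# values such as "IMAP4", "POP3" and "Authenticated SMTP".
LEGACY_CLIENTS = {"imap4", "pop3", "smtp", "authenticated smtp"}

# Constructed sample records (not real log data).
SAMPLE_RECORDS = [
    {"userPrincipalName": "estimator@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "estimator@example.com", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
    {"userPrincipalName": "pm@example.com", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "payroll@example.com", "clientAppUsed": "POP3", "status": {"errorCode": 50126}},
    {"userPrincipalName": "site-scanner@example.com", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
]

def legacy_auth_findings(records):
    """Summarise legacy-protocol sign-ins per user.

    Returns {user: {"succeeded": n, "failed": n, "protocols": [...]}}.
    """
    findings = defaultdict(lambda: {"succeeded": 0, "failed": 0, "protocols": set()})
    for rec in records:
        client = (rec.get("clientAppUsed") or "").strip()
        if client.lower() not in LEGACY_CLIENTS:
            continue  # modern clients can be challenged for a second factor
        user = (rec.get("userPrincipalName") or "unknown").lower()
        # errorCode 0 marks a successful sign-in; anything else is a failure.
        ok = (rec.get("status") or {}).get("errorCode") == 0
        findings[user]["succeeded" if ok else "failed"] += 1
        findings[user]["protocols"].add(client)
    return {u: {**e, "protocols": sorted(e["protocols"])} for u, e in findings.items()}

def accounts_bypassing_mfa(records):
    """Users who completed at least one sign-in over a legacy protocol."""
    return sorted(u for u, e in legacy_auth_findings(records).items() if e["succeeded"])

if __name__ == "__main__":
    for user, e in sorted(legacy_auth_findings(SAMPLE_RECORDS).items()):
        print(f"{user}: {e['succeeded']} succeeded, {e['failed']} failed via {', '.join(e['protocols'])}")
    print("Review first:", accounts_bypassing_mfa(SAMPLE_RECORDS))
```

Accounts with successful legacy sign-ins are the ones to move to modern authentication first; repeated failures on a legacy protocol show the endpoint is still reachable and worth disabling.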
Secure Information and Operational Technology Separately
Most people use the term information technology (IT) as an umbrella term for all technology. The truth is it doesn’t accurately describe the technology that construction companies use in their daily work. Allow us to clarify.
- Information Technology
These systems, which include servers, PCs, and laptops, process data and control the flow of information in your company.
- Operational Technology
These systems monitor events and processes, and instruct the machines that drive physical processes at your jobsite.
Operational technology is an important part of the “digital transformation” and “industry 4.0” models that are helping companies simplify management and operations while boosting the efficiency of staff working onsite. Both these trends have accelerated at rapid speed over the last decade and will expand at a compound annual growth rate of 6.5% from 2022 to 2027.
This distinction is important because operational technology also has very different security needs than information technology. In the past, we’ve explored how to secure building control systems, a popular form of operational technology in the construction and commercial real estate industry.
Here are some of the guidelines for keeping your operational technology as safe as your IT.
Create a Map of Your Network
Construction companies should start to see that all their IT vulnerabilities, known in aggregate as an “attack surface,” include not just IT, but also their OT, mobile devices, and cloud computing applications. Building a model to document the entire network helps you define rules and configurations to secure OT, then ensure those protections are maintained properly.
Patch and Update Firmware Regularly
Construction companies sometimes grow risk averse when it comes to their equipment and technology. If a system or process is working fine, then there’s no need to rock the boat, right? When it comes to security, it’s important that you be willing to take devices offline from time to time for routine checkups and maintenance.
Deploy Next-Generation Threat Detection
Traditional antivirus software works by looking for recognized malware patterns in incoming files. Businesses that want reliable cybersecurity readiness shouldn’t rely on these systems, like Malwarebytes and Windows Defender. Next-generation antivirus uses artificial intelligence and behavioral analysis not just to find known threats, but to identify and isolate suspicious programs and behavior.
Security Camera Maintenance
Strong physical security is an important aspect of any jobsite. While security camera maintenance might not seem like a top priority, modern camera systems are connected to the Internet (and exposed to harsh weather conditions), which makes them a popular target for hackers.
As Internet of Things (IoT) devices become more mainstream in the construction industry, now is the time to start thinking about security holistically. Every endpoint, from cell phones and PCs to the digital controllers in your construction equipment, is a potential entry point for cyber criminals. To keep your business safe, you should start treating them as such.
20 Years of IT Services for Ohio’s Construction Industry
We help construction companies in Columbus, Cleveland, Cincinnati, and other areas of Ohio get a decisive grip on their cybersecurity needs. If you want stable, secure technology that helps your firm build more efficiently, reach out any time. We look forward to speaking with you!