A recent ransomware attack on Canadian contractor Bird Construction has once again highlighted the need for cybersecurity measures in the industry.
Canadian media reports late last month said that the Ontario-based government contracting company was the victim of an incident that resulted in the encryption of company files. The incident caused no major impacts and the affected files were quickly restored, a company spokesperson said.
Nevertheless, the issue raised red flags about national security interests because the contractor is a provider of construction services for major federal and provincial projects including defense facilities and police stations. In the U.S., the Department of Defense launched a Cybersecurity Maturity Model Certification program in January to help ensure contractors on government projects have the necessary cybersecurity practices in place to protect the controlled unclassified information to which they are privy.
In addition, experts say, other data such as employee social security numbers, building plans and construction time frames is easily exploitable and can have serious legal and/or financial ramifications for an organization. A head-in-the-sand approach to the possibility of cyberthreats is no longer prudent, they say.
Here, Johann Dettweiler, director of operations for Fairfax, Virginia-based compliance management firm TalaTek, talks about the importance of cybersecurity measures and what contractors can do to protect themselves.
CONSTRUCTION DIVE: Why is cybersecurity so important for construction companies?
JOHANN DETTWEILER: It’s important to note that cybersecurity is important for everyone from Fortune 500 companies to individuals working in a home office. One of the main reasons organizations don’t consider cybersecurity is they tend to think of their data as something other than a company asset. Construction companies in particular have a lot of physical assets from materials to vehicles to personnel that something as non-substantive as data can easily be overlooked as an asset to protect.
However, all data is an asset and should be protected. Whether it is the private data of an organization’s workforce, such as social security numbers or private human resources (HR) information or the company’s proprietary data, such as building plans or construction time frames, if this data were to be exploited, it could have serious legal and/or financial ramifications for an organization.
The idea of cybersecurity is taking the necessary steps and exercising due diligence and care to ensure data that is owned and processed by an organization is considered and necessary steps are taken to ensure some level of protection. The loss of either a client's or employee’s sensitive information could result in legal fees and/or punitive damages, as all entities that collect and process this data are required to exercise some form of measures to protect it from unauthorized disclosure. These types of damages are fairly easy to quantify and can hurt an organization’s bottom line.
There are also non-quantifiable damages that organizations can suffer, such as loss of client trust and competitive advantage. These types of damages are harder to put a price tag on, but definitely have a substantive impact on an organization’s overall profitability.
Do most of them take it seriously?
DETTWEILER: It’s not that most construction companies don’t take cybersecurity seriously. In today’s climate, given all of the constant news reports about breaches and data loss, every organization understands the importance of cybersecurity. However, cybersecurity is difficult and it adds to the cost of running an operation.
Most construction firms are so focused on the bottom line and the physical deliverables that many aren’t even aware of the various types of sensitive data they possess. A lot of leaders don’t understand their data has worth because it’s intangible and it doesn’t have a direct impact on a company’s profitability until there is a breach and then it may be too late to think about cybersecurity.
Cybersecurity also has a built-in Catch-22, in that when it’s done well and functioning as intended, nothing happens. It’s very hard for leaders to understand that implementing cybersecurity, and thus incurring those costs, before a breach happens will always be less costly than the alternative – incurring the legal and regulatory ramifications of a data breach.
To say cybersecurity is not taken seriously would be a misnomer. Decision makers of construction firms often don’t understand the value of their data, making it hard for them to make business decisions regarding the appropriate expenditures for cybersecurity protection.
What are the top three steps company leaders should take to protect themselves?
DETTWEILER: The most important step leaders should take is to evaluate their networks and understand what types of data are processed. They need to be aware of all the data on their network, and how much of that data is sensitive in nature and what needs to be protected. They also need to understand what types of legal and regulatory requirements are mandated to protect their data.
The second step leaders should take is to perform a risk assessment to understand the risks to their data. Leaders should know what risks they face with their networks and their data. By understanding these risks, leaders can make informed decisions regarding the levels of protection required to demonstrate they take security seriously and have implemented due diligence and care. These risks can stem from many areas, including regulatory requirements, insider threats, physical and environment factors and nation state attacks.
Finally, leaders need to be able to evaluate their personnel and the capabilities of their organization and reach out to security professionals if they are struggling to understand their needs and requirements. The cybersecurity realm is highly complex — there are many legal and regulatory requirements that leaders of organizations of all industries face and construction is no exception. Working with cybersecurity professionals can make navigating this realm much simpler and help to free up leaders and decision makers to focus on the profitability of the company and doing what they do best — construction.