Cybersecurity for the Construction Industry

Warren Buffett, Chairman and CEO of Berkshire Hathaway, issued his annual letter to shareholders at the end of February. He included one dire warning about a threat over which he admits he has no control: “That threat to Berkshire is also the major threat our citizenry faces: a ‘successful’ (as defined by the aggressor) cyber, biological, nuclear or chemical attack on the United States. That is a risk Berkshire shares with all of American business.”

A cyberattack, and cybersecurity measures aimed at fending off, mitigating, and responding to an attack, should not be a concern just for Fortune 500 companies, health care providers, retailers that handle consumer information, and financial institutions. Every business, including contractors, architects, suppliers, and others in the construction industry, must be aware of and take measures to address cybersecurity.

The cyberattacks that most often make the news involve hacks that expose personal information of customers like credit card and bank account information. However, potential victims of cyberattacks include any business connected to the internet. In fact, contractors have a wide array of information that would be attractive to cyber-criminals, including:

• Employee information. Your systems have payroll and other personal financial information of employees. With exposure of that information, the employer has obligations under state and federal law to inform the affected personnel.
• Construction data. This data can include owner’s plans and specifications, Davis-Bacon Act data which will include subcontractor employee data, and other confidential or proprietary data of the owner, designer, or a supplier. You may have a contractual obligation to keep that data secure. In addition, construction plans may include security system information, which can be used for a later, more traditional attack on the physical assets of the business.
• Valuable company data. Your systems likely have various intellectual property, trade secrets, company financial information, and other confidential company data that could be used by a competitor.

Cyberattacks are unpredictable and take many forms, ranging from email “phishing” schemes to sophisticated hacking or denial of service attacks. However, planning for cybersecurity can mitigate the threat. Taking the following steps will help to stave off or stop the attack and guide the response:

• Establish Incident Response Plans. Prepare a plan for responding to an incident. The plan should address both stopping an ongoing attack, securing data from further breach, and notification procedures for personnel or partners whose data was compromised.
• Define Key Responders. The personnel tasked with responding to the attack must know their role and action steps. While identifying a team leader is essential, the leader needs to be able to rely on other previously identified personnel to assist.
• Establish Lines of Communication. In responding to a cyberattack and its aftermath, communication is key. Communication has both internal and external elements. Internally, employees and department heads must know when a situation needs to be escalated and to whom the report must be made for the best response. Externally, the company must establish lines of communication in the initial response when it identifies a breach (to network providers, outsourced IT personnel, banks, and law firms), and in follow-up response (to government regulators and affected internal or outside personnel).
• Ready and Train Employees. All employees should receive training, at the appropriate level, on how to respond and lines of communication. Internal IT personnel may receive detailed training about the latest cybersecurity measures and programs. Management may receive training from law firms and law enforcement about threats and legal remedies. All personnel should receive training on the “simple” points: password security, being wary of opening attachments to email from unknown or unlikely sources, and being able to spot a phishing email.

Ultimately, responding to a cyberattack can be a daunting process that will involve a concerted response from a team of management, employees, and likely outside professionals. Planning for an attack (even up to running a simulated attack) and identifying the team that will respond may not prevent an attack or breach, but will pay dividends in mitigating the damage. But, the first step requires that the construction industry realize that it has the same vulnerability as any other industry.