It wasn’t all that long ago that data security was something that most of us took for granted. The idea of someone stealing your money, compromising your identity or hijacking your files was reserved to physical crimes like burglaries, muggings or larceny. However, as the world around us has digitized and we’re more reliant on technology for every aspect of our lives, data security has become a priority — both in our personal lives and in our businesses.
In a recent podcast on the topic with cybersecurity expert Bryce Austin, principal of TCE Strategy, he broke down some of the risks lurking in the shadows. “The internet has shrunk the world to the head of a pin, and as soon as you take a device – any device, be it one of these new Internet of Things smart speakers you put in your home, a new thermostat, a new piece of construction equipment, there are people on the internet that would like to do you harm or steal your money,” he said.
Austin shared what companies can do to protect themselves and why the cloud — when using the appropriate safeguards — can provide companies with more peace of mind.
The New Norm
The positives of the world being shrunk down for us — expanded access to the world, communication, information-sharing, virtual experiences and real-time business, business and commerce — far outweigh the negatives, Austin said. However, the new connectivity we have with the world also means more access that nefarious actors have to you and/or the places you work. And if we let our guard down or allow unprotected pathways to unwanted interactions, we run the risk of being taken advantage of.
And for cyber criminals it’s big business. In 2018, $1.5 trillion was lost in cybersecurity expenses, in extortion or theft from hacks or lost productivity as a result of breaches, Austin noted. He pointed to estimates by Forbes magazine that the next three to five years could see losses exceed $6 trillion. And prosecuting these crimes is difficult since they often are initiated from nations with little to no recourse or in some cases, directed by government agencies as political maneuvers.
Some recent high-profile cases of these cyber-security breaches that caused damage to businesses (and people) include the recent Equifax breach that compromised the personal information of more than 143 million Americans, the hack of Sony’s data following the release of the controversial comedy, “The Interview,” which angered North Korean officials for its portrayal of an assassination attempt of leader Kim Jong-un, and a hack of multiple companies that did business with Ukraine (allegedly by Russian agents). In the latter example, one of the Ukraine’s online applications companies that is used to pay taxes in Ukraine was hacked. Large corporations like shipping company Maersk, pharmaceutical provider Merck and law firm DLA Piper were among those affected.
Contractors that rely on heaps of data to facilitate complex construction projects are among the many businesses that can often be targets of cyber criminals. Multiple projects, using many different applications and hundreds, if not thousands of workers entering data can provide plenty of potential doors of opportunity for cyber criminals to knock on. So, how do contractors ensure these doors stay locked? Austin said protection begins with knowing what the tactics are.
Three Common Threats
Here is a look a three common cybersecurity threats Austin noted in the podcast:
Ransomware: In this attack, a breach occurs when you or someone at your organization clicks on a link or file in an email, or hackers are able to crack your password. Once they’re in, they unleash a program that essentially hijacks your computer and data until you agree to pay a fee. Austin said he has worked with companies that were put in difficult positions where their operations are effectively shut down and they have to decide whether to remain closed or pay the ransom – sometimes in excess of $100,000.
Phishing: By far the most widely used, phishing is essentially looking for people or habits that criminals can take advantage of. In these cases, victims might get an email, text or even call alerting them of a reported virus, locked account or other “problem” with a software application or credit card they use. Many times, these attempts will target folks that don’t even use the application, device or account in question — hence the phishing designation. The offenders request access to a system, ask for a card number or other personal information, or try and get the victim to visit a site where they can skim their data. Of course, it’s not true, and most legitimate providers and retailers rely on more legitimate ways to alert users of problems, but many folks fall for this anyway. In other cases, someone will call an elderly person and tell them their son or daughter has been injured or imprisoned and need an immediate $5,000 or $10,000 to help them out and ask for the money online or via wire transfers.
Austin notes there is a new approach called “spear-phishing” which is much more targeted, where scammers do online research to build a profile to use to make the scam more believable. They may also appeal to folks’ likes and interests by offering up bogus special deals (front row tickets to concerts of folks’ favorite bands, exclusive peaks of movies, etc.) to get people to share information or credit card numbers.
Wire Transfers: Wire transfers are another area that have given thieves access to companies and individuals. And it’s one that has particular interest in construction, where multiple bills, invoices and payments permeate the daily work. In these scams, criminals might send phony invoices or call requesting immediate payment for items in order to avoid default. Once the money is transferred, it’s gone forever (and thieves could have a new back door into your payment processes). Austin strongly recommended a policy where wire transfers are forbidden without a specific phone call being made to someone you are on a first-name basis with to authorize it. No emails — ever to authorize wire transfers or change bank account numbers.
Protecting Yourself and the Company
Thankfully, there are solid ways to protect against these threats. Most companies doing legitimate business have safeguards in place to protect its clients from cybersecurity hacks and legions of cybersecurity experts are further helping companies by staying on top of the latest schemes and exposing weaknesses in organizations before the criminals do.
With most businesses moving to the cloud — including leading construction companies — the weaknesses of yesterday have been replaced with stronger security and protective measures that generally make storing of data and working in the cloud safer than with on-premise software, manual processes like pen and paper and hardware that consistently needs updating. These ways of working are actually more vulnerable and perhaps less monitored than they were previously, leaving the door open for older, but proven means of exploitation. Austin notes that as long as there are strong security measures and proper web-use strategies in place, the cloud can be a huge benefit for companies. Just make sure the software and technology vendors you’re using in the cloud are providing the same levels of high security on their end as well.
Watch this on demand webinar on mobile device and cybersecurity management: Best Practices for a Smart BYOD Strategy.
So, what are some of the steps contractors can take to maximize their cybersecurity efforts? Here’s a look at some keys:
- Deploy Multifactor Authentication — Wherever you can, put multifactor authentication in place where multiple steps or devices are needed when logging in from new devices—this makes it significantly harder for cybercriminals to get into your systems and the odds are most will move on to the next target.
- Demand strong usernames and passwords — The more complex the usernames and passwords are, the harder they’ll be for scammers to figure out. And, require passwords be changed routinely so that it makes it even tougher.
- Backup Files — Austin suggests people and companies back up their files in multiple places. Having files accessible in the cloud is essential should local devices or servers go down, but the opposite is also true. If there is a breach with a cloud provider or something goes wrong, have critical files routinely backed up on devices like flash drives, external hard drives or servers.
- Provide Consistent Training and Updates — One of the biggest issues is that most people don’t know about new threats until they’re affected by them. Austin noted each company should have at least one designated person to stay on top of the latest threats and train employees thoroughly on how to spot and avoid them.
“In the construction industry, I don’t see as many companies taking advantage of cybersecurity expertise or seeking outside training or help,” Austin said. “I’d like to encourage companies to consider having a cybersecurity coach and a technology coach to be successful in this space because it is a complex, ever-changing landscape.”