Leveraging Cybersecurity as a Market Advantage
By Patrick Nord, Paul Cormier, and Jay Snyder
Engineering and construction firms need every edge they can get in their competitive business environment. Let us provide context for the growing risk of cyberthreats and share stories of contractors who have successfully pursued cybersecurity as an advantage in their market.
Let us take a moment to understand the magnitude of the threat. By Accenture’s count, the total cost of cybercrime per company increased from $11.7 million in 2017 to $13 million in 2018—an increase of 12%. According to the Internet Crime Complaint Center (IC3), financial losses associated with cyberattacks reached $2.7 billion in 2018, with the most devastating threats including investment scams, business email compromises and romance fraud.
As the number and types of cyberattacks continue to proliferate worldwide, the impacts of these crimes are being felt by everyone from individual consumers to global corporations. Unlike five to 10 years ago, when most cyberattacks targeted large organizations, financial institutions and computer networks, cybercriminals now target smaller organizations in industries that wouldn’t have traditionally been on their radar. The emergence of cloud computing and the Internet of Things (IoT), notably, can unknowingly expose companies across all industries to threats that they didn’t worry about when their IT infrastructure was housed within their office. In this article, we will explore the key reasons E&C must pay attention to cybersecurity, advise which steps to take to establish a good cybersecurity front, and show how three different firms are practicing improved security measures as an advantage when positioning in their market.
The Threats Are Vast and Expanding
As mentioned, the hacking industry is vast, expanding, and growing at a ferocious pace. A veritable playground, the web provides resources, data, and information that are even used by hackers and other cybercriminals to set up research and development (R&D) departments. The threat is real, organized, incentivized, and adept at pouncing on low-hanging fruit.
Specific to E&C companies, the threat is exacerbated by the industry’s increased use of technology. Ten to 15 years ago, it wasn’t unusual to see companies running their businesses with only landline analog phones, paper forms (do you remember “Goldenrod”?), pencils, and an occasional spreadsheet (usually housed on a single computer hard drive). Except for “dumpster divers” seeking sensitive data that was disposed of without being shredded and the internal/employee threat, these methods were considered safe.
As E&C firms adopted enterprise solutions, cloud-based applications, mobile devices, and smartphones, this sense of security diminished. Concurrently, cybercriminals realized they didn’t need an elaborate plan to disrupt well-respected companies like Target, Yahoo! or Equifax; they could prey on smaller entities and their supply chain, which often neglect to maintain the most up-to-date cybersecurity infrastructures and policies. Industries already under direct attack, such as healthcare, energy/utilities, and state/local governments, to name just a few, now have a new avenue of vulnerability: E&C firms and the built environment’s supply chain.
From our perspective, E&C is particularly vulnerable to cybersecurity threats because of the industry’s general lack of awareness or a sense of urgency around this risk. Put simply, most E&C companies lack the experience needed to identify, prioritize, and mitigate cyber threats because, in the past, the risks weren’t prevalent, and cybersecurity experts weren’t focused on the industry. As a result, the typical construction firm’s IT staff provides support and expertise more along the lines of a “help desk”—a group that keeps employees online and that prepares technology equipment for deployment to the field. These folks are not trained on cybersecurity, nor do they have the resources they need to be able to identify and address these risks.
Here’s the good news: E&C firms that do make cybersecurity a priority have a definitive leg up on their competitors that choose to ignore it until a catastrophe occurs. By implementing policies, processes, and resources to address this issue, companies can position themselves as both forward-thinking and proactive. To illustrate the value of prioritizing cybersecurity for E&C firms, here are three stories about firms that were impacted by cyberthreats and turned these events into an opportunity to dramatically improve their business security and lower their risk, readying them to position cybersecurity as a market advantage.
As a starting point, by simply ensuring that all operating systems, software, and third-party applications are up to date and running on the latest software versions, E&C firms will have taken the first precautionary step needed to ward off the latest threats.
After falling prey to a Megacortex ransomware attack in 2019, one solar installer was left to sort out all its files—a process that took weeks to recover from. Originating through phishing emails, the attack was devastating for the firm. “All of our files were encrypted,” the company’s owner said. Fortunately, the firm had already completed a cybersecurity vulnerability assessment prior to the attack and was already starting to work on the items of the highest priority.
Since the attack, the company has been taking proactive steps to combat any future breaches.
“We’ve probably done 20 things already to make things better,” said the owner. For instance, it improved its password policy; refined its account accessibility privileges (limiting them only to those users who need access to certain accounts); and began using the Barracuda email filtering program.
The solar installer now also takes a more calculated approach to working with new business partners, knowing that its vulnerabilities are not limited to the space within its four walls. “We collaborate electronically and share sensitive data, so we want to work with partners that have good processes and programs in place,” the owner said. “We’ve invested in a sophisticated IT practice and we now have a road map that supports our digital transformation.”
The De Facto Standard
For one commercial contractor, combatting cyberthreats has meant disconnecting an employee’s laptop from the corporate network in order to address a ransomware or phishing threat (usually by reformatting the laptop). Fortunately, these quick moves have kept the company from experiencing an enterprise-wide cyberattack.
“We’ve had employees click on unsavory links or websites and inadvertently download ransomware,” said the company’s president.
To minimize these occurrences, the company has developed internal policies outlining how to react when there is a potential breach. First, it identifies the breach and where it originated from, then it figures out the impact. Finally, it notifies all responsible parties about the impact to its business units and works to remediate the breach.
Its president sees these procedures and processes as extremely important in today’s E&C environment. “Going forward, it’s going to be the de facto standard,” he said. “We’re all going to need to have stated—and understood—cybersecurity policies, systems, and services in place.”
If We Don’t Have a Good Answer, We Can’t Bid
For one large general contractor that works nationally, regular training, monitoring, awareness, and protocols ensure that attacks do not create major disruptions. “We had an ‘ethical’ hacker on our website just last week, asking for a bounty,” a company manager pointed out. “It’s not that unusual, but we have the systems in place to manage it.”
With about 17 active cybersecurity projects on its to-do list, the company hopes to tackle all of them within the next 18 months. Some of the initiatives include updating all equipment firmware and all software programs. The company also plans to take a “long hard look” at its password policy and how users are authenticated. “We’re also starting a phishing campaign,” the manager said, “where we do ‘fake’ phishing attempts that test our users.”
When asked whether its serious approach will give the general contractor a more competitive position in the marketplace, he said, “People want to know how we’re protecting information, and if we don’t have a good answer, we can’t bid.”
Employee training is also critical. All staff members should know not only how to handle sensitive data but also how to recognize potential threats (e.g., phishing emails) before they turn into major problems. This applies to everyone in the organization—from the CEO to the summer intern—all of whom must be on board and complying with the firm’s security policies.
Finally, these business and personnel best practices must be shared. Call it “Cybersecurity in the Workplace.” Fix the tools, address personal behavior, and require commitment from the supply chain. Prequalification criteria need to include cybersecurity.
What Goes Into a Good Cybersecurity Defense?
In January, the U.S. Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, which will require DoD contractors and subcontractors to obtain third-party certification of their cybersecurity maturity.
The DoD created the CMMC to combat malicious cyberattacks in the DoD’s supply chain, as such attacks threatened economic security and national security. We will likely see similar moves taken in the private sector—yet another reason why E&C firms need to shore up their cybersecurity approaches sooner rather than later.
Cybersecurity defenses have become competitive differentiators in the market. Fortunately, all contractors can employ measures to stand apart from their competition with clients. Examples of measures that significantly improve contractors’ posture and propel their reputation as a market leader in cybersecurity include:
- Multifactor Authentication: This is a security system that requires multiple different credentials before verifying a user’s identity.
- Mobile Device Management (MDM): Security software that contractors can use to monitor, manage, and secure the mobile devices used by employees.
- Good Cybersecurity Hygiene: Installing patches, running updates, enforcing password discipline, and employee training.
- Due Diligence of Third Parties: Your business partners’ cybersecurity measures directly impact your company. For example, general contractors (GCs) should always vet the cyber preparedness of the subcontractors they work with.
Getting a Leg Up
Whether instituting multifactor authentication, patching software systems, implementing mobile device management policies, or working with third-party cybersecurity consultancies, a growing number of E&C firms are now taking cybersecurity seriously and giving it priority. With cyberattacks inflicting catastrophic damage—and with states like California enacting new data protection laws—companies of all sizes should view cybersecurity not as a burden, but as a differentiator.
To get started, companies that want to improve their cybersecurity stance must first identify and understand their current vulnerabilities. They need to take a good, hard look at where they are, where they should be, and how to get there. An independent set of expert eyes can be invaluable at this point, as the vulnerabilities aren’t readily obvious to an untrained eye. It is critical to embrace these experts as part of the IT team and not create conflict between the current group and the specialty consultant.
Next, put a plan in place that includes training your team; completing a cybersecurity readiness assessment; and talking to team members, subcontractors, and business partners about the potential risks.
Today, as COVID-19 continues to disrupt business and everyday life, creating a new and uncertain operating environment, cybercriminals are working hard to turn the crisis into an opportunity. There has been a proliferation of malicious sites preying on individuals searching for information about the virus, seeking financial assistance from public and private programs, exploiting virtual meeting spaces, and invading corporate systems from work-from-home offices.
Interestingly, the best practices for addressing COVID-19 are the same actions needed to combat cybersecurity threats on a corporate level:
- Transparency – The more that is known, the better-prepared everyone can be.
- Testing – Baseline assessments are critical for knowing current vulnerabilities or uncovering existing breaches.
- Hygiene – Managing updates, patches, password protection and policies provides frontline defenses.
- Accountability – Hold the company fully accountable for its behavior and hold other businesses to the same standard.
As you work through these steps, keep in mind just how quickly a single cybersecurity incident can bring a company to its knees. For example, what would happen if your accounting system were hijacked for a week? Alternatively, what if sensitive client data was stolen by cybercriminals? These are painful and extremely expensive events that cause prolonged reputational damage, but proactive E&C firms can effectively avoid these negative impacts while also positioning themselves as cybersecurity-conscious organizations and teams in our connected world. Those that move quickly and succeed at establishing a strong program will not only meet projects’ growing cybersecurity requirements but also be poised and positioned as the benchmark clients use to assess the adequacy of others.