By Hassan Khan and Carl Oliveri of Grassi
Originally published September 30, 2024

Every day we hear about another malicious hack in which perpetrators use brute force tactics to attack the construction industry. What makes the construction industry more vulnerable is that a contractor’s office does not end at four walls; it is those four walls plus job sites. And it is very rare that there is only one contractor on a job site at a time, which creates another level of complexity when discussing cyber security protocols for the construction industry.

The construction industry must deploy a multi-faceted approach to mitigate brute force attacks, among other schemes. Here are some effective strategies:

Internal Cyber Security Protocols:

  • Regularly review and update company-wide cyber security protocols.
  • Conduct regular cybersecurity training sessions to educate employees about common threats like phishing and social engineering.
  • Promote a culture of security awareness, encouraging employees to report suspicious activities.

Data Governance and Security:

  • Categorize data based on sensitivity and prioritize protecting the most valuable information.
  • Encrypt sensitive data in transit and at rest to protect it from unauthorized access.
  • Implement strict data-sharing protocols on projects to ensure secure communication and data transfer.

Access Management:

  • Implement strict access controls to ensure that only authorized personnel have access to sensitive information and systems.
  • Use multi-factor authentication (MFA) to add an extra layer of security.
  • Use privileged access management to limit access to sensitive data.

Regular Software Updates and Patching:

  • Keep all software, including operating systems and applications, up to date with the latest security patches.
  • Regularly review and update security protocols to address new vulnerabilities.

Network Security:

  • To protect the network from unauthorized access, implement firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
  • Segment the network to limit the spread of malware and other threats.

Vendor and Supply Chain Security:

  • Assess the cybersecurity practices of vendors and contractors to ensure they meet your security standards.
  • Include cybersecurity requirements in contracts and regularly audit third-party security measures.

Backup and Recovery:

  • Regularly back up critical data and systems to ensure they can be restored during a cyber incident.
  • Test backup and recovery procedures to ensure they work effectively.

Cybersecurity Culture:

  • Foster a cybersecurity-aware culture across the organization.
  • Encourage employees to report suspicious activities and potential threats.

Partnership with Cybersecurity Experts:

  • Collaborate with cybersecurity experts to enhance systems, firewalls, and access points.
  • Conduct thorough risk assessments to identify and mitigate vulnerabilities.

Incident Response Plan:

  • Develop and maintain a comprehensive incident response plan to quickly address and mitigate the impact of cyber incidents.
  • Conduct regular drills and simulations to prepare the team for potential cyberattacks.

Cyber Insurance:

  • Consider investing in cyber insurance to help mitigate financial losses in a cyberattack.

By implementing these strategies, construction companies can significantly reduce their exposure to cyber risks and enhance their overall cybersecurity posture.

 

Hassan Khan is a Technology Consulting Partner at Grassi where he leads the Technology Advisory Practice. His practice areas include implementation of technology risk management frameworks, development of tailored regulatory compliance frameworks focused on GDPR, CCPA, GLBA, PCI, HIPAA and FERPA, IT platform/systems/infrastructure review, product strategy and innovation, as well as IT due diligence and crisis management. He can be reached at hkhan@grassiadvisors.com or 212.223.5021.

Carl Oliveri is the Construction Practice Leader and a partner at Grassi. He possesses over 25 years of experience advising owners and executives within the construction industry, particularly with regard to project-centric and companywide financial modeling, operational strategy development, financial statement attest services and income tax method analysis. Oliveri is a participant on the NASBP CPA Advisory Council. He can be reached at coliveri@grassiadvisors.com or 212.223.5047.

Publish Date: October 22, 2024
Audience: Agents, Contractors, Sureties
Post Type: Blog Article