Securing Information in the Construction Industry
August 27, 2021
By Sebastian Barthelmess
Now is the time to tighten up your security and lock down your environments. The construction industry has historically put more focus on securing physical assets than securing digital assets. But the focus on cyber security in the construction industry is rapidly growing.
According to the Kroll Global Fraud and Risk report, the construction industry was hit hard last year by leaks of internal information, with “45 percent of firms reporting significant effects within the last year”.
Impact on AEC Firms
Construction firms have a lot to lose. Cyber criminals can wreak havoc by stealing intellectual property, including design work. They can also compromise equipment security and safety on the job site, bringing construction to a screeching halt.
The Covid-19 pandemic has also impacted security in the construction industry. Many AEC firms have shifted to a remote workforce, causing IT departments to scramble to enable remote access to servers, systems, and applications. It's much harder to control security outside of the company Virtual Private Network (VPN). Employees are also using personal devices from home, which introduces more risk.
A recent article published by CyberTalk.org presented an interesting twist on attacks targeting the construction industry. Because construction firms frequently operate on a predictable schedule, ransomware attack groups can calculate the best times at which to launch an attack.
The Statistics are Staggering
Ransomware attacks have skyrocketed over the past year. The FBI defines ransomware as a form of malicious software that targets critical data and systems for the purpose of extortion. The attacker then demands a ransom payment to get the information back.
Recent examples of ransomware attacks have been all over the news including the Colonial Pipeline in late April 2021. Attackers struck again in May against one of the largest meat processing companies in the world, JBS Foods.
- Ransomware attacks up 62% last year (304 million attacks in 2020).
- In 2021 alone, 68.5% of businesses were victimized by ransomware.
- Attacks on IoT devices tripled in the first half of 2019.
- Microsoft IIS and Remote Desktop Protocol (RDP) servers singled out in attacks. Kaspersky reported 377.5 million brute-force attacks targeting RDP (up almost 10x in some countries!).
- Phishing attacks account for 80% of reported security incidents and ransomware attacks.
I am not going to take on the Cloud vs on-premise argument today - that's a topic for a future blog! But these breaches do affect both environments. The complexity and sophistication of the threats and attackers have become increasingly advanced and refined. All companies need to take a firm stance on security and prepare themselves.
These statistics highlight that the threat is real and it is not going away any time soon. The good news is that there are steps you can take now to minimize risks and avoid becoming another statistic!
What You Can Do to Protect Your Information
The FBI has released some basic guidance in their report "How to Protect Your Networks from Ransomware". Here's a brief rundown:
- Expire and roll your passwords - define some minimum requirements for length and complexity – remember that a long phrase is exponentially harder to crack but easier to remember than a short cryptic password.
- Back up your data - make a Disaster Recovery plan. Order some inexpensive Network Attached Storage (NAS) drives if you are budget constrained. This is a great habit to form anyway, but trust me, if you get hit with ransomware – this is your ONLY defense to get back your data on your own and without negotiations.
- Update ALL your software - yes, this means your operating systems, server applications, desktop applications, AND mobile apps. Although this can be disruptive and time-consuming, a large percentage of software patches and updates are security related. CSO Magazine cites that 60% of breaches could have been avoided if software patches were installed.
- Enable Two-Factor (2FA) / Multi-Factor (MFA) authentication - this is SO important. It helps protect against even a poor password by adding an extra check of “is it really you” – you are adding significant protection to your accounts.
- Shut down external RDP, and use alternatives like Windows Virtual Desktop or VPN. NOTE: If you need cross-platform access or something faster, there are newer protocols like NX or Fluid which can purportedly run at 60 fps using a fraction of the bandwidth of VNC or RDP.
In addition to FBI guidance, there are also common-sense actions that your firm can take. Educating employees on best practices for handling email is key. Training employees not to open emails, or click links, from anyone they do not know or from someone they would not normally receive email from is a starting point.
What is NEWFORMA Doing About Security?
Newforma takes security seriously and we have a dedicated team focused solely on that purpose. We take a holistic, system-wide approach beginning with our employees and processes, right down to the source control and individual lines of code in both our on-premises and cloud products.
Newforma Project Center users should lock down their Newforma Info Exchange environment – there is no disadvantage to doing so! It will get you to Federal-compliant security levels with just a few steps. But don’t worry if you get in over your head or don’t feel comfortable with the configuration. Reach out to our services team and they can walk you through the process or apply the changes for you.
A great way to begin tightening your security is by following our Security Best Practices for customers via our extensive Knowledge Base located on Newforma's Customer Community.