Blog > Best Practices 5 Cybersecurity Best Practices for Construction

Tuesday, Aug 20, 2019

BY: Dan Hoban

During our construction webinar on August 14, we discussed the challenges that current construction companies are facing today with cybersecurity, as well as the top three risks on a jobsite, such as people, productivity and network availability. Below are some key takeaways from our webinar that highlights five best practices that you can implement today to keep your construction site secure from today’s cyber threats!

1. Host employee awareness training

A lot of companies overlook this step, however, this is extremely important. In fact, 30 percent of reported security breaches were caused by human error. The vast majority of organizations say they are too busy and don’t necessarily see the value and they let it slip. Another huge group of folks say that they did it once or twice and then they forgot or again they let it slip. And I think the third challenge a lot of folks have is they just use the same training over and over again. So, they’re using the same power point time and time again. And it really loses its effectiveness. You need to have a formal security awareness program and you have to be clear with employees about their technology Acceptable Use, Acceptable Access or there should be written policies around this because a lot of folks just like to blame the person, but they don’t really understand they haven’t set that person with the proper policies procedures and training protocols.

2. Create and implement a security policy

I see that folks generally skip over this part. Sometimes it’s easy to go to the flashier thing and just start buying technology and looking at dashboards and that really kind of sets you up for failure in the long run because you don’t necessarily have that foundation or the framework that you need to use that technology. A good example is organizations that go out and get a SIEM tool and want visibility into the data, but more often than not, they’re set up for failure because the tool is very complex and hard to maintain. The other thing too, the output is alerts. And if you don’t know what to do with that alert or why it was generated, you’re generally behind the eight ball and you can’t make the most effective use of that technology. So, putting together policies that will allow you to better use those technologies. You also have a playbook and a procedure when that alert is issued you understand why and you know what to do.

3. Segment the networks

This goes back to a lot of the things that we mentioned earlier about the people aspect of things and maybe the uniqueness of the construction industry in the fact that there’s a lot of players coming and going in. So, the first thing that you should do to protect yourself maybe against third party BYOB is to segment your network. And it’s something that’s often overlooked because the construction job site network is generally pretty small, and it is pretty simplistic configurations are generally simple and it’s easy to let this piece slip.

Our recommendation is to use some other type of network segmentation to put your corporate assets on one side of the network. Cell phone guest access, you should put that on the other network. There are a few reasons. One, is the obvious security concern of folks accessing network or corporate owned network resources from the outside, but the other piece is that it makes monitoring a lot easier because you now know what your corporate assets are. You can baseline your activity a little bit more and you can better monitor for things that jump over that fence. A connection to the outside world from a corporate owned resource is easier to find if it’s segmented than if it’s just kind of jumbled in with a lot of other network or devices that are being added and dropped from the network on a daily basis.

4. Have an IT expert dedicated to security

A lot of folks especially in the construction industry have a smaller I.T. organization and they basically treat I.T. as security as a pet project. It’s something people do on the side. It’s a project that maybe they work on when they have time. Basically, they try to demote security to a hobby task and security is not a hobby. It’s a full-time thing. And the mistake that folks have is once they get busy which in the construction industry is all the time. You need to have one to two individual experts where security is their main focus need to understand security trends and threats. They should know how to prevent and mitigate threats on their network.

5. Monitor and respond to security events on your network 24x7x365

This is something that one person cannot do. The IT security expert that we discussed is responsible for managing the relationship and strategy with the security vendor who should be monitoring your network 24x7x365. You may need a partner or a team of experts monitoring and responding to events on your network around the clock.

And this is even more true in the construction industry because there’s a difference between the office which works a regular nine to five, than the job sites that are working in the middle of the night. So you need to have security experts that are monitoring their activity because frankly something could happen to the middle of the night that can impact that network and impact the job that’s happening and you can’t necessarily just wait till 9:00 in the morning to when your security folks show up.

If you’re interested in listening to the full webinar, click here!