Construction currently stands as a leading industry for cyber security, according to a SecurityScorecard Report. While that may come as some surprise, the answer is that it’s currently not considered a terribly lucrative market for cyber criminals. In the next several years, we can expect this figure to change dramatically. Construction companies are increasingly adopting technology solutions to increase productivity and stretch margins, and as that dependence on technological solutions increases so will the target vectors. Despite the risk, technological adoption is a necessary step to remain competitive.
What can firms do to mitigate that risk?
First, firms must be willing to make the necessary IT personnel investments. Returns are not gained without initial investment. IT staff, however small, must exist so that IT-related work can be a priority. With the introduction of technological assets to a company, their management becomes an important task. Consider things like iPads, field AR and VR devices and laptops. These various devices could have access to project management data, financial data, and personnel data. IT staff must ensure these devices are tracked and updated. If a firm doesn’t have IT staff to think about managing risk by inventorying devices and requiring passwords, imagine what an attacker could gain access to by finding a company iPad with a passcode of “1234” left on a job site or airplane. All parties in the firm have their priorities, and IT needs theirs to be the proactive, not reactive, management of company assets to mitigate risk.
What is the profile of an attacker?
Attackers are a bit of an enigma until the potential profiles are hypothesized. Consider for a second, that a competitor finds that iPad, notices recognizable construction-related apps, and curiously gains access to project lists, sub lists, and project financials. In less admirable hands, that information could fuel competitive action. The weakest link however, often comes from within the company. At a certain scale of company, regardless of how strong in values and culture a company may be, disgruntled employees are inevitable. If an IT staff doesn’t manage things like proper access to resources, it wouldn’t be terribly difficult for a slightly tech-educated employee to completely disrupt a firm’s digital operations by deleting project data or modifying data to corrupt processes. Imagine if an estimating employee was able to delete all estimating files for a department, or a BIM modeler could delete all BIM models for a project?
What can firms do to educate employees?
In addition to the proper investment in IT resources, firms need to educate their employees on proper security. Employees need to understand the impacts of sharing. For example, making a Box folder with a BIM model public, would allow easier access by other departments, but if the project is a secure government project, the BIM model could then show up in Google results. Also, consider something as simple as passwords. Perhaps staff has gained the notion that creating passwords by mixing letters and numbers, for example, is more secure – something like “P4SSW0RD”? While this is harder for a human to guess, it’s still quite easily solved by a computer, randomly guessing passwords at a very fast rate.
(This comic by XKCD, infamous in the technology community, aptly describes the commonly-held misconceptions about password security.)
The only true measure of “safety” of a password is its length, so employees need to be educated to use groups of words as passwords, known as “pass phrases”, rather than passwords.
To stay competitive, avoiding the productivity benefits of technology is simply not an option. Firms need to invest in IT and education to safely and effectively reap the benefits of technology and stay competitive in an increasingly cutthroat market.
About the Author
Graham Leslie is the JBKnowledge Research & Development Team Lead (JBKLabs), which is dedicated to disrupting and accelerating the architecture, engineering, and construction industries by building solutions with emerging technology. Graham is a computer scientist with particular research interests in mixed reality and reality scanning. JBKLabs is available for advisory, research, and custom software development services. Learn more at jbknowledge.com/labs.