Industry INSIGHT

Education: Your first line of defence against cyber attacks

As the construction industry adopts new technologies and dives deeper into digitization, sensitive data needs to be protected from the increasing sophistication of cyber criminals. This includes documents, personal information, building models, and much more.

With 80 per cent of all breaches starting with an email, cyber-attacks are becoming more costly and more common for businesses of all sizes.

John Frainetti, Director of Cybersecurity at Graham, says it’s time for a culture shift. “The construction industry has been excellent at creating a culture around health and safety,” says Frainetti. “We need to extend this to digital or cyber safety.”

Frainetti suggests the industry start drawing analogies to safety. By using the same language adopted for physical safety risk assessments, such as near misses, leading indicators and hazard identification, the industry will begin to recognize how vital cyber safety is to the well-being of a company and its workers.

In his 12 years at Graham, five of those as its Cybersecurity Director, Frainetti has focused on cybersecurity strategy, including awareness, protect-detect-respond tactics, compliance, education and risk management.

Frainetti says the key to cyber risk management is education and awareness. Businesses and their people are not always aware of the cyber threats that exist in the construction space, not only against their own company but also through the vendors they use.

He created a cybersecurity checklist to help contractors prepare for their bids. While not an exhaustive list, he hopes it can be used as a springboard for discussion on where companies need to begin shifting their efforts in order to protect themselves.

It includes items to consider, such as multi-factor authentication, password protocols, incident reporting, data encryption, security patching, intrusion testing, and training. “If owners, partners, or other organizations haven’t started asking you questions like these yet, they will soon,” says Frainetti.

There are many pathways along the construction ecosystem that can open a company to cyber risk. Projects involve owners, developers, general contractors, trade contractors, suppliers, and other third-party providers. With every new digital connection, the range of potential attack points for cyber criminals increases.

Sharing knowledge is key as all stakeholders share the same threat. Businesses should also implement strong internal controls, such as setting strong passwords, training employees on how to identify, avoid and report malicious activity, and creating a response plan in case something happens – and if necessary, invest in IT services/solutions to help.

Frainetti recognizes the challenges for the small and medium-sized contractor to implement these cyber safeguards, but businesses of all sizes are being targeted by criminals and the consequences of an attack can be very harmful, from impacting cash flow and intellectual property to damaging your reputation and relationships along the supply chain.

His advice: share. “Don’t be afraid to share information and to ask for help. There is a lot of good information out there on best practices to follow that can help small businesses.”

Helpful resources

Cyber security for construction businesses, National Cyber Security Centre, United Kingdom

  • Provides guidance to help small to medium-sized construction businesses protect themselves from cyber attacks.

Canadian Cyber Threat Exchange (CCTX)

  • Shares cyber threat information across business sectors.

Canadian Centre for Cyber Security

  • A unified source of expert advice, guidance, services, and support on cyber security for Canadians.