Why Cybersecurity is Important in the Construction Industry

Why Does Cybersecurity Matter in Construction?

The dramatic shift to cloud technologies in the past several years combined with the shift to remote work has created a golden age for cyber criminals. Lockdowns permanently changed how we conduct business, how we connect to applications and go through our daily work. Cyber threats are increasingly more dangerous and threat actors continue to take advantage of current events and changing circumstances.

Most people have a high level of confidence that financial institutions are well fortified and protected, and rightly so. But as the war raging in Ukraine has taught us—no sectors of the U.S. or world economies are safe from cyber warfare.

"The integrity of critical infrastructure is certainly in scope of a malicious actor attempting to cause harm. Construction companies should look to embed security by design principles as part of their requirements definition stage for any structure components that are to be connected to the internet."

- Ryan Johnson, Director of Cybersecurity at Trimble

Unfortunately, threat actors target the trillion dollar construction industry because it's a known laggard where cybersecurity is concerned. And these worst-case-scenario cyberattacks are a rising concern in the construction industry.

"The integrity of critical infrastructure is certainly in scope of a malicious actor attempting to cause harm," said Ryan Johnson, director of cybersecurity at Trimble. "Construction companies should look to embed security by design principles as part of their requirements definition stage for any structure components that are to be connected to the internet."

At Trimble, the security of e-Builder Enterprise is a primary concern and we’ve taken a number of steps recently to fortify our capital improvement planning solution.

Cybersecurity Risks in Construction: Ransomware

First, it’s important to understand the changes in the way that cyberattacks are carried out, what they target and what we see ongoing. Threat actors typically exploit those who are most susceptible. Malware is rampant, and phishing attacks are more common than ever.

Ransomware attacks have skyrocketed and within the first six months of 2021, the monetary volume had eclipsed the entire volume of 2020's full-year total of $304.6 million. The cost of a ransomware breach has reached $4.6 million dollars—a figure that includes escalation notifications, lost business, and response costs. The figure however, does not include the cost of the ransom itself.

What's even more alarming is that ransomware spikes across key verticals have increased dramatically.
There was a:

• 917% increase in attacks against government organizations
• 615% increase against educational institutions
• 594% increase against healthcare institutions
• 264% increase against retailers.

The move to remote work due to the COVID-19 Pandemic directly increased the average total cost of a data breach by $1.07 million. Personally identifiable information (PII), was the most common type of customer record lost, included in 44% of breaches—and customer PII was also the most costly record type.

Cybersecurity Risks in Construction: Reusing the Same Password

At one time or another, you’ve probably wondered what's so important about e- Builder Enterprise's data and why anyone would want to steal that data. It's just construction information at the end of the day, right?

Let’s look at the situation from a different lens…

Despite the fact that everyone knows they shouldn’t reuse passwords, it’s estimated that 59% of people use the same password everywhere, and hackers thrive on this knowledge. They know that all they need to do is steal your go-to password to gain instant access to many other sensitive applications. They'd be able to login to your financial applications, government systems for government clients, transportation, even critical utilities.

e-Builder Enterprise claims an immense amount of traffic, averaging 1 million logins a day—and at any given time, we have over 350 terabytes of data on our servers. Additionally, we have over $900 billion of budget information in our system (as of 2021).

But rest assured, we’re on guard and continually reviewing our systems to ensure they meet the high cybersecurity standards required by government entities and other valued organizations across industries.

10 Cybersecurity Prevention Strategies & Ways e-Builder Secures Your Data

We've made many changes to fortify our products and subsequently, your data. For starters, we’ve beefed up the front door, your log-in, because password security and compromised credentials are the most commonly used attack vectors.

HERE’S A LIST OF SOME RECENT IMPROVEMENTS TO THE CYBERSECURITY OF E-BUILDER:

1. We've expanded the password policies we offer and removed options for short passwords and added options for longer ones.
2. We make sure that users aren’t using common passwords like 123456 or Qwerty.
3. We’ve implemented support for multi-factor authentication to serve as an extra layer of protection.
4. We’ve improved the security questions—making them more random and difficult to help prevent anyone from falling victim to social engineering attacks.
5. Somewhat related to password policies, we’ve also begun protecting against malicious threats reusing the same login hundreds of times by limiting the number of concurrent sessions—this lowers the attack vector because it limits the use of even compromised credentials.
6. We improved our access delegation feature set.
7. We extended our logging—especially for tech support users.
8. We thoroughly reviewed the type of data we have in our system and removed fields with personally identifiable information.
9. We reduced the number of places with personal information—and anonymized any sensitive data in all lower environments.
10.  We updated our encryption algorithms and extended them to encrypt all connections where data is sent and where data may be stored.

Improved Employee Training to Keep Your Data Safe

In addition to making our product more secure, we have also taken many steps to make sure our employees are more knowledgeable about cybersecurity and have strengthened several of our processes.

• Since compromised credentials and vector phishing are the most common under attack, we’ve added additional employee training around security specific issues to increase their knowledge of best practices, including how to develop for security and how to test for security. Even product and UX employees have gone through training to ensure our enhancements and designs are implementing best practices for security.
• When developers and others log in to our application, we require them to enable multi-factor authentication (MFA) turned on, regardless of the account configuration.
• All internally used third party tools, such as Salesforce or Slack must have MFA enabled as well.
• We've overhauled permission rights so that everyone has access to only what they need to do their jobs, limiting rights to sensitive assets, which in turn limits the impact of potential breaches.
• While we’ve made the product changes to allow configuring stricter policies per account, we’ve taken that a step further and mandated all tech user’s to have both the strictest password policies AND MFA enabled regardless of the account’s they log into.
• We’ve also improved our processes internally to ensure every single change is thoroughly documented and approved through our change control process. Even simple data fixes must go through this process.
• We've increased our system monitoring and alerts so that we are notified of any anomalies, and we've improved our response and recovery procedures so that we can manage incidents faster and more safely.
• Lastly, we have an internal Trimble security operations team that provides an additional layer of security. Every single asset we have is monitored.

Increased Government Security with FedRAMP

For those working on federal government projects, we’ve taken the steps to gain FedRAMP certification and our e-Builder Enterprise Government Edition was recently named as a FedRAMP Authorized solution. Trimble’s e-Builder Enterprise is now available on the FedRAMP Marketplace.

FedRAMP is a standardized approach to security assessment, authorization, and continuous monitoring for federal government-authorized cloud products and service programs at the low, moderate, and high-risk impact levels, according to the government website. The FedRAMP program addresses the security of commercial cloud service providers and helps government officials manage risk in a cloud-based environment.

To gain the In-Process designation, we completed a Readiness Assessment by a Third-Party Assessment Organization (3PAO) and the establishment of an authorizing partner in the US Department of Energy that confirmed we have incorporated built-in, federally-approved levels of security controls and compliance features not offered by public clouds.

FedRAMP leverages National Institute of Standards and Technology (NIST) standards and guidelines to provide standardized security requirements for cloud services; a conformity assessment program; standardized authorization packages and contract language; and a repository for authorization packages Federal, state, and local governments will benefit from this additional level of security, which is federally mandated.

Your Data is Protected with e-Builder

Cybersecurity is a concern to all industries, including construction. We are by no means finished, and realize we still have a lot left to do. Improving cybersecurity, especially in the construction industry, will be a continuous effort.

By implementing all these cybersecurity measures – more than 25, if you’ve been counting – you should better understand just how important cyber security is at Trimble and for our trusted owner solution, e-Builder Enterprise. We are on guard, working hard to protect all our systems, and as a result, hope you can now sleep a little better at night, knowing that your data is well protected.