When you are asked, “How do you feel about cybersecurity?”, do any of the following knee-jerk responses occur?
“Ugh.”
“Ah, I’m not a target.”
“What does that even mean? Really.”
“I’ve got nothing they want.”
“I’ve not thought about it much.”
We hear these responses often. And we get it. There are very few high-profile resources catering to small and medium-sized businesses (SMBs) when it comes to cybersecurity. What you see coming through the media and being reported on mainly pertains to large, enterprise-level organizations: MGM, Target, 23andMe. Those are obvious targets. We’re not seeing reports on B&C Construction in Philadelphia, family owned for three generations, employing 50 people; they’ve been dealing with litigation over a breach for the last 3 years and it has almost cost them their business.
No. That isn’t a catchy headline. That’s not the kind of clickbait news outlets are going for, but it is infinitely more relevant to a much larger number of business owners.
Now, yes, I made up the company mentioned above, but the overall scenario is based on real events. The cost of even a small breach, in terms of resources, is too great to ignore. And it isn’t just about money. There is a labor cost – someone, or more likely several people, in your office will have to manage the problem on top of what they are already doing. There is reputational damage – while this may not make Apple News, word will travel to the people that matter. There is the client trust factor – divulging to a client that you’ve been hacked opens you up to a lot of questions. All these factors leave you very vulnerable, the very thing a small business cannot afford to be.
Now, every time I watch a movie that says “based on real events,” the skeptic in me immediately wonders how much creative liberty the writers and directors have taken. Furthermore, Visory has committed to sticking to the facts when it comes to relaying information about cybersecurity, so I’m not going to leave you with the made-up scenario above. We’ve compiled a few real-world stories from organizations we’ve worked with directly. (Note: names and identifying information have been withheld.)
SCENARIO ONE:
The bank contacted a construction company to report suspicious activity on their account.
Here’s what happened:
The business manager, a power user with an all-access pass to their data, gave away their credentials via email, because of a phishing scam. Now, let’s not chastise this business manager. These phishing emails are good…very, very good; this can (and does) happen to the best of us.
The good news: MFA adds a strong second layer of security
They caught it right away and put Multi-Factor Authentication (MFA) in place. Great idea. Multi-Factor Authentication is an added layer of protection. Typically, a code is sent to your phone via text/SMS before logging in.
What they didn’t know: Hackers had already obtained a way in
The hacker used the ill-gotten credentials to forward the IT Manager’s emails to themselves, thus gaining access to the company phone provider. Now they are able to access email and SMS / text messages, rendering MFA useless.
Why this business was targeted: Construction companies are lucrative targets
The purpose of the attack was to intercept a large wire transfer. Large wire transfers are a primary reason construction companies are so attractive to cyber criminals. With email and SMS hijacked, they had all the access they needed. Had the bank not caught the suspicious activity and the attack been carried out, it would have been a very complex problem, requiring numerous resources and costs.
How to prevent this problem: Good – Better – Best Planning
Good: Multi-Factor Authentication
MFA would have made it much more difficult for the cyber-criminal to access the business manager’s email.
Better: MFA + Employee Security Awareness Training
By participating in security awareness training, the business manager would have been more likely to spot the fraudulent email.
Best: MFA + Security Awareness Training + Next Gen Filtering
With the addition of next gen mail filtering, the email wouldn’t have ever made it to the business manager’s inbox.
SCENARIO TWO:
Construction company praises cyber-aware team but leaves too much room for human error.
Here’s what happened:
During our conversation with this client, the subject of cybersecurity came up and the controller confidently explained that her team was incredibly cyber-aware, very security conscious, very adept at thwarting phishing attempts. We were very impressed and wondered how they knew this, how they tracked it. Well, they forwarded the controller every. single. piece. of suspicious-looking email.
Why this is a problem: Lacking efficiency and effectiveness
The sheer loyalty and dedication behind this move should be rewarded 10 times out of 10. However, the lack of efficiency and effectiveness spans a few layers. And with an SMB, we are always working toward efficient and effective, no? Always attempting to do more with less.
First, it is highly unlikely the employees are going to catch every suspicious email, especially if they’ve not had training in how to do so (see employee security awareness training above). Second, it is unlikely the controller is going to be able to dissect and research every one of the emails they do send to the depth that is necessary and with accuracy. Third, the amount of time this takes could be a full-time job in and of itself.
How you prevent this problem: Email filtering
A next gen, robust email filtering program, one that gets smarter over time, was made for this very situation. Efficiency is one of the main reasons to invest in this type of technology; it removes emails and removes garbage, so you don’t ever have to pay attention to it or waste your time.
SCENARIO THREE:
Everyone’s worst nightmare when dismissing an employee.
Here’s what happened:
We had a client who had scaled back their business and therefore decided to cancel their hosting service and bring everything on premises. In fact, they only had one employee – the controller – accessing their accounting data at this point and the cost didn’t seem justifiable. Completely understandable.
About 18 months later, the controller was dismissed…um…abruptly. Now whether said controller was disgruntled or misinformed, I’m not sure, but the controller proceeded to wipe their company computer clean. Clean. As in all the accounting data, clean.
How this became a bigger problem: Corrupt backup data
The business manager came in and said, “That is okay. We have a backup.” While they did put a backup solution in place, there was a gap in understanding either how that setup worked or how to manage it. All backup data was corrupt. In fact, the most recent backup information they could access was 18 months old. Is your heart in your throat? Well, it gets worse. They had an audit coming up in one month.
How to prevent this: Robust backup & regular testing
The turnover of a critical employee doesn’t have to upend your business. You need a proper backup system and you need to test the recoverability of that backup system on a regular, scheduled cadence.
It is increasingly difficult to write about or discuss cyber protection in a way that doesn’t create fear because the resulting effects of a cyber-attack are difficult. While we mainly hear of a ransom attack where the company may or may not have paid the ransom, we do not hear about the resulting fallout: the resulting layers of time, stress and financial burden. However, creating fear is not our goal. Fear is not a place from which to make good decisions. We simply want you to see a bit of yourself and your business in these stories. We want you to start asking yourself: how would we handle that situation? Are we covered if something like that occurred? We want this to be your sign to start getting educated if you aren’t already; that is the place you want to start.
We’ve got a few pieces that cover the most fundamental aspects of a cyber-attack. If this information is brand new to you or if you want to see where you stand in terms of knowledge, start here.
If you’d like to see where you currently stand as it relates to cybersecurity, take our short quiz here.
If you’d like to have a conversation and ask a few questions, we’d be happy to help. Whether or not you start with us, it is imperative you start looking at what you need to protect yourself, your organization and your employees.