Legal and Regulatory

Data Safety and Security On and Off the Jobsite

Establishing security measures before sharing data with subcontractors and suppliers will protect everyone from cyber threats.
By Brian Schrader
February 5, 2019

The length and cost of a typical construction project can leave a company open to many potential issues of dispute, some of which lead to litigation.

The ever-present possibility of a lawsuit makes it especially important for companies to maintain control of their data, as noted in “Taming the Data Beast: Tips for Managing eDiscovery Challenges in the Construction Industry.” Once contractors have prepared for those challenges and are effectively controlling the data beast, the next step is to make sure data is protected.

The nature of construction means that confidential information is sometimes shared among many parties — including the client, the contractor and a variety of subcontractors. With data in so many different hands, there is a greater possibility of it being mishandled. That’s why it’s important to establish policies both at the construction site and among subcontractors to help maintain a high level of data safety.

At the jobsite

During construction projects, the contractor typically works out of a trailer near the job site. This portable office is often accessed by many workers each day and lacks the privacy and security expected in a conventional office. Because of this, contractors need to take special precautions to ensure their data and their client’s data stays safe:

  • Physical security standards. A physical barrier isn’t just necessary to protect building materials or tools; it can also protect information, including emails, spreadsheets and passwords. To avoid any prying eyes, there should be a locked gate to the construction site as well as a lock on the site’s trailer. Security cameras should also be installed for optimal protection.
  • Ensure devices meet minimum security protocols. In addition to setting up physical security measures, establish virtual security standards to verify that devices have not been compromised. An IT department or eDiscovery firm with forensic capabilities can inspect each device to confirm that it has not been compromised before granting anyone access. The team can also install malware protection software to defend against hacking attempts and monitor activity to ensure all cyberactivity is above board.
  • Verify public networks. Contractors and their subcontractors may be using public Wi-Fi networks, which can leave them at risk for a cyberattack. It’s important to verify the name of a public network before connecting, because hackers can use tools like the Wi-Fi Pineapple to create fake hotspots that appear to match the name of a network the device has previously connected to.
  • Consider using a virtual private network. A VPN extends a private network across a public one — and, importantly, encrypts any communications or files sent over the network. A private network is significantly more difficult to hack, but if a hacker were to gain access to files, the encryption would make them virtually impossible to read.
  • Create password standards. For years, we’ve been told to create complex passwords for ideal protection, but as of 2017, the National Institute of Standards and Technology says simple, though longer, passwords are more difficult for hackers to break. Their modified guidelines now say:
      • Simple, long and memorable passwords containing phrases, lowercase letters and common English words are most successful. Ideally, the words don’t commonly go together, such as something like “pinkmagpieguitar.”
      • There is no need for a mixture of uppercase letters, lowercase letters and symbols, and passwords do not necessarily need to be changed every 90 days.
      • Something that can be pictured by the user, but by no one else, is the most effective password.

Among subcontractors

Security measures are only going to be effective if they are communicated to subcontractors. If a subcontractor’s network is compromised, for example, the data that has been shared with them is at risk of being stolen, which is essentially how the massive Target network breach and data theft occurred. That all started with an HVAC subcontractor and ultimately resulted in the theft of Target customers’ personal and credit card information.

Here are some standards to put in place when working with subcontractors to avoid the loss of important data:

  • Establish who owns the data. A subcontractor may not have any malicious intentions of sharing or stealing sensitive data, but it’s important to clearly communicate who owns the data and define confidentiality requirements and expectations. By agreeing on those items before sharing any information, contractors, their clients and the subcontractors will know what can and cannot be shared with others, thus reducing the chances of sensitive data being accessed by unauthorized people. Likewise, establishing who owns the data shows subcontractors that the GC is also protecting their interests.
  • Use a “need to know” basis. These days, data can be stolen simply by opening a spam email. That is why it’s important to allow subcontractors to access only the files they need for their job duties. In addition to access levels, set up multi-factor authentication to provide an extra layer of protection from hackers and other bad actors. For documents that may be taken out of the protected network, such as files sent via email or distributed on a flash drive, require an additional password to access or edit them.
  • Conduct a cyber risk assessment. The final step before sharing data is determining how thoroughly subcontractors protect themselves from cybercrime. Compare their security measures to company standards and to industry standards. Also evaluate the company’s existing networks and physical security standards. A report explaining what the company does well, where its vulnerabilities lie and where it needs to improve will assist in determining whether or not to share sensitive data.

Cybersecurity is becoming a part of the everyday business process, and the construction industry should be no different. With so many different contractors and workers coming in and out of the office every day, establishing security measures before sharing data is vitally important. By putting these precautions to use, contractors will be better protected from cyber threats, and their clients and subcontractors will thank them.

With early career experience in information management, computer technology and the law, Brian Schrader, Esq., co-founded BIA in 2002 and has since developed the firm’s reputation as an industry pioneer and a trusted partner for corporations and law firms around the world. BIA is a leader in reliable, innovative and cost-effective eDiscovery services.
