The world has become largely digitized over the past few years, and more reliant on technology than ever. In 2018, Forbes wrote that humans created 2.5 quintillion bytes (2.5M Terabytes) of data every day, and 90% of the world’s entire data was created within just the previous two to three years. That same year, Cisco noted in a report that 94% of all workloads would be run in some form of cloud environment by 2021. 

Today, as contractors have spent most of 2020 deploying the latest technologies to work remotely and social distance amid the global COVID-19 pandemic, even those lofty figures might seem understated. Technology, and especially the cloud, have been vital to businesses’ continuity efforts. So too is securing the data that flows through these platforms.  

Even before COVID-19, technology’s rapid growth meant that data security has become a higher priority—both in personal lives and in business. It wasn’t all that long ago that data security was something that many took for granted. The idea of someone stealing money, compromising identities or hijacking files was reserved to physical crimes like burglaries, muggings or larceny. Today, while technology opens up new doors of opportunity, it can also expose more risk if the proper safeguards aren't in place.

By the Numbers

With COVID-19 ushering in a new reality, companies across all industries—and their IT infrastructures—are adapting to be agile to allow employees to work from home, while striving to ensure critical company data is protected.

In April, VMware Carbon Black noted that data security attacks like ransomware were up 148% since the beginning of the COVID-19 pandemic, but fewer of those attacks are successful thanks to heightened data security technologies. The pandemic has forced companies’ IT departments to take a closer look at their data security safeguards. Here are some other figures to consider:

• many contractors don’t expect business to return to normal for six months or more; 
• 62% of companies (in all sectors) have crisis management plans, though few companies practice them, and it’s unclear how many companies actively update those plans;
• JBKnowledge reports that nearly 12% of contractors have reported a data security breach in the past 12 months;
• multi-sector studies in the past decade suggest that only 43% of companies with a major data loss reopen, and only 6% survive more than two years; 
• more than $1.5 trillion was lost in cybersecurity expenses and breaches in 2018; and 
• more than $6 trillion could be lost to cybercrimes by 2021.

Protecting the New Norm

Contractors that rely on lots of data to facilitate complex construction projects are among the many businesses that can often be targets of cyber criminals. Multiple projects, using many different applications and hundreds, if not thousands of workers entering data can provide plenty of potential doors of opportunity for cyber criminals to knock on. So, how do contractors ensure these doors stay locked? It begins with knowing what to look for.

Here are three common cybersecurity threats that businesses face every day:

1. Ransomware. In this attack, a breach occurs when someone clicks on a link or file in an email, or hackers are able to hijack a user’s credentials. Once they’re in, they unleash a program that essentially encrypts the data until the user or company agrees to pay a fee. Some companies can be put in difficult positions where their operations are effectively shut down and they have to decide whether to remain closed or pay the ransom—sometimes well in excess of $100,000.
2. Phishing. By far one of the most widely used tactics for exploitation, successful phishing campaigns target people by soliciting them to take a specific action, usually in a rushed capacity. In these cases, victims might get an email, text or even call alerting them of a reported virus, locked account or other “problem” with a software application or credit card they use that requests immediate action. Many times, these attempts will target folks that don’t even use the application, device or account in question—hence the phishing designation. The offenders request access to a system, ask for a card number or other personal information, or try and get the victim to visit a site where they can skim their data. Of course, it’s a ruse, and most legitimate providers and retailers rely on more legitimate ways to alert users of problems, but many folks fall for this anyway. In other, more personalized cases, someone might call an elderly person and tell them their son or daughter has been injured or imprisoned and needs an immediate $5,000 or $10,000 to help them out and ask for the money online or via wire transfers. Another approach called “spear-phishing” is much more targeted, where scammers do online research to build a profile to use to make the scam more believable. They may also appeal to folks’ likes and interests by offering up bogus special deals (front row tickets to concerts of their favorite bands, exclusive movie viewings, etc.) to get people to share information or credit card numbers. This is sometimes known as Clickbait.
3. Wire Transfers. Wire transfers are another area that have given thieves access to companies and individuals. And it’s one that has particular interest in construction, where multiple bills, invoices and payments permeate the daily work. In these scams, criminals send phony invoices or initiate calls requesting immediate payment for items in order to avoid default. Once the money is transferred, it’s gone forever (and thieves could have a new back door into companies’ payment processes). A strong deterrent to these is instituting a policy where wire transfers are forbidden without a specific phone call being made to someone well known to the company to authorize it. Emails, in and of themselves, should never be used to authorize wire transfers or change bank account numbers. Anyone who has experienced actual loss in relation to this scam should report it to their local FBI field office.

Proactive Measures

Thankfully, there are ways to protect against these threats. Most companies doing legitimate business have safeguards in place to protect their clients from cybersecurity hacks and legions of cybersecurity experts are further helping companies by staying on top of the latest schemes and exposing weaknesses in organizations before the criminals do.

With many businesses moving to the cloud—including leading construction companies—the weaknesses of yesterday are being replaced with stronger security and protective measures.

Generally, storing data and working in the cloud is safer than with on-premise software that consistently needs updating to provide the latest security protections. So long as cloud software vendors are providing consistent high levels of security on their end, those safeguards are then automatically rolled out to clients. It’s also important to understand these platforms have some excellent security tools built-in, but they are only effective if deployed properly, so leveraging secure configuration expertise is paramount for successful implementation.

Regardless, even the most robust security technology cannot prevent the inevitable human factor, and contractors should take their own steps to ensure consistent data security practices are employed throughout their organizations. Here are some strategic approaches: 

• Deploy Multi-Factor Authentication. Wherever possible, require multifactor authentication. This control requires that multiple steps, identifiers or devices are needed when logging into systems, applications or devices. This makes it significantly harder for cybercriminals to gain illegitimate access, and the odds are most will move on to an easier target.
• Demand strong usernames, passwords or passphrases. The more complex, the harder they’ll be for scammers to crack. Also, consider requiring passwords be changed routinely to meet compliance requirements and best practices.
• Backup Files. Contractors (and employees) should back up their files in multiple, secure places. Having files accessible in the cloud is essential should local devices or servers go down, but the opposite is also true. If there is a breach with a cloud provider or something goes wrong, have critical files routinely backed up on devices like encrypted external hard drives or local, on premise servers, NAS or SAN devices.
• Provide Consistent Training and Updates. One of the biggest challenges is staying current on cyber threats. Many people don’t know about new threats until they’re affected by them. Each company should have at least one designated person to stay on top of the latest threats and train employees thoroughly on how to spot and avoid them.