How to make sure you're secure
by Srikanth Veeraraghavan
July 9, 2019

The construction industry is crossing the bridge from outdated processes into digitization. Firms everywhere are now embracing software throughout their organizations. The upside is that work can be done more productively. The downside—as is the case with adopting connected technology anywhere—is the introduction of cybersecurity risks. 

With insufficient safeguards, organizations can become vulnerable to a host of security risks, including data loss and theft of valuable organizational intelligence, which could interrupt operations and result in the lost business opportunities. The following are some best practices construction companies should employ to maintain their security posture. 

1. Define Security Parameters

First, you have to understand what you need to protect. Are you storing project and organizational information in the cloud? How much and what types of data do you have to secure? Does it contain financial data? Personal data? Intellectual property? Do your clients have particular compliance measures? These are just a few of the questions to ask. 

Once you know what data to secure, you can map out what you need to secure it. Do you require encryption? Two-factor authentication? Do you need vendors that have certain types of security certifications? What level of complexity will your employees be able to manage? 

Regardless of the approach to security, the first step should be to understand what the most important assets to protect are, and then intentionally build protection around them. 

2. Look for Trusted Vendors

Construction companies are trusted to manage sensitive client data, including the proprietary details of projects and contracts, private financial data, user information and more. To keep all of this data secure, it’s imperative to seek out trusted software vendors. Service organization control (SOC) certifications provide a good baseline understanding of a vendor’s security capabilities. 

SOC certifications, available on three levels, demonstrate to increasingly detailed extents that an independent auditing firm has reviewed and examined the vendor’s security control objectives and activities and has tested those controls to ensure that they work as they should. 

Given that the construction industry is increasingly adopting cloud-based software solutions to improve document management and collaboration with real-time communication, companies should seek vendors with SOC 2 certification and above, as this certification indicates vendors who are able to provide privacy in cloud environments.

Contractors should look beyond the baseline certifications, too. Research the vendor’s data breach history and ask questions to determine if the solution and the team behind it is trustworthy, such as:

  • How is security managed for software integrations and any other software the vendor uses? 
  • What do your security maintenance operations look like?
  • How does your company react to various breach scenarios? 
  • How do you keep your local offices and equipment secure? 

The list goes on, but the point is that a trustworthy team is also an important piece of the security equation.  

3. Hold workers Accountable

If the employees who use the solutions on a daily basis do not understand their responsibilities for keeping the system secure, breaches are inevitable. As such, it is wise to ensure employees know not to share their passwords or to write them down. Employees should also avoid sharing information through channels that are outside of the purview of the organization’s own information technology (IT) department or the vendor’s.

These practices are particularly important given how many parties are often required to coordinate on construction projects. In addition, it may seem easier for teams to share passwords, but doing so will only open the company up to security risks.

When any software used across the company issues a security patch, confirm everyone has applied it on his or her devices. Train employees on how to recognize suspicious links and emails, even those coming from your projects’ partner organizations.

If a bad actor is able to compromise the email accounts of one team on a project, sharing infected links and documents with partners is an easy way to get to data of the other teams. And of course, if possible, test all employees, including the IT department, on their approach to security so that everyone remains aware of best practices.