A practical guide to minimizing cyberrisk & maximizing opportunity
by Kristina Podnar
August 15, 2019

In today’s construction business world, the processes of creating and operating your website, executing online advertising, building your brand through social media, and managing subcontractors through online tools and systems are just par for the course. But if you are not versed in the risks that accompany these digital undertakings, they can pose serious threats to your business.

The following are some key issues that arise during these digital ventures, what you should know about them, and what you should do about them. 

1. Privacy

Laws and regulations regarding online privacy vary by country, state and even industry—as do the penalties, which tend to be significant. For example, if you are bidding on a construction project in the European Union (EU), you need to know about the General Data Protection Regulation (GDPR). The law went into effect in May 2018 and serves to protect the private data of the EU’s citizens, including work email addresses and cellphone numbers.

If your company only operates in the United States, you still need to have privacy at the forefront of your mind. For example, in 2019, many construction companies will need to start complying with the California Consumer Privacy Act (CCPA). It’s similar to GDPR but extends to manufacturers and installers of internet of things (IoT) devices. 

What to do?
Create a spreadsheet that documents which laws and regulations apply to you; the countries, states and industries they apply in; and what you need to do to become compliant. If you’re starting from scratch, it’s almost impossible to do everything at once. In this case, your best strategy is to prioritize policy development based on your level of activity in a particular country, state or industry, as well as the potential for lawsuits and penalties.

2. Security

According to TechHQ, in a recent study of both small and midsize organizations, the construction sector ranked as having the highest proportion of hack-prone employees. A whopping 87% of small businesses have no data security policies for their employees. Consider the following statistics:

  • Many small businesses don’t have an employee password policy that addresses things like the characteristics that make a password secure, how often the password should be changed, the importance of not writing passwords down or sharing them, etc. 
  • Of those using a password policy, only 35% strictly enforce it
  • Only 31% install regular software upgrades
  • Only 22% encrypt their databases

What to do?
There are plenty of online resources for employee data security best practices. Find the ones that make the most sense for your company, document them in a digital policy (including the consequences for not following the policy) and implement them. If employees don’t take the policy seriously at first, you may have to enforce the repercussions until they do.

One reason cybercriminals target small businesses is that they know how expensive top information technology (IT) talent is, and they know that few small businesses can afford it. Fortunately, there are plenty of security-as-a-service firms that can provide top talent, and outsourcing to them is a smart choice for small businesses. The PCI Security Standards Council LLC suggests considering outsourcing website hosting, payment processing, data processing and storage, vulnerability testing, and breach monitoring and mitigation. 

3. Intellectual Property

As a construction professional, you face myriad issues related to intellectual property during complex projects, including patents, copyrights, trademarks and trade secrets. Intellectual property disputes can create substantial economic risks and even completely shut down an otherwise successful construction project. In a market with a hodgepodge of laws and enforcement efforts, copyright infringement and theft of intellectual property are complex and expensive.

What to do?
Protecting your intellectual property on the front end, with a copyright or trademark, before it’s stolen or pirated, can save you a lot of expense and hassle down the road. Even the smallest businesses can and should protect their intellectual property.

So decide which strategies you’re going to employ, formalize them in digital policy and ensure that all employees follow the policy’s requirements. For help getting started, check out “10 Ways to Protect Your Intellectual Property” (inc.com) and “How to Protect Your Intellectual Property the Right Way” (forbes.com).

4. Accessibility

Accessibility refers to whether and how well your site is designed to accommodate users with challenges in sight, hearing, mobility, etc. While most construction businesses are familiar with the Americans with Disabilities Act (ADA), many don’t realize that courts have ruled that it applies to digital spaces as much as it does to physical ones. 

According to Seyfarth Shaw LLP, the number of lawsuits filed against businesses whose websites aren’t accessible has skyrocketed over the last few years. About one in five Americans has some disability. Do you want your website to broadcast a “You’re not welcome here” message?

What to do?
One of the most important things you can do is add an accessibility statement to your website. The point is not to claim accessibility you haven’t achieved, but to make a good-faith statement describing your awareness of the problem and your commitment to fixing it. 

After adding an accessibility statement, there are many steps involved in achieving accessibility compliance, including adding captions to videos and descriptive alt text to images; using high-contrast text on light backgrounds; and providing a number for people to call if they’re having problems using your website.

But that’s just the low-hanging fruit. You should consider additional ways of achieving accessibility and develop your policies based on what works best for your business. The Web Accessibility Initiative’s website (w3.org) and essentialaccessibility.com are good places to begin researching. 

5. Systems

Many businesses use so many software products that it’s almost impossible to keep up. The most recent Ponemon Institute study on data security, the fourth edition of “The Cyber Resilient Organization,” revealed that 65% of respondents said they had a hard time prioritizing which systems to patch first. The time required to implement the patches (particularly for small businesses with inexperienced employees) adds to the cost and inconvenience.

What to do?
The best way to address this issue is through digital policies. A policy that establishes a timetable for reviewing channels and sets triggers for acting helps keep small problems from accumulating into an impossible mess. When your policy tells employees what to do and the order in which to do it, you reduce the risk of a time-wasting debate and make sure the most important patches are prioritized.