Construction companies in Oregon, both big and small, have taken the path of least resistance when it comes to their cybersecurity maturity and they are paying for it. The primary reason is owners and leaders think there is no reason to ‘hack’ them, but on the contrary, there are lots of good reasons to hack a construction company. #1 reason—you are a business making money. If you have money in the bank, then you are a target, simple as that. The assumption that cybersecurity is an IT issue is wrong, sure they have a role to play, but responsibility starts with owners and leaders setting the tone around security, with intent and the ability to influence, then cascading the mentality through the rest of the company and everyone focusing on the same goal—a culture of security to protect our jobs and the business.
Your #1 defense against a ‘hack’ is your people, but for it to work as a defense, instead of a weakness, everybody must be trained. Training can take many forms, but the key is to make sure it is continuous and to test for knowledge retention. The best approach for training is having an annual in-person course with the opportunity for Q&A, virtual works too, as well as a recurring training video service. Because most ‘hacks’ in small businesses occur when people are not trained properly, investing in a cybersecurity training program will become your best line of defense and one of the highest returns on investment you can make. Below are some key elements of a formal Cybersecurity Awareness Program and good cyber hygiene:
These 12 elements will help you develop a Culture of Security:
- Ownership Support – Just like job site safety, everybody has a responsibility to be security aware.
- Information Security Officer – Seek a staff member with passion for this or partner with a company who can lead you in your cybersecurity efforts.
- Cybersecurity Education and Awareness Activities – Training videos, annual classes, Phishing tests, periodic Backup & Disaster Recovery validation checks.
- Incident Response Plan – Establish one and test it, just like doing the old earthquake drills in grade school, all plans need to be tested to ensure they will work as intended.
- Security Policies & Procedures – Create them or hire a 3rd party to help you create a customized set based on how your company operates.
- Least Privilege – Take away Admin rights from everyday user accounts and create a 2nd account for temporary purposes ONLY for those that need one.
- Multi-Factor Authentication – Implement it, no more complaining about the extra step or inconvenience, this is one of the simplest ways to prevent a security incident.
- Cyber Liability Insurance – Obtain a full policy, not just a rider, with the proper coverage limits including access to legal resources in the event of an incident.
- Technology Standardization – Manage technology changes and use standardized secure configurations across all your company owned devices and personal devices too if you allow them to access corporate information on them.
- Anti-virus & Anti-malware – Install, maintain, and use the automation features for daily and weekly scheduled scans.
- Vulnerability Scans – Execute an annual scan of your entire network for vulnerabilities or hire a third party to do one for an impartial view.
- Supplier Acknowledgement – We are all part of a supply chain in some way, establish a multi-step procedure and process with your suppliers for AP/AR so any changes MUST follow the new process. No need for your people to get duped by their lack of security.
Establishing a culture of security will pay for itself and it will help your company be prepared when a security incident occurs. We believe security incidents are unavoidable, but a full security breach is certainly avoidable when you build your foundation based on a culture of security.
AGC would not be able to have the successful events and meetings without our generous partners! As a benefit of our yearly Partner Program, we spotlight some of our member partner companies. Thank you Convergence Networks!