This article is the first in a four-part series on cybersecurity and how the construction industry and construction business owners can prevent, protect, and prepare for cyber-based threats and attacks.
Many of us remember the transition from listening to music on cassette tapes to CDs and then eventually to digital. The same thing goes for movies as well. They used to be on VHS tapes, then Blu-ray discs, and now they’re digital. “Anything that can be digitized is digitized,” says CalPortland Chief Information Officer Luis Angulo. Serving the western U.S., CalPortland is one of the largest building materials companies producing cement and production material products.
In the construction industry, the processes around manufacturing and delivering construction materials have been digitized as well. “From the time you place an order, fulfill that order, transport the material, then finish the process,” Angulo says, “everything that's involved with that resides in a computer system somewhere.”
With our heavy reliance on digital information, businesses and people must think about ways to protect their operational data from threats. Cybersecurity is defined as what can be done to protect the digital information that supports a business in an effective way. While there are many benefits to a digitized world, people can now change or destroy digital information to profit from it or to cause damage to an individual or business.
At the most basic level, cybersecurity is a foundational discipline for safely using all digital devices, according to Ozinga CIO Keith Onchuck. “As we become more and more digitally connected, we must understand the risks that persist and the way to protect ourselves from these threats,” he says. Ozinga provides quality bulk materials and diverse concrete solutions to the concrete and aggregate markets.
Defining Cybersecurity
Onchuck compares cybersecurity to protecting your home, explaining that people use multiple tactics when protecting their home and its contents. The same can be said for your data and information. “We keep the doors and windows locked to prevent access unless you have the right keys,” Onchuck says. “We install smoke alarms, carbon dioxide detectors, battery backups, and generators to protect from fire and power outages. We have homeowners' insurance as preparation if any of the above were to occur. Cybersecurity is all about protecting our digital landscape in much the same manner.”
The risks are everywhere, although we might not notice them in our everyday environment. Using the house analogy, someone who lives on an island might not be as nervous about a break-in, and their doors probably aren’t locked. Someone who lives in a rural area might lock their doors sometimes. Someone who lives in a bustling city probably locks their doors all the time, even when they are inside.
“Why is that? Because when you’re on an island, there are really no threats nearby,” says Onchuck. “When you're in the suburbs, there are some threats nearby. When you're in Manhattan, there are a lot of threats nearby. In the digital environment, the threats are exponentially greater because every human being in the world that has internet connectivity could be a threat to you.”
Evolutionarily speaking, humans are good at the visual aspects of the physical world. In the digital space, however, a person’s sensory response to a dangerous website might not be as adept. People might not be as educated about, or as good at detecting, the dangers and threats that exist in the digital space.
“That transition from physical to digital is happening at an exponential rate, and as humans, our brains have not adapted to understand the threat landscape,” Angulo says. “It’s just way more dynamic than we’re able to respond to. This is why prevention and education are so important.”
Digging Deeper on Cybersecurity:
The Digging Deeper podcast interviews Ghousuddin Syed, senior director at ISN, about the growing risk of cybersecurity threats in construction and what you can do to reduce your company's vulnerability. Listen to the episode at ForConstructionPros.com/21577449.
Potential Threats to a Business
A security breach can wreak havoc on a business. “We should have a healthy fear of the number of threats out there,” says Onchuck. “You don't want to retreat. We still have to communicate. We still have to survive and thrive. The threats to digital security are just a little different.”
People’s senses must be raised to work smart and safe in a digital environment. It requires a new set of knowledge and visibility that people aren’t used to.
Onchuck's advice: second guess things.
- Second guess things if you get an email saying, ‘pay here.’
- Second guess things if the website you go to looks slightly funny.
- Second guess the phone call saying, ‘Dad, I'm in an auto accident. Send money.’ Ask personal questions. The same goes for video; video can be stitched together.
Within a business, a lot of these attacks and threats target the accounts payable department. Customers might receive an email that looks legit, asking for an invoice to be paid online. How do they know they are paying the right person? Last year, 10 different companies Ozinga did business with were compromised. “Our employees noticed that the terminology in the email changed,” says Onchuck. “They called the customer and found out the customer was hacked.”
Thankfully nothing happened on Ozinga’s side because of the employees’ knowledge and the education the company has provided about cybersecurity threats and risks. “Had they not done that, we really would’ve had a problem, because we would have just paid with our account and routing number and the vendor would never have gotten their payment,” Onchuck says. “You run the risk of allowing people into your system that shouldn't be in your system.”
Employees also need to be aware of phishing emails. “When somebody puts in their email and password, you just allowed somebody access to our network,” says Onchuck. “You basically gave them the keys to the house, 'Come in any time you want.' These are the things that really keep you up at night—just how easy people can be manipulated.”
Motivation Behind a Cyber Attack: Follow the Money
One way to think about risks in this digital age is to consider how data security affects us on a personal level. Most banking is now done online, payments are automated, and everything is done electronically. “How do you ensure those are not intercepted?” Angulo asks. “How do you protect yourself, prevent access, and be prepared if something happens?” He suggests that employees should be trained in cybersecurity and need to understand the motivation behind the threat.
When someone breaches a business’s data, they want to monetize that activity. The easiest way is to attack the company’s supply chain and its accounts payable department, or to compromise the payroll department.
The second motivation for a data breach is monetizing the activity after the company has been compromised. Attackers look to do this by tapping into your money stream, or by damaging your processes or your application of services so that you have to pay them to have those restored. “Can I access your data and hold the data hostage?” Angulo says. “Can I interrupt your services digitally and then have you pay me so you can restore your operations in some way?”
“It’s all about money,” says Onchuck. “If you catch a company off guard, and you have access to all their data, that company is crippled because they can't do anything. The reward for the attacker is ridiculously large.”
In the digital world, someone can target thousands of companies in a single day. “The potential profit is so big, and regulation is lax,” Angulo says. “Legislation to deter this is also not fast enough to react to the evolving threat.”
Anonymity also plays a huge part in the threat factor. It becomes impossible to find that person, unless you are in the FBI, Secret Service, CIA or have wire-tapping skills, Onchuck says. “They can bury themselves in so many layers,” he adds. “There are so many things [they] can do as an attacker that it’s never going to come back to [them].”
To add another layer to the anonymity factor, money became digitized with the creation of Bitcoin—a digital currency that is almost untraceable.
To prevent these attacks, you must ensure you aren’t an easy target. “You’re not striving to eliminate all threats,” Angulo says. “You just have to be faster than the person next to you.”
Prevention, Protection & Preparation
Cybersecurity was born to protect the digital life of companies and people. Companies must develop a plan that involves the three Ps: prevention, protection and preparation.
The best defense we have against cybersecurity threats is prevention. The first and only layer of prevention lies with the human being.
“By educating our technology users, educating anyone who interacts with an online system and helping them understand what the threats are, we can avoid the impact of the threat from happening in the first place, and that's what this prevention phase is all about,” says Angulo.
“Once someone misses that opportunity, once a person engages in something risky, you’re done with the prevention piece. Something already happened. And now you need to jump into ‘I need to protect myself, because someone made a mistake.’”
Businesses should look at the three Ps as a funnel, with prevention being the largest piece at the top, followed by protection and then preparation.
“Prevention should catch the vast majority of these attacks,” Angulo says. “Then only a few threats or issues will make it into the protection phase. And only a handful, if anything, will then go to the preparation phase.” The preparation phase details how you recover from an attack and prevent it in the future.