Prevention: Your First Tool in Cybersecurity

The best way to address cyber threats for construction companies and professional contractors is to prevent them from happening in the first place. Part 2 of a four-part series on cybersecurity.

Craig Yeack Headshot

To protect against cyber-related attacks and threats, companies must implement the three Ps: prevention, protection, and preparation. This article will look at prevention, and the strategies companies can put in place to successfully address this phase. This is Part Two in a series on cyber-related attacks and threats and how the construction industry can address those in the best way possible.

Prevention

The prevention phase is exactly what it sounds like: keeping cyber-related attacks and threats from getting anywhere near a business’ network or digital landscape. “The best way to deal with a threat is to avoid it in the first place,” says CalPortland CIO, Luis Angulo.

Prevention should be a two-pronged approach: user awareness and technical tools.

“You have to rely heavily on education. It’s the highest return on investment you’ll ever get as an organization.”
Keith Onchuck, CIO of Ozinga Bros Inc.

The best mechanism a company can use to avoid a cybersecurity threat or attack is education. It’s important to raise awareness within your organization. Employees must understand the motivations and mechanics behind an attack so they are well equipped to identify a threat early on and decide whether or not to engage with it.

Many companies ask, “How can I educate my employees, my business partners, and basically my business ecosystem to make sure that we're all pulling together to address this?” says Angulo.

If a company is being bombarded with cyber-related threats left and right, whether by phishing attempts on email inboxes, through a website, internet browsing, text messages or robocalls, then it must acknowledge that the best way to decipher these threats is by knowing what to look for, by educating employees and teaching them the right skills.

It’s the equivalent of teaching your children about “stranger danger,” says Ozinga Bros Inc. CIO, Keith Onchuck. You have a lock on your home, maybe even a deadlock, and sometimes there is also a secondary door with yet another lock. Children are taught to be cautious and not open the door to strangers. "You might see somebody who comes to your door who looks very suspicious, so you don't open the door or acknowledge that they're there,” says Onchuck. “It’s the same with prevention.”

Cybersecurity threats still might reach your employees, however. “That’s why you have to rely heavily on education,” he says. “It’s the highest return on investment you’ll ever get as an organization.”

Bottom line: If you do one thing, train your people in cybersecurity.

Coding a Training Program

Angulo recommends establishing a formal education program for your company. The program should allow you to tailor the content and assets to your business. He suggests relying on expert guidance to draft a formal plan for dealing with cyber threats and attacks. To do this, companies need to analyze their threat landscape, specific to the industry and company. “You need to understand your organization’s strengths and weaknesses, so you know where to focus your efforts,” says Angulo.

“The prevention phase of cybersecurity is basically adjusting your lifestyle to stay healthy versus getting medication.”
Luis Angulo, CIO of CalPortland

“When you understand your threat landscape you can develop the right curriculum of training,” he says. “Next you need a way to deliver that training in an effective way to your workforce. And you need a way to measure and create accountability for how that training is being consumed.”

Finally, the most important piece of the puzzle is assessing how well your employees understand the training and can apply it to a real-world scenario. There are software programs available to test your system, and consultants for hire who will try to infiltrate your system. “We need to test ourselves constantly,” says Angulo. “If there is a threat and they get in, we need to learn from it and create a plan. We have to make this a cyclical process. The technical landscape is always changing, which is why constant education is the best return on investment.”

The education process deals with the recipient, the person who’s receiving the threat, and gives them the tools necessary to identify suspicious items as threats and ignore them or address them as needed.

Building Blocks

The second aspect of prevention is utilizing technical tools to stop threats from making their way to the person on the other side of the computer screen. There are many tools Chief Information Officers can deploy to keep unauthorized users out of their company’s systems. It’s important to keep current with multifactor authentication, filters and firewalls on your website, email, and network.

One way to prevent cyber-related threats and attacks is to set up email filters to sort out suspicious emails. These tools can scan each email and let you know if it comes from a newly created domain or if the sender’s address doesn’t match the email address you currently have for that person. “With these kinds of alerts, you’ll know it’s garbage and that it's a spoofing email,” says Onchuck.

He explains that certain anti-malware software and other tools can filter out bad messages before they ever reach the user’s inbox.
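The two filter checks described above (a sender address that does not match the one on file, and a newly created sending domain), sketched as an added example that is not from the article or from any vendor's product. The address book, the domain registration dates, the 30-day threshold and the sample messages are all constructed assumptions; a real filter would pull registration dates from WHOIS/RDAP or a reputation feed.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address on file (assumption).
KNOWN_CONTACTS = {
    "pat rivera": "pat.rivera@readymix.example",
    "dana foreman": "dana@buildco.example",
}

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
DOMAIN_CREATED = {
    "readymix.example": date(2009, 3, 14),
    "buildco.example": date(2015, 7, 1),
    "readymix-billing.example": date(2024, 5, 28),
}

NEW_DOMAIN_DAYS = 30  # assumed threshold for "newly created"

def check_sender(raw_message, today):
    """Return a list of alert labels for the From header of one message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    alerts = []

    # Check 1: the name is a known contact but the address is not the one on file.
    on_file = KNOWN_CONTACTS.get(display.strip().lower())
    if on_file and on_file != addr:
        alerts.append("sender-mismatch")

    # Check 2: the sending domain was registered very recently (or age is unknown).
    created = DOMAIN_CREATED.get(domain)
    if created is None:
        alerts.append("domain-age-unknown")
    elif (today - created).days < NEW_DOMAIN_DAYS:
        alerts.append("new-domain")
    return alerts

# Constructed sample messages.
SPOOFED = ("From: Pat Rivera <pat.rivera@readymix-billing.example>\n"
           "Subject: Updated wire instructions\n\nPlease pay today.\n")
GENUINE = ("From: Pat Rivera <pat.rivera@readymix.example>\n"
           "Subject: Pour schedule\n\nSee attached.\n")

if __name__ == "__main__":
    today = date(2024, 6, 10)
    print(check_sender(SPOOFED, today))
    print(check_sender(GENUINE, today))
```
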

It’s important to have a unique, complicated password. “In the old days, an 8-character password could take weeks or months to crack,” Onchuck says. “Now, those can be cracked in minutes.” From a prevention standpoint, companies need to make sure employees are creating passwords that can’t be easily guessed. Organizations can lock out users after entering the wrong password several times. “That way if somebody's just trying to force attack or beat their way in, they aren’t able to,” says Onchuck.

Companies can also require a second-challenge login, also known as multifactor authentication. This could be a text message sent to a phone number with a code that verifies the user’s identity. If you only operate within the U.S., you can prevent someone from logging in from another country by blocking them completely via geolocation and geoblocking technologies. 

Angulo reiterates the importance of education combined with technical tools. “If any of the tools put in place fail, you then must rely on your employees. If the user is doing their due diligence and staying on top of what looks suspicious and doesn't engage, then nothing happens,” he says.  

The National Ready Mixed Concrete Association’s IT Task Group, led by Angulo and Onchuck, gathers resources and best practices for widespread industry use. The idea is not to keep these resources and tips a secret but to make them accessible to everyone in the industry.

“The biggest thing is, you have to start somewhere or you're never going to get anywhere,” says Onchuck.

Depending on their size, it might be wise for some companies to hire an IT professional to train employees in cybersecurity. They can do lunch-and-learns and other presentations to keep the awareness level up. For smaller companies, the best route might be to hire a consultant to conduct an awareness program. Companies can simulate email phishing attacks to determine the risk level and where they need to focus their education efforts.

Regardless of where you start, Onchuck emphasizes the importance of assessing your organization’s cybersecurity health, similar to getting a checkup at the doctor’s office. A regular assessment can address your current state and help you formulate a plan to help you reach your goals.

“The prevention phase of cybersecurity is basically adjusting your lifestyle to stay healthy versus getting medication,” Angulo adds. “We want to avoid the disease or illness to begin with by being proactive and adjusting how we behave online.”

Stay tuned for the next article in this series, which will discuss the second P: protection.
