Recent Articles

PreConstruction Prequalifications for Cyber Security

WATCH PreConstruction Prequalifications for Cyber Security

VIDEO TRANSCRIPT: 

Let’s talk about Preconstruction Prequalification for Cyber Security. 

Yeah, you guys probably don’t know what I’m talking about. It’s a new topic, we’ve seen it once or twice with our construction companies. But we know it’s a good idea, we know that eventually, if you’re a sub, you’re going to have to do it. 

And as a general contractor, it’s something you should  start doing today. And something you should develop and mature. Why do I think this is so important? 

Because recently, I’ve talked to a lot of security professionals, including a few former CIA analysts, and now they are saying “when you are attacked,” not “if,” so they are changing it. They  used to say “if” I get attacked, now they are starting to say  “when” I get attacked.

We at Attain Technology have taken extreme measures to make sure that we keep our clients safe. And we’re also making extreme recommendations to our clients. And this is taking it to the next level for construction companies because we want to get the word out there – we want to make sure that  general contractors are protected. And we want to make sure our subs are prepared for the next level of IT security. 

When a construction company gets hacked, or any company for that matter, gets hacked: everything grinds to a halt. And we’ve seen this many, many times. 

We work with other IT professionals and they have had this happen, we’ve heard the stories. You come in one day, and none of the computer equipment is  useful. And the first thing your IT company or IT guy tells you to do is turn everything off, nothing should be left on. 

So what we do is we turn everything off, so we can start the process of vetting each piece of equipment. And come up with a recovery plan. If your company has no access to email, computers and all of that data, of course, your jobs are going to be affected and every device in that company, from the iPads of the guys out in the field, to the office staff,  to the all email accounts, to every computer,  every laptop , it all needs to get vetted.

We have to track down what is compromised and figure out where the compromise came from. And then where it traveled to. And if we don’t do that, and we recover everything, the hackers are just gonna re-encrypt everything and make the problem worse. 

The Process To Come Back From A Cyber Attack

So you come in on Monday morning, no computers, everything’s off. First thing we’re going to tell you to do is call your attorney and then call your insurance company – hopefully you have cybersecurity insurance – but they’re gonna give us guidelines to follow so you stay within policy. 

So we want to make sure that this event is covered by your insurance. So that takes time and it happens after business hours. We’re going to get the president of the company and the agent and hopefully get somebody on the phone to start that process, then we get the guidelines from them. And then we have to make a decision.  Are we going to call law enforcement?  Are we going to report the event if we decide to go down the law enforcement route? 

Law enforcement is going to ask us to back up each piece of equipment so they have an image of it exactly the way it was before we touched them. And then we’re going to have to start the process of turning on the servers first and vetting those servers, checking they are not compromised. 

Backup and Recovery Process After A Cyber Attack

So, let’s look at the backups. One of the things that hackers are doing is they’re sitting in the background for six months and then compromising the servers. The reason they’re doing this is because most companies only keep a few weeks of backups, so they’re trying to be in the shadows long enough so that if you recover they can just re-encrypt you. 

Also they’re trying to destroy your backup – we’ll talk about that a little bit later. So you come in Monday morning basically your communication to the jobsite has failed your focus is on the cybersecurity attack and your focus is off your jobs. The focus is off your business and on the cybersecurity attack. Clearing up the mess from a typical attack takes anywhere from four to five days, and can take all the way up to a month and a half to recover. It depends on the size of the organization, it depends on the complexity of the business, you know we can get small organizations back up and running faster.

But it’s all labor.  So we need to bring in some additional labor to make sure we vet those images and make sure we do our due diligence – and we have some great partners in the industry. 

We get our partners to help us out with this,  one of them is a former CIA analyst and they have a different way of looking at things so they help us speed up that process and the recovery. 

So let’s say you’re a general contractor and this is your sub right? Let’s say a plumbing sub. Instantly, all plumbing work stops. Well, that is eventually going to stop your drywallers and your carpenters because you know the plumbers need to do some stuff before the carpenters and then before the drywall, so it’s going to have a cascading effect on your job. 

If it’s a carpentry company sub that was hacked,  well that’s the beginning of the process. Electrical is the same thing. You know, some electrical might need to be run before the carpentry is finished. 

Certainly before drywall goes on as, you know, it might affect wall panels. Ask them if they have ordered wall panels from a wall panel plant. Did they ensure their suppliers have a security plan? Ask them, “Do you require a prequalification from them?”

What is their recovery plan? So if they can’t get walls or floors, or roof trusses to your job, is that gonna affect you? So we need to think about all of this. We have to think about the whole supply chain, not just the subcontractors.

Let’s talk about steel manufacturers as well. Because if they’re compromised and they can’t produce, then your job falls behind. Right? And we all know that time is money. 

So let’s say they’re in a recovery process, and they’re slowly ramping up to be able to get back on the job. And you realize that sub is going to be two weeks behind. What does that do to the rest of your schedule? What does that do to your job? Do you have to work to supplement that vendor while they’re compromised? We know that happens. 

So my recommendation to all subcontractors and all general contractors is to start thinking about an IT Cyber Security Prequalification process because it’s critical to keep your jobs running. 

This adds another layer of protection and assurance that your job will be completed on time and budget.  

Hackers look for the low hanging fruit. Who is it easy to encrypt? Who is it easy to target? Who is it easy to compromise? 

They’ll hit those guys first, our job is to move you to the top of the apple tree. And if we do that, the likelihood of you getting compromised starts decreasing.  So, instead of a 50% chance of being compromised, now you have a 10% chance of being compromised. 

That’s why, we’re recommending adding a Cyber Security Plan section into your Prequal requests. Ask them, what is the plan? What do you and your suppliers do for Cyber Security? 

Why A Cyber Security Culture?

Why a cyber security plan? Because you are vulnerable.

In your business, You should create a Cyber Security culture, I think that’s critical. Getting everybody leary about clicking on things, and social phishing and stuff like that. Did you know that 80% of compromises start with an end user?  In other words, your employees.

And you know, to tell you the truth, that’s a wide gap, 80%, right? Your employees are the easiest targets. 

So have a disaster recovery plan. Let’s make sure we test that disaster recovery plan to make sure everybody in your company has cybersecurity training at least annually, and at least quarterly have live updates from an IT professional to talk about what they’re seeing, and have conversations with the users – create or gamify the process of cybersecurity. 

And then let’s test them with phishing testing. And then retrain those users. Let’s reward them when they don’t click on a phishing scam. And let’s retrain the ones who have.

Let’s not make it just punitive. Because we need to create that culture. We need to get them on board with cyber security because they’re your first line of defense for bulletproof backup and disaster recovery. 

Let’s vet your backup and disaster recovery, let’s make sure that the hackers really can’t get to that backup and can’t prevent your disaster recovery. 

And let’s check that you have backups for at least a year to make sure that we can recover in any event. 

And let’s  introduce multi factor authentication on all systems, including email and make sure that we have a next gen artificial intelligence malware and AV protection, along with foothold detection and response.

 DNS protection. Everything on the internet has an IP address and you type in www google.com. Right? Well, that www Google turns into an IP address. And there’s servers that do that. So what we do is we use servers that know about the threats globally. And then if you go to a compromised site, or a site that wants to download a payload to your computer, our tool blocks you. 

Commit to a Cyber Security Framework

Commitment to mature cybersecurity framework. To  start the process, become level one certified in the CMMC. or start down the NIST framework. It seems daunting, and I’m not saying do it all – and it is not required – but I’m saying start the process. 

Have a plan to move forward through the process. Make sure we have foothold detection and response on our systems looking for the tools and the tactics the criminals use to get on our systems and compromise them. 

These are the things that we need to do and check to make sure that you’re not the  low hanging fruit. You don’t want to be that piece of fruit that the four year old can grab off the apple tree right? 

You want to be the fruit at the top of the tree. 

Let us guide you to become more resilient to cyber attack. 

If you have any questions, my email and contact information is below. I’d be happy to spend half hour to 45 minutes with you, talking about cybersecurity in general, or talking about adding a proof qualification to your company. Let’s start the conversation. 

Schedule 45 minutes to talk about Cyber Security here: https://attaintechnology.com/construction-technology-audit/

If you would like to learn even more about construction technology, read our Definitive Guide to Construction Technology

Bob Paradise – Attain Technology
Phone: 401-409-5288
Email: bparadise@attaintechnology.com
www.attaintechnology.com