As construction contractors ease into the ‘information age’ and continue to embrace emerging technologies in construction delivery, the associated information security risk to the Company, its employees, and its customers increases exponentially. As boards, executives, and steering committees assess the vast benefits of adopting new systems and technologies, it is critical that the process also includes a focus on the potential exposure that may come from such advancement.
Another key concern regarding cybersecurity threats in the construction area relates to the technology that is being integrated into ongoing projects. Often, construction executives focus cyber-concerns on their own internal networks and systems and may lose sight of the exposure they may face should an installed system in a customer’s project be attacked. As noted in a recent article in Construction Executive magazine, contractors should “expect to see an increase in attacks against building automation. These attacks are of particular concern to construction companies, as commercial builders are faced with the very real proposition that cyber criminals will attempt to infiltrate command and control systems, which could lead to the compromise of security, HVAC, electrical, elevator, and potentially other major building components.”
As executives consider the new world of data and cyber security risk, it’s important to understand that, while the terms information security and cybersecurity are often used interchangeably, there are distinct differences between the two. Information security focuses on the protection of IT systems and data against unauthorized access, use, and changes from within the entity. Cybersecurity consists of the processes and controls implemented by an entity to manage threats and vulnerabilities related to the connection to and use of cyberspace. Cybersecurity has become a top concern for boards of directors and senior executives regardless of entity size or industry. By using the term cybersecurity instead of information security, board members and senior management acknowledge the risks of doing business in cyberspace and can ensure that their organization addresses the unique concerns in this area, while not losing focus on information security processes and procedures already in place. Both are necessary but should be viewed separately in determining a risk management approach.
Additionally, board members and senior management recognize that the cyberspace environment is becoming increasingly hostile. Entities must continually develop more effective and more targeted processes and controls to respond to those risks. Board members and senior management should be thinking well beyond traditional IT areas of networks, applications, and data stores.
Cybersecurity applies to all industries, including construction. The use of cyberspace in construction is evolving at a rapid pace for entities of all sizes. A quick Google search will provide endless examples of how construction contractors are using cyberspace to become more efficient, address talent shortages, manage jobsite risk, and provide more data to management.
- Cloud-based software. Most software is moving from on-premises to the cloud. Employees have the ability to access critical software from phones, tablets, and computers almost anywhere in the world.
- Connected jobsites. Everyone on the jobsite, in the trailer, and in the corporate office has access to up-to-the-minute drawings, documents, timekeeping, and job costs.
- Remote equipment monitoring. Wireless monitoring systems provide equipment locations, fuel usage, and other equipment operating information useful to project managers and senior leadership.
- Drone technology. Drones can be used to monitor job progress, inspect structures, and monitor jobsite safety, reporting real-time data to project managers and senior leadership.
All of these examples use cyberspace to report information back to decision makers within the organization and further emphasize the need for entities to address cybersecurity. A breach in any of the areas listed above can bring a project to a halt, possibly stop operations entirely, and will most certainly cause reputational damage.
Cybersecurity risks are one type of risk that threatens the achievement of an entity’s overall business objectives. Listed below are next steps for those organizations that have not yet adopted a cybersecurity policy or are in the process of enhancing a policy already in place.
- Prioritize cybersecurity procedures and controls.
- Consider a cyber liability insurance policy.
- Identify the company’s most valuable information and understand potential cybersecurity risks and vulnerabilities with that information.
- Establish cybersecurity objectives with sufficient clarity to enable users to understand how processes and controls within the entity’s cybersecurity risk management program were designed, implemented, and operated effectively to provide reasonable assurance of achieving those objectives.
- Engage a third party for a cybersecurity risk management examination.
Remember, it’s a matter of when, not if, your systems will be attacked. Taking steps now to mitigate exposure and plan for recovery will only serve to help minimize the potential exposure and damage.
If you’d like to discuss your organization’s Cybersecurity Risk Management plan or explore the benefits of a cybersecurity examination, please reach out to the professionals at McKonly & Asbury. Our practice leaders, Michael Hoffner, David Hammarberg, or Samuel BowerCraft, would be pleased to assist you.
Source Data: AICPA Audit and Accounting Guide for Reporting on an Entity’s Cybersecurity Risk Management Program and Controls (Updated May 1, 2017)