Q&A With Egnyte: Why Cybersecurity is a Must in the Construction Industry (and How to Start Protecting Your Data)

Raken customers have the benefit of insightful field data to reference throughout projects—as well as after projects have been completed. But keeping this data safe and secure can prove a difficult task as malware and security breaches are increasingly common. To be sure that all your files—from Raken daily reports to architectural drawings—are safe, we recommend having a cybersecurity strategy in place.

That's why we've talked with Egnyte, a software company that specializes in cybersecurity. Read our Q&A to learn how to keep your files safe—and what to do if your company does experience a data breach (which is more likely to happen than you may realize).

Navigating construction cybersecurity

Egnyte, a modern content sharing platform depended upon by over 3,000 architecture, engineering, and construction (AEC) firms worldwide, makes increasing cybersecurity easy.

Meet Kevin Soohoo

With over 15 years of experience in the Construction Technology space, Kevin Soohoo is responsible for supporting Egnyte’s newly formed Construction and Engineering vertical and its growth efforts within the AEC sector.

What are unique issues construction faces when it comes to cybersecurity?

Kevin: Having spent years on the contractor’s side as ‘the customer’, I can say that the unique issue here is that the construction industry works remotely and with distributed teams. This creates what we call a really large ‘attack surface’. This means that not only do I have to worry about my own construction firm—that’s one attack surface—but I also have multiple jobsites, which extends your attack surface to multiple locations.

If you take that one level further, there are multiple people in and out of your environment. You not only have to worry about your own employees, but also trade contractors, architects, engineers, and others you work with.

What is the most common type of malware in the construction industry?

Kevin: Phishing is a major trend, and it’s getting harder and harder to decipher whether emails are real. Generally speaking, the most common types out there today are ones that will scramble all your files and folder names while making them inaccessible. It’s very unsettling to start a coordination meeting only to find all your RFIs are suddenly encrypted.

How common are data security breaches in the AEC industry?

Kevin: We took a look at our existing AEC customers to see how ransomware was affecting them and found the following statistics:

  • AEC companies were more than twice as likely to experience ransomware attacks as those across all industries.
  • The median number of files impacted by an attack was 18,800.
  • More than 31% of the companies targeted by ransomware were successfully attacked at least once more within a 16-month period—and a small number were attacked more than twice.

What is the average cost of a security breach for construction businesses?

Kevin: The ransom itself (which I don’t recommend paying) can vary and even correlate to how big your firm is. Hackers do their homework so they get a sense of how large of a ransom they can ask for.

You will also have a loss of access to files, which can cause extremely costly delays. The cost can easily reach six figures when all is said and done—not to mention the damage to your firm's reputation.

What’s the worst that can happen if there is a security breach?

Kevin: It can be the end of the company. This is not the most common outcome, but it can be a reality. In a construction company, there aren’t a lot of financial margins. If you get hit with ransomware, and you have to pay anywhere from one to five million dollars, it can be enough to put your company out of business.

More commonly, that job is busted, meaning you just lost all your margin and your profitability is gone. Employee bonuses are also gone. Beyond the initial breach, bad actors are starting to threaten posting your payroll and HR data on the internet. In some extreme cases they will also threaten to post your customer’s data. The possibility of designs and contract info being posted can be a very serious issue, especially if you have NDAs in place.

What is a first step construction companies can take to protect their data?

Kevin: There are a few fairly easy and potentially free measures every company can take:

  1. Employee awareness and training. Every employee needs to recognize what phishing looks like and its potential impact to the company. Still, scam emails can look and sound very authentic.

  2. Phone call protocol. One of your best defenses can be employees that know to pick up the phone and verify when something looks fishy.

  3. Password security and multi-factor authentication (MFA). Enforcing more stringent password controls, like requiring 10-12 characters for passwords that expire periodically, can also improve security. MFA is available with most software, but is often overlooked.

All of these steps are easy to implement, but executives and those in management need to take the lead in ensuring they are in use—especially considering what’s at stake.

Should I pay the ransom if breached?

Kevin: No. It’s easy to understand the psychology of why someone would pay—you will have instant access to your files and you will be able to continue your project. But, if you do pay, you are now opening the door for future attacks. By paying, you will be added to a “leak list” on the dark web so that other bad actors know that you are likely to pay.

In fact, 80% of companies that pay the ransom experience a second breach.

Should my construction firm be concerned with CMMC and FedRAMP certification?

Kevin: Cybersecurity Maturity Model Certification (CMMC) is a security certification that allows you to engage in projects for the Department of Defense. The Federal Risk and Authorization Management Program (FedRAMP) is another level of security certification that requires cloud solution providers (like Egnyte) to certify that their environment meets additional security standards.

Outside of government work, we’re increasingly seeing firms denied insurance due to lack of proper security practices or solutions in use. So whether the CMMC standard or another security certification becomes the norm, it’s a good idea to start improving your security practices now.

How does Egnyte protect field data collected with Raken?

Kevin: All project data is important. However, finding the right data can be hard when documentation is spread across multiple solutions that don’t integrate with one another. This is why Egnyte provides integrations with several best-in-class solutions (Raken being one of those integrations).

Egnyte also has several content management features that allow for folder-level access controls and automated retention policies. A retention policy means that critical documents (like Raken daily reports) are secured and retained for as long as the customer needs. This way, past data like meeting minutes and daily reports are secure and easy to access in case your records are called into question.

Protect your field data with Egnyte

Ready to learn how you can protect your data with Egnyte? Learn more about Raken’s integration with Egnyte.