Episode 27 | Building a Secure Future: Cyber Defense in Construction
Cybersecurity isn't just a tech issue—it's a construction imperative. Join Frantz Ward Partner Brad Reed and Associate Brad Ouambo as they uncover the vulnerabilities within the industry and share actionable advice on defending against cyber attacks. Equip yourself with the knowledge to safeguard your projects and data.
Podcast First Aired: November 11, 2024
Transcript
Brad Reed:
Hello, and welcome to another installment of Shoveling Smoke, a podcast from Frantz Ward discussing various legal issues and risks that are facing our clients.
I'm your host today, Brad Reed, a partner here at Frantz Ward, specializing in data privacy, cybersecurity and compliance, and regulatory issues across multiple industries and sectors, including healthcare, payments, and general small and mid-sized business counseling. I'm joined today by my colleague Brad Ouambo, an associate in Frantz Ward's construction practice.
Brad recently presented at the Construction Group's Advice from the Trenches Seminar on cybersecurity risks facing the construction industry. Following up on that presentation, he and I will be discussing in a little more detail those issues facing the construction industry with regard to data privacy and cybersecurity.
Generally, we'll cover the most significant cybersecurity risks our construction clients are seeing, and dive in a little deeper into some emerging issues around business email compromise, biometric data, and AI concerns. So, with that, I'll turn it over to Brad to introduce himself and we'll get started.
Brad Ouambo:
Hey, thanks for introducing me, Brad, and not making it confusing, so I'll call you Brad Reed, you call me Brad Ouambo, if you would like.
This is an important topic, and I think a lot of people, particularly in the construction industry just need to become more aware of the risks that it poses for not having proper cybersecurity in place, so that way we can do a better job of preventing the bad things that could happen if we don't address those risks. So, I'm happy to have an awesome conversation with you.
Brad Reed:
Yeah, absolutely. For better or worse, today we're going to be discussing a lot of the bad things that are out there lurking for you and traps for the unaware, so hopefully you can start assessing those and spotting them in your own practices and in your own companies.
But as an initial matter, I kind of wanted to go through, what is cybersecurity? How do we define that, and how do we distinguish it from some other terms that are often used kind of in the same context?
And a lot of times in the same discussion you might hear terms such as data privacy, data protection, or data governance. So, when I think of cybersecurity, I think of the ways in which you are protecting your data, your information, and your company from threats and compromise in an online and digital environment.
So, cybersecurity involves multiple aspects of data protection and governance, information technology management, as well as employee management and oversight, and thinking about how the steps and measures and tools that you're using to protect and secure your data to ensure that only those individuals who are authorized to have access are able to see, view and share it, and that it's being disclosed properly.
Cybersecurity also involves incident response and management. What are you doing now to prepare for and respond to a security incident, an attack, something that compromises your data and systems, and what do you do after such an event occurs with respect to understanding what your notification obligations may be.
And whether those are to your customers, your other business partners, or to legal authorities, as well as loss mitigation. What steps can you take in the immediate aftermath of an event to ensure that funds can be recovered quickly, or other data that has been lost can be recovered, restored, backed up?
So, that's kind of the idea of cybersecurity about the ways, manners in which you protect, secure, and manage confidential, proprietary and protected information.
Data privacy protection is really about the rules and regimes in place around the types of data that you might be collecting, the types of information, and often, this is focused on personal information, identifying individuals, whether it's their name, their address, their social security number, their financial information.
And I think a lot of times for the construction industry, probably a lot of the folks don't have as much of that individual personally identifying information, and so may not think of data privacy regulations and protections as directly applying to them.
But that said, more and more clients, more and more industries, all of us are collecting data in new and different and unique ways. And there is a lot of personal information out there for construction clients, whether it's employee information, whether it's biometric information, whether it's simply just business confidential and proprietary information – your drawings, your plans, your bids, bid data.
These are all things that while there may not be specific legal regimes, rules, regulations, governing them, it's still worthwhile for companies to think about the business risk and harm that can come from having that data be unsecured or improperly accessed.
Brad Ouambo:
Absolutely. You gave a great summary. I know, and in construction you're often dealing with, in some cases, very confidential types of projects. Like if you're working for a government building, what are you keeping secure? A hospital, what are you keeping secure?
And as you mentioned, employee information, client information, the way you do your practice, your techniques, things like that that you would rather not let the rest of the world see. For me, when I was looking over this topic, one thing that I try to do that helps me is to try to take something that's abstract and make it real.
So, when you have something like cybersecurity, I think, well, it's really not that much different from securing any of your effects. So, if you're at home locking your door, a safe, that's the most secure way, but you take that letter out of the safe, you've got to take it outside, what are you doing to keep it safe?
So, same thing with data. Once you put it on the internet or put it on the web and you send it off, what are you doing to keep it safe? Where's your lock, what's your security system to help your message get from point A to point B and keep everything protected? So, I do think in a world where we are more and more digital, more and more online, having these two concepts in mind is important for us moving forward.
Brad Reed:
Yeah, absolutely. The data that you protect in paper format needs to be protected in the exact same way in the digital form. And with that, what specifically are the threats and attacks that you're seeing a lot of in the construction sector, that construction clients are facing?
Brad Ouambo:
So, common threats you'll see in the construction field, and I'm sure in many others, fall into three broad categories. You're talking ransomware, you talk about fraudulent wire transfers, and then general data theft – a lot of times you might see that in those phishing emails.
I'm sure a lot of you get those where someone sends an email, they pretend to be, let's say your boss, and they say, “Hey, I need you to do something urgently for me,” that's usually a big giveaway. And I need you to give me X amount of money right now or you might see iTunes gift cards or whatever it is.
And there are just a lot of tells, but oftentimes, people might, before they even bother to look, jump and say, “Oh, my God, my boss is talking to me. I need to make sure I do whatever they ask me to.” But in the end, it's just a scam.
And while I think a lot of people are getting more wise to it, one of the best ways to keep us wise to it is to keep bringing it up. In my presentation, I actually will point out a lot of people who you would think would be best equipped at not falling for this (so, you think the younger people) are the ones most likely to fall for these scams.
So, that's why it's important every time you're getting a new workforce, you're training them as to what to expect to see, so that way they don't fall into any trouble.
Brad Reed:
Right. With business email compromise, which is in my mind something that construction clients probably face at a greater risk than your average business or folks in other industries, in many ways, it is a low level and unsophisticated method by which people are gaining access to your systems.
They are not looking to break down the barrier of your firewall. They're not looking to actively get around encryption and penetrate those defenses in a method of brute force. They're relying on human error on the fact that we are responding to an incredible amount of email traffic, and that all it takes is one person to click the link that has the phishing link that installs malware.
All it takes is one person to open up the PDF that has a bogus credentials box, and they put in their username and password information, and now, all of a sudden, the bad actor, the attacker has access to their email, has access to their Microsoft Office account.
And so, the goal, the challenge is that this is a constantly evolving set of issues. It's something you have to basically always be on the lookout for. And particularly with the construction industry, I think it's a ripe target in the sense that it's managing a lot of payments across multiple vendors, suppliers, subcontractors who may be different on every project you're working on. And so, you may not have those obvious touch points that let you know that this is a trusted person sending you this email.
Brad, as part of your presentation, did you see any specific routes or risk areas that construction clients are facing with respect to folks looking to compromise or misdirect payments, to dupe either the customer or their clients into sending payment to the wrong place? And what are the ways that you could prevent against that?
Brad Ouambo:
Well, that's one of the myriad of risks that you face. We talked about those business emails, for instance, and I do want to just say one way to avoid falling into that trap is, when you get an email, ask yourself, “Is this suspicious?”
Because sometimes, as you said, Brad, they're not doing brute force. It's almost a low level of effort of trickery. So, they come in with the emails as your boss, but if you actually read the email, the email is not your boss's email. It is some slight change or sometimes even a lazy change. Most people just see the name when they move forward.
So, if it looks like suspicious content, check the email. If it still seems legit, maybe you should talk to … pick up the phone and call the person that sent it to you just to be sure.
But at the other end, sometimes, they might impersonate you, and then send something out to your clients, to your subcontractors with a link. In that case, it doesn't matter how smart or how aware you are, you have to make sure that your subcontractors, your suppliers are privy to that too because that's just how you can create a cascading problem.
So, it's helpful when you start a project and you're coordinating with many different groups to have a discussion about cybersecurity measures that you're going to be taking, things you're going to do to protect the data that you're going to be collecting, and a lot of times that seems to be an overlooked process, but it's essential.
Brad Reed:
Right. Knowing at the start of a project, who are the individuals who are authorized to request payment, to send payment – knowing at the start what the appropriate payment instructions are.
And so, if you see somebody halfway through a project and you get an email from a name you've never worked with before, or you get an email saying, “Hey, our payment terms have changed,” that should be a red flag to anyone in your organization to say, “This isn't how we've been normally doing business.”
And the next step should probably be, in many cases, to pick up the phone and get that person on the line and find out what … or at the next in-person meeting or touchpoint or whatever it is that you might have, to be able to confirm that, and not simply be relying on an email back to that person saying, “Hey, I just want to double check,” because if it really is an attack, it's likely that those bad actors are just lurking on that email and are going to respond as if they are that person.
Brad Ouambo:
Yeah, absolutely. I remember my first year as an attorney … it's not quite construction, but as an attorney, I remember getting those spam emails, brand new and I'm young, and I respond asking a question, and those guys are right there with an answer. I eventually figured it out thankfully, but not everyone will because they do a good job trying to appear real.
But to broaden it back out, when you're talking about how you can mitigate attacks, also consider who has access to the information. You were touching on that a bit earlier – so, who is the person in charge of payment?
And when you have a big project, a lot of people, you probably want to create some limits as to who has access to certain data, and maybe you curtain those things off so that way only a few people are in charge of making any mistake that might cause a bigger problem.
Because the more people you have running through things, the more room for error you're allowing. So, with sensitive information, it makes sense to have some privileged access management systems in place.
Brad Reed:
A lot of this is, again, not based upon a brute force attack, but it is going to be human error, and any way that you can limit those touch points, the number of people who can make that error, the better.
Moving along then, we've been talking about phishing attacks, business email compromise, but I know you had also mentioned ransomware and data theft in general. Are you seeing a lot of that still current with construction clients, and is there anything that we haven't already touched on that is helpful to mitigate those risks?
Brad Ouambo:
Well, when it comes to something like ransomware, and just to give a brief explanation, that's effectively when a bad actor or hacker, whatever you want to call them, gets into your secure network, whatever system that you're using, and then they block your ability to access your own material, your own data, and they try to sell it back to you at a price.
So, I can't give you specific numbers on this, on how often it happens. However, the seriousness of it is that once this event happens, once they've blocked you out, there really isn't a way to get back in. So, you want to be protective on the front end, preventing it before it happens rather than after the fact.
So, what does your IT department look like? What are the password securities that you have to access certain information? For some places, they're requiring you to use dual authentication just to make sure that it's actually you accessing it.
Sometimes these things can be a pain, but if you make it harder to get in the front end, you're prevented in the back end. With data theft, that's where you're talking about them just coming in mining for that personal information, mining for that confidential client information, and then turning around to sell it to the highest bidder.
So, that one, again, once it's done, there's not much you can do about it. So, it is really about creating protections on the front end. And so, we talk about privileged access management, which is just reviewing who has the rights to information. Just making sure you have an actual, intentional data governance policy at your firm or whoever you work for, backing your information up.
Now, this is probably the best thing that you can do if someone comes in and walls you off from your data. If you only back it up once every six months and someone comes in, you've lost what, how many months of data that you have.
So, thinking about how frequently for your needs, you need to back up your data just in case this event happens. Because if they wall you off and they charge you money, but you backed it up last week, you can probably say, “I'm good. And you don't have to worry about it.”
Because here's the thing, with ransomware, even if you were to pay them, there is no guarantee they'll actually follow through on their promise. And of course, I keep going back to this education, educating your team. Again, a preventative is the best way to do it, rather than post the event.
Brad Reed:
Absolutely. And a lot of that ties also to the fact that your mitigation options, once some of this happens, once a ransomware attack happens or you've had data extraction, are limited; cyber liability insurance thresholds are often not high enough to cover the loss.
You may have coverage that's in the million or 5 million range, or whatever it might be, and the ransomware demand may exceed that, or the costs of recreating that data or the damages that might result is not being able to … if you can't access your systems for a day or a week or a month, performance is delayed. I mean, you may have delay penalties that greatly exceed your coverage.
And then additionally, another area is that, likely, when these events happen, not only will you have the issue of how do I mitigate, how do I cover losses – we're seeing more and more in the contracting stage that if you have a ransomware attack or you have a data theft event, you're going to be obligated to notify the prime or the project manager or the project owner.
They may be requiring you to inform them of these events because they have underlying reporting obligations, particularly if you're dealing with contracts that involve federal dollars, state dollars, government contracts, or projects related to critical infrastructure, hospitals, energy, pipelines, those types of industries have mandatory reporting obligations.
And if you end up having data about the pipeline that you're building be lost, or the hospital system that you're building is compromised, you're going to have to report that up and out. There's really no way to close the barn door on that.
Brad Ouambo:
Exactly. I think earlier you mentioned some of the changes in the advancements that we're seeing in the data that we're using and the technology that we're using, and how that could pose additional risks of things that could be captured. You don't mind educating some of us on that?
Brad Reed:
Absolutely. So, there's two things that I think are coming down the pipe and maybe in many ways, have already arrived and impact construction clients specifically. One is biometric data, the collection of facial images, fingerprints, iris scans of individuals, and particularly of employees. One common way that this information may be collected and used is in timekeeping systems.
So, a very easy, effective way to know when somebody clocks into the job site and clocks out is to use a fingerprint scan or an iris scan for those timekeeping purposes. And there is more and more legislation coming out regarding the use of and collection of biometric information, particularly in Illinois and Texas and in California.
And there are specific notice and consent requirements that if you're using those technologies in those states, you need to have. And one of the challenges I think for a lot of construction clients is you may be based in Ohio, but you may be bidding on a job in one of those locations or staffing or sending in folks to work across state lines.
And so, the rules that you're used to dealing with in Ohio may all of a sudden change when you bid on that job in Illinois. And so, knowing that on the biometric side, appropriate consent and notice and compliance and record keeping requirements vary greatly from state to state.
And we are seeing more states pass legislation regarding the use and collection – I think it is going to impose probably some data protection and governance requirements for the construction industry that maybe they haven't had to deal with before.
Brad Ouambo:
That's valid. I also note that in a lot of the information that construction clients deal with, not all of it is stored within the company, there's a lot of third-party vendors that are involved as well. And so, it's important to read what they are doing for data security, and hopefully, those companies might be better at keeping track of all the different state rules since they don't tend to just operate in one location.
But it is important to understand who you're using to store any electronic information. That biometric information, which I understand would be far more sensitive than other data, and what policies these third parties should have, I think that's key.
Brad Reed:
Absolutely. A lot of the vendors you use will provide those policies and those consents, but at the end of the day, if it's your employee and it's your employee's information, they're collecting it on your behalf and as a result, that's going to be information of your company.
And it may be as simple as just making sure that the policies and procedures that your vendors have in place are being provided to your employees. It may be that they have all the appropriate compliance things put in place, but you've got to take those steps to make sure that they get them, that your employees get them, that they have adequate notice.
And so, working with your vendors to understand what protections they have in place and working with them to find out how they're meeting those obligations is a great way to assess, “Is this a person I want to get into business with to provide me this service?”
I think similarly, the other area that is going to create a lot of new data, different data, and implicate all the things we've been talking about with respect to biometric information collection, with respect to how are you securing data, and how are you ensuring that the vendors you're working with are securing and collecting data appropriately revolves around AI, and the use of AI and the adoption of AI technologies in the workplace.
And there's going to be a lot of benefits to folks in the construction industry from the use of AI monitoring technologies to improve worker performance, metrics, how things are being done in a timely and appropriate manner.
But let's say you have a measuring tool and a piece of equipment that's kind of monitoring its use, how it's being used, when it's being used, whether it's being used in a manner that is safe, unsafe within its normal operating requirements.
One way that this is being matched with AI is to track all that information and then also use a driver- or operator-facing camera to then identify exactly who is in that machine or that vehicle at a given time.
And that interaction of that AI identification using biometric markers, plus then having all of that data specifically tied to how an individual may or may not be operating or may or may not be following company policies or procedures, is going to, I think, greatly increase the amount of personal information that construction clients are collecting about their employees.
And how are you going to store it? How are you going to protect it? How are you going to stay on top of the regulations that might be coming down the pipe on the use of AI, particularly with employee monitoring?
Brad Ouambo:
And AI is also used not just for employee monitoring, but for helping manage the construction project. For instance, you might see these robots going around and checking the levels of a surface. They might help you keep track of the progress you are making, and that's additional information that's being collected, that's being stored, and that's being stored digitally. So, that information just needs to be protected.
And AI is not really the future anymore, it's now, and it's just getting increasingly, increasingly intelligent at a higher rate. So, as we make use of those tools and as you said, these can be very helpful tools in managing these logistical behemoths that a construction project is; what are we doing to make sure that that data is safe, that our client's data is safe, that your employee's data is safe, and the individuals that you interact with, that all that is safe?
And I think what you and I have been saying, and what I want to urge people listening to this to keep in mind, is the front end: protect the information on the front end, and you will save yourself a lot of headache down the road.
Brad Reed:
Everyone is in the business of data management, data security, and information management in the world we live in. It is no longer something that you can look at and say, “Well, I'm not an IT service provider. I'm not in the communication space. I'm not in the retail space.” There's all of this consumer information.
You have valuable information that others are trying to get and use to their own ends, and if it's valuable and confidential protected for you, somebody is out there trying to exploit it. And so, it behooves everyone to then think about, “Okay, what am I going to do to protect it? How am I going to manage it, and how am I going to be ready for an incident when it happens?”
Because the first time you think about your incident response, how you're going to manage it cannot be when the ransomware attack has happened, when the business email compromise event has happened. Just like employees need to know how to avoid them, the people who are going to be responsible for responding to and mitigating those events need to know that upfront as well.
Brad Ouambo:
Definitely.
Brad Reed:
I think with that, we've probably appropriately scared everyone about the threat of cybersecurity and the risk, but realistically, it's something that happens every day. Clients across industries are facing attacks and events really on a constant basis.
And so, particularly I think for our construction clients, they are a target that folks are looking to exploit because they know that there's valuable information there, and they know that there is a lot of payment information and financial information that's flowing just constantly that they can use. So, it's critical to think about these things.
Brad Ouambo:
I mean, the same way you lock your door every morning, the same way you put important files in a safe, is the same way you've got to protect your digital information.
[Music Playing]
Brad Reed:
Well, thanks, Brad. I think that was a very illuminating discussion, and I hope that this can spawn further discussions and lead to questions that you and I can help answer for clients who are working through this.
So, with that, I think we'll leave it there.
Brad Ouambo:
Absolutely.
Brad Reed:
That wraps up another episode of Shoveling Smoke. Thanks for checking in with us and we hope you listen next time. Shoveling Smoke is a production of Evergreen Podcasts. Our producer and audio engineer is Sean Rule-Hoffman. Thanks for listening.