It’s no secret that data breaches are on the rise, regardless of industry or company size. Protecting your business and employees from cybersecurity attacks is a growing concern, especially for small construction companies and contractors. A cybersecurity strategy that was acceptable at the beginning of the year may be outdated with the latest cyber threats. Most construction companies store sensitive project information, including bids, designs and material pricing, on top of their own financial data and employee information, banking records and other confidential information. With all of this information at risk, it’s shocking that on average, 68% of construction companies spend only 1% or less of annual sales on their IT budget, according to JBKnowledge.
Ensuring your company’s data is protected is a daunting task, and requires time, money and resources to stay up on the latest cybersecurity practices. Whether you’re just getting started in the security process, or ready to ramp up your existing strategy, below we cover the necessary pieces to keep your company secure.
Start with the Basics
Starting with the cyber perimeter of your network is a great place to begin the process of securing your company. A few simple steps can make a big difference. Consider implementing:
A properly configured firewall will take you from being an easy target to having a well-protected attack surface. A firewall should be installed by a certified network engineer. You will also want ongoing technical support and an advanced security subscription to keep your firewall up to date against developing threats.
One feature that is specifically beneficial for the real estate and construction industries is the ability to block by country. Consider blocking the countries that you do not do business with and have no reason to allow them to communicate with your organization. For instance, if you are a construction contractor only working on projects in North America why allow any country outside of the United States, Mexico, or Canada to communicate with your network? Blocking this access helps put up an appropriate barrier against cyberattacks in other countries. If you look at where cybersecurity scams and breaches are generated from, the same list of countries show up over and over. Are you blocking those countries or are you allowing them to knock on your virtual door?
A Spam Filter
Over half of all emails sent globally are spam. A spam filter can help protect against phishing emails and malicious links with strategies to take your password and other sensitive information.
There are many reputable spam filters, but not all are created equal. Some require appropriate configuration to make sure the overwhelming majority of malicious emails are blocked. If a spam filter is not configured adequately, malicious emails will make it to inboxes and increase the probability of one being clicked on by an employee and jeopardizing the entire organization. If you have not already, consider adjusting your spam filter to reduce the number of emails making it through.
Viruses are getting increasingly more aggressive, but there are anti-virus tools used to fight malicious software including artificial intelligence, automatic updates, self-cleaning mechanisms and real-time scanning. A reputable, up-to-date anti-virus is the most basic protection of all. Please check with your technology provider when assessing whether your current anti-virus strategy is adequate. Anti-virus and anti-malware help protect computers and servers but should be supplemented with other tactics to provide a holistic cybersecurity approach.
Cybersecurity Awareness Training
On average, four out of every 100 employees will click on a malicious link presented to them. A cybersecurity training program can shrink that number and provide best practices on how to recognize threats and what not to click on. Cybersecurity awareness training provides excellent reporting on which employees or groups of employees are causing your organization the most risk. You can evaluate if their cybersecurity awareness improves over time by continued campaigns aimed at changing any bad habits.
Ramp up Your Security
When you have the basics covered, it’s time to look at more advanced practices to help protect your company’s sensitive data. Consider implementing:
A Company-Wide Password Policy
Combining a strong password policy with multi-factor authentication can be a great line first of defense against a data breach while also educating employees on password best practices. Learn how to implement a strong password policy.
Annual Vulnerability Assessment
This assessment provides critical information about possible vulnerabilities. A simple vulnerability test can identify any areas to improve before implementing a penetration test.
Annual Penetration Test
A third-party organization will attempt to find methods for entering your network and finding valuable data. Annual penetration tests can identify weaknesses to improve upon.
System Information and Event Manager
This service will filter through logs and find particular events for review and potential remediation, such as failed login attempts and malware activity.
Create, maintain, and exercise a basic cyber incident response plan, resiliency plan, and associated communications plan and be prepared for an incident with cybersecurity insurance. Even if you started a policy a few years ago, it may not be robust enough to account for modern, costly security threats. The cost of a production down situation or breach can be staggering for a business, and cybersecurity insurance can help your business recover from data loss if a breach occurs.
Backup and Disaster Recovery
Backup and disaster recovery can save you from losing valuable data in the event ransomware encrypts your data or if data is destroyed. If you have an incident that encrypts your data or deletes your data, you may be relying on a solid backup platform to get things back online. Maintain offline, encrypted backups of data and regularly test those backups. A disaster recovery plan can shrink the impact caused by a ransomware or data deletion event.
With all of the moving parts above, it will require management and coordination. This coordination is not always possible by in-house IT for many reasons. Sometimes providers who run multiple businesses, or even businesses within your peer group may have very valuable strategies to use.
Implementing a cybersecurity strategy takes a significant amount of resources to implement and continuously evaluate the effectiveness as new threats arise. Even a dedicated in-house IT employee will most likely need assistance with such a large specialized task. Anders Technology offers the tools, training and managed IT services necessary to keep your company protected, now and in the future. Contact an Anders advisor below to discuss your specific needs.All Insights