
TIME TO GET SERIOUS:

PROTECTING YOUR COMPANY FROM

CYBERATTACKS

BY ROB RUDLOFF

Every day, you and your team find ways to overcome the challenges (e.g., schedules, budgets, safety, compromised workers, failed equipment) to completing projects on time and on budget. But there is another and possibly even more sinister threat to your company that is entrenched in your business model, and cybercriminals want it: YOUR DATA.

Data Is Increasingly at Risk


Data exists on your servers, in every e-mail, and in every text message. It lives on every mobile device carried by your employees, in every drawing received from an architect, and in every schematic sent to a client. Your laptops, printers, tablets, phones, fax machines, scanners, and mobile devices are constantly accessing and transmitting data.

Data crosses your job schedules, employee and safety records, blueprints, and CAD drawings. It travels through your accounting and billing departments; to your fabrication shop and warehouse; through your HR department and into your payroll; out to your jobsites to your superintendents, PMs, and safety directors; and, most importantly, to your customers. In other words, it's all around you and your projects because it's at the heart of your business.

With that in mind, it's easy to understand how your company could become a target for a data security breach. As part of its 2014 Data Breach Investigations Report, Verizon reported on the breakdown of breaches within the construction industry, with crimeware the most frequent cause.1 (See Exhibit 1 on page 26.) Crimeware's goal is to gain control of systems as a platform for illicit uses such as stealing credentials, launching DDoS attacks, and sending spam. Web downloads and drive-bys are the most common vectors. In its recommendations, the report prioritizes software inventory, standard configurations, malware defenses, and boundary defense for the construction industry.

One disturbing phenomenon that has grown sharply over the past decade is social engineering: the use of people and their habits, rather than software flaws, to break into systems. Examples include attackers calling employees to extract information, shoulder surfing to pick up access codes or entry-card details, sending phishing e-mails, or placing calls asking users to "update" computers or software, all in order to gain context or credentials for breaking into your systems. Phishing e-mails are increasingly sophisticated, presenting seemingly legitimate information with disastrous consequences. Even at a 5% click-through rate, it is very likely that someone in your company will click on one. The question is: Will you know when it has happened, and are you equipped to deal with it effectively?

According to the Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis,2 U.S. companies had the most costly data breaches worldwide on average ($201 per record); on average, they also had the breaches with the greatest number of exposed or compromised records (29,087). Multiplying these two figures, a single breach costs approximately $5.8 million. For more on the costs of an attack, see Exhibit 3 on page 27.

How Can You Protect Your Company?


With the rising risks and costs of cybersecurity, knowing how to protect your company is critical.
Such risk must be managed as an ongoing enterprise-wide concern, not just an IT issue. The first
step is to admit that the threat is real and your company could be a target.

EXHIBIT 1:

BREACHES WITHIN THE CONSTRUCTION INDUSTRY

[Pie chart in the original; the slice values recoverable from the page are listed here.]
Crimeware: 33%
Insider Misuse: 13%
POS Intrusion: 7%
Cyber Espionage: 7%
Theft/Loss, Miscellaneous Error, and Everything Else: 13%, 13%, and 14% (one value each; the extracted page does not show which of the three is the 14% slice)

Source: Verizon 2014 Data Breach Investigations Report

EXHIBIT 2:

DID YOU KNOW?

DISTRIBUTED DENIAL OF SERVICE (DDoS) uses a network of (mainly) compromised systems to flood a single target with traffic, causing a denial of service.
DRIVE-BYS are a malware infection technique in which malware is downloaded without the person's knowledge, typically just by visiting a compromised or malicious web page.
SHOULDER SURFING refers to watching an authorized person type a PIN, password, or door code (or reading it off a screen or badge) in order to capture it. Following an authorized person through a door to avoid presenting credentials is a related trick known as tailgating.
PHISHING E-MAILS look like legitimate e-mail, but in reality are designed to gather personal information or credentials, or to convince the person to execute an attachment.
CLICK-THROUGH RATE measures the success of an online campaign by the number of users who clicked on a specific link; a phishing campaign is measured the same way.

Know Yourself

Determine what is known about your company's data, where and how it is accessed, and how it is protected. Consider the following questions to develop a clear snapshot of your company's sensitive information:

What Sensitive Information Exists in Our Company? Do we have social security numbers, driver's license photos, credit information, or other personally identifiable information for our employees, contractors, or vendors? Do we have marketing, pricing, drawings, or other information that is valuable to our competitors? What kind of customer information is covered by confidentiality agreements?

Where Does the Sensitive Information Exist? Where do we store paper documents, scanned documents, electronic files, e-mail, application data, and faxes? Are we using cloud service applications to store data outside our environment?

Who Has Access to Our Data? Who in our organization has the ability to log in and access the data? Once logged in, are there rules that restrict each user to only what is needed? Do we have any partners, suppliers, subcontractors, or other vendors in our systems with access to our data? Do we use segregation of duties to limit and detect fraudulent activity?

How Is Our Data Protected? Is our data encrypted as it is transmitted between our internal environment and outside recipients? Is our data encrypted when stored? Do we have appropriate authentication methods in place? How do users get provisioned for access, and how is access removed when it is no longer needed?

How Is Our Technology Protected? Do we have adequate perimeter controls to detect and prevent attacks against our IT systems? Do we have adequate internal controls to detect and prevent attacks from within our environment? Is our technology physically protected to prevent tampering? Do we have disaster recovery and continuity plans in place?

How Will We Know? Unfortunately, in today's world it is not a matter of "if" but rather "when" we'll become a victim. How will we know if/when a security event or breach has occurred?

26 CFMA Building Profits July/August 2015

Do we have enough security intelligence to inform us when something abnormal is occurring so that it can be investigated, contained, and eradicated?
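The first two questions above, what sensitive information exists and where it lives, can be answered in part by sweeping exports, shared drives, and mailbox archives for the patterns that such data follows. The script below is an added example, not code from the article or from RubinBrown: it finds U.S. social security numbers by format and payment card numbers by format plus the Luhn check digit, so that purchase-order and phone numbers do not raise false alarms, and it masks what it finds so the report does not become a second copy of the data. The sample text it scans is constructed for the example.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed sample: lines as they might appear in an HR or payroll export.
# Every value is fabricated for this example (4111... and 5500... are the
# card networks' published test numbers, not real accounts).
SAMPLE_TEXT = """\
employee,ssn,card_on_file,notes
J. Smith,123-45-6789,4111 1111 1111 1111,superintendent - site 7
A. Jones,000-12-3456,4111-1111-1111-1112,invalid SSN area and bad card checksum
Acme Steel,n/a,5500 0000 0000 0004,vendor card
Drawing A-201,n/a,n/a,PO 2015-0042 sheet rev 3
"""

# SSN format: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated into groups by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit test used by payment card numbers. It weeds out
    digit runs (PO numbers, phone numbers) that merely look like a card."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, masked_value) for each likely SSN or card
    number. Only the last four digits are kept in the report."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            hits.append((line_no, "ssn", "***-**-" + m.group()[-4:]))
        for m in CARD_RE.finditer(line):
            if luhn_valid(m.group()):
                digits = re.sub(r"\D", "", m.group())
                hits.append((line_no, "card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def scan_paths(paths: Iterable[str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Run find_sensitive over text files (CSV exports, mailbox dumps, etc.).
    Unreadable files are skipped so one locked file does not stop the sweep."""
    report = {}
    for p in paths:
        try:
            text = Path(p).read_text(errors="replace")
        except OSError:
            continue
        hits = find_sensitive(text)
        if hits:
            report[p] = hits
    return report


if __name__ == "__main__":
    for line_no, kind, masked in find_sensitive(SAMPLE_TEXT):
        print(f"line {line_no}: {kind} {masked}")
```

Run as written it reports the SSN and the card on line 2 and the vendor card on line 4, and says nothing about the malformed SSN, the card with a bad check digit, or the PO number. Point scan_paths at exported spreadsheets or a mailbox dump to build the "where does it exist" inventory; binary formats (PDF, Office files) need to be converted to text first.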
Once this information is obtained, share your concerns with your leadership team, board, and investors. Find those with expertise in this area to evaluate your current systems and suggest solutions. Develop programs to detect and prevent cyberbreaches, then perform ongoing testing of those systems. Most of all, be vigilant in monitoring and testing your systems. When (not if) there is a breach, have a plan in place to address it immediately.

It is also essential to determine who within key management has responsibility for protecting your company against cyberattacks. The lead employee should report to the owner or CEO. Also, consider ramping up financial and human resources to tackle the job on an ongoing basis. A security breach can disrupt operations, could cause job shutdowns, and may tarnish your company's brand and threaten its well-being in the marketplace.

Limit Your Exposure

A good next step is to review your construction or customer contracts with your legal advisor to ensure you are limiting your exposure in case of a data breach. It is critical to review your vendor contracts for the same issues, especially those with data centers, cloud and software providers, IT specialists, and other outside suppliers with access to your internal systems. Talk with your industry peers about what they have learned and which systems they are implementing, and assign responsibility within your own organization.

EXHIBIT 3:

DATA SECURITY BREACHES & COSTS

DATA SECURITY BREACHES ARE AT AN ALL-TIME HIGH, AS ARE THE COSTS:

The Office of Personnel Management (OPM) recently disclosed that personal information of more than four million federal employees may have been compromised, potentially by a foreign nation-state. However, the American Federation of Government Employees has stated that the breach was far more damaging, and that all personnel data for every federal employee, every federal retiree, and up to one million former federal employees was compromised.3

JPMorgan Chase reportedly had 76 million consumer and seven million small business accounts compromised.4

Direct costs of stolen credit and debit cards from the Target data breach in 2013 reportedly exceed $250 million,5 and total costs are estimated at more than $1 billion.6

A record-breaking 1.1 billion personal and sensitive records were compromised in 2014 across 3,014 incidents, a 22% increase over 2013. Hacking and fraudulent activity accounted for a staggering 97.6% of the records lost.7

The probability of a data breach of more than 10,000 records over the next two years is 22%.8

Regularly review your company's cyber liability insurance coverage to determine whether it is appropriate. Determine what risks you are willing to take on at your company. A board-level management discussion should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

Safeguard Your Data


Data protection must be company-wide. Think about the various ways in which your company interacts with technology and data. Use these areas to develop policies, procedures, and technology solutions. For each area, the goal is to have layers of defense in place so that even if one is compromised, additional protection remains and access is still restricted.

EXHIBIT 4:

MOBILE DEVICES: RULES FOR THE ROAD

APPS: Make sure mobile applications you develop or deploy are self-contained and do not collect personal information from other mobile apps.
CONTROL: Use a mobile device management (MDM) solution to grant or restrict access, as well as to manage, inventory, and remotely wipe mobile devices.
INVENTORY: Keep an inventory of authorized devices and require registration of all new devices.
PROTECTION: Require passwords, PINs, or swipe patterns on any mobile device attached to your network.
EDUCATION: Train your users how to protect themselves, and implement acceptable use policies to reinforce the message.
Physical Environment

Safeguarding your data begins with a secure physical environment. Restrict access to physical areas with sensitive information and monitor who accesses the area. Maintain secure destruction of paper and media, including PC drives, USB drives, servers, copiers, scanners, fax machines, etc. Most companies address this through normal operations at their main offices, but may neglect this practice at jobsites, sales offices, or other remote locations.

Technology Infrastructure

Understand your inventory of hardware, software, and applications so you can recognize something out of the ordinary. Implement web content filtering and automated threat intelligence feeds to block outbound access to known malicious sites. Install antivirus and anti-malware protection and update it regularly. Decide who receives mobile devices and set up protocols for how and when they are used. Consistently monitor for malicious or abnormal behavior across the network, applications, and end-user workstations. Finally, establish solid perimeter controls, including firewalls and intrusion detection/prevention systems.
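The blocklist-and-monitoring advice above is easiest to see in code. The script below is an added example, not code from the article or from RubinBrown: it loads a threat-intelligence feed in the usual one-domain-per-line form, then runs web proxy log lines against it, matching on whole DNS labels so that a blocked example.org also catches cdn.example.org but does not falsely catch notexample.org. The feed and the log lines are constructed for the example and use reserved example domains; the log layout (timestamp, client, method, target, status) is an assumption, since every proxy has its own format.

```python
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed threat-intel feed in the common one-indicator-per-line form.
# The domains are reserved example names, not real indicators.
BLOCKLIST_FEED = """\
# feed: example-feed 2015-07-14
bad.example.net
example.org        # whole domain and every subdomain
"""

# Constructed proxy log lines: timestamp client method target status.
PROXY_LOG = """\
2015-07-14T09:12:01 10.20.1.15 GET http://www.example.com/plans/a-201.pdf 200
2015-07-14T09:12:07 10.20.1.15 GET http://bad.example.net/update.exe 200
2015-07-14T09:13:40 10.20.1.22 CONNECT cdn.example.org:443 200
2015-07-14T09:14:02 10.20.1.22 GET http://notexample.org/index.html 200
2015-07-14T09:15:15 10.20.1.15 CONNECT BAD.Example.NET:443 200
"""


def load_blocklist(feed: str) -> Set[str]:
    """Parse a one-indicator-per-line feed, ignoring comments and blanks."""
    indicators = set()
    for line in feed.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            indicators.add(line)
    return indicators


def matching_indicator(host: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry that covers host, or None. Matching walks
    up the DNS labels, so 'example.org' covers 'cdn.example.org' but a plain
    suffix test that would also hit 'notexample.org' is avoided."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def host_from_request(method: str, target: str) -> str:
    """CONNECT lines carry host:port; other methods carry a full URL.
    (IPv6 literals in CONNECT targets are not handled in this example.)"""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0]
    return urlsplit(target).hostname or ""


def scan_proxy_log(log: str, blocklist: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, host, indicator) for each request to a
    blocked host. Malformed lines are skipped rather than aborting the scan."""
    alerts = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, method, target = parts[:4]
        host = host_from_request(method, target)
        hit = matching_indicator(host, blocklist)
        if hit:
            alerts.append((ts, client, host.lower(), hit))
    return alerts


if __name__ == "__main__":
    for ts, client, host, hit in scan_proxy_log(PROXY_LOG, load_blocklist(BLOCKLIST_FEED)):
        print(f"{ts} {client} -> {host} (matches {hit})")
```

Three of the five constructed requests are flagged: two from 10.20.1.15 to bad.example.net (one of them upper-cased and on port 443) and one from 10.20.1.22 to cdn.example.org. The request to notexample.org is correctly left alone. In production the same logic belongs in the proxy or DNS filter so the connection is blocked rather than merely logged, with the log scan kept as the check that the block is actually working.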
Applications

Limit access to your software applications on a need-to-know basis, sometimes referred to as least privilege. Set up access rights for sensitive applications that distinguish read from write access and enforce segregation of duties. Enable audit trails to record who has been on your system, when it was accessed, and what changes were made. Require strong passwords and consider using multi-factor authentication (MFA), particularly where remote access into the environment is involved. Regularly review contracts to understand the risk associated with the ongoing use of each application. Require Service Organization Control (SOC) reports from all cloud providers and understand how your data will be handled in their environment. Encrypt all data in motion, and assess the risk to determine whether data at rest should be encrypted as well.

Users & Endpoints

Understanding how information moves into, through, and out of your business is essential to assessing security vulnerabilities. Identify any sensitive information that personnel or third parties have (or could have) access to via your systems. Limit the information collected and retained to prevent needless data storage and to reduce the risk of unauthorized access. Further, protect the information that is maintained by assessing risks and implementing protections in four key areas: physical security, electronic security, employee training, and oversight of service providers. And be sure to properly dispose of information that is no longer needed.

Finally, have a plan in place to respond to security incidents and data breaches should they occur. The plan should be closely aligned with your company's continuity plan.

EXHIBIT 5:

TOP CONTROLS ASSESSMENT

The areas listed below are covered in The Critical Security Controls for Effective Cyber Defense, Version 5 (www.sans.org/critical-security-controls) and include aspects of the National Institute of Standards & Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the International Organization for Standardization (ISO) 27000 series, and can be linked to other standards as well.

ACCESS & Authentication Controls
CHANGE Management
DATA Retention & Secure Destruction
DATA Security
END-POINT Protection
INFORMATION Security Policies
IT RISK Assessment Process
LOGGING, Auditing & Monitoring
MOBILE Devices
NETWORK Architecture, Design & Implementation
PASSWORD Management
PATCH Management
PERIMETER & Network Segmentation
RECOVERY, Response & Continuity Plans
REMOTE Access & Authentication Controls
THIRD-PARTY Security & Cloud Usage
VULNERABILITY Management
WIRELESS Security

Mobile Computing Security

Employees' use of their personal devices (Bring Your Own Device, or BYOD) represents a huge potential threat to your company. With the explosion of social media sites and other applications, it is essential to decide whether or not you will allow personal mobile devices on your network.

Cybercriminals are increasingly targeting mobile devices; seemingly innocuous activities like downloading a video or installing a new app could represent a serious threat. Clearly document what devices can be used as well as how and when they may be used. Set similar protocols for USB drives, tablets, and other hardware that may be connected to your environment. (See Exhibit 4 on page 28.)

Prevention Is a Continuous Process

Ongoing vigilance can be one of your most effective tools against risk to your cybersecurity. Continuously educating and training employees is critical to combat the daily threats delivered via e-mail and malicious websites. Are your employees aware of the threats, and are they informed and trained on proper procedures? Are they encouraged to report possible breaches, because those reports are vital to the company?

Performing periodic assessments of the environment based on risks and threats can be extremely useful to understand where weaknesses may exist and how the security

infrastructure detects and prevents attacks. This approach should also be applied to networks, systems, and applications. Monitor activities to determine what needs to be updated or replaced.

If you're unsure of where to begin, take a look at Exhibit 5: Top Controls Assessment on page 29. A comprehensive review of your systems should include a review of available logs, alerts, reports, and key systems. Data flow should be traced (both inbound and outbound) and both controls and weaknesses should be identified. An effective review will also include an external vulnerability assessment, examining perimeter controls and identifying potential issues or vulnerabilities from external connections.

Continuously identify and deploy new solutions to secure your data as your environment and threats change. Consider developing a red team composed of IT specialists who try to break into your systems, working under written authorization and agreed rules of engagement.9 This is a good way to identify vulnerabilities and determine where an open door may exist.

Conclusion

Construction is an extremely collaborative effort among owners, real estate professionals, financial institutions, architects, engineers, GCs, subcontractors, equipment and material suppliers, etc. Contracts, blueprints, CAD drawings, BIM models, workplans, and financial documents represent merely the tip of the iceberg of the complex information that is shared among building partners during the life of a project. Your cybersecurity must be managed in the context of this extended digital ecosystem.

Data used in construction projects today improves efficiencies, saves time, and creates digital footprints for future work. However, you owe it to your customers and colleagues to operate securely and prevent threats. Proper management of cybersecurity helps ensure that this valuable information remains secure and that the benefits of data continue to outweigh the risks. There is no silver bullet that will solve all cybersecurity challenges, but investing in long-term maintenance, monitoring, and security that can be sustained over time is an excellent defense.


ROB RUDLOFF, CISSP, ISSMP, MBA, is Partner-in-Charge of Cyber Security Risk Services at RubinBrown LLP in Denver, CO.

Rob has been helping organizations improve their security posture for more than 20 years. He specializes in application and network security vulnerability and penetration testing, security policy and procedure support, security posture reviews, mitigation support, and architecture development.

Phone: 303-952-1220
E-Mail: rob_rudloff@rubinbrown.com
Website: www.rubinbrown.com

Endnotes

1. 2014 Data Breach Investigations Report (DBIR), Verizon, available at www.verizonenterprise.com/us/DBIR.
2. 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 5, 2014, available at www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.
3. bigstory.ap.org/article/af77f567a4b74f128a4869031dc9add9.
4. dealbook.nytimes.com/2014/10/02/jpmorgan-discovers-further-cybersecurity-issues.
5. "Target Data Breach Price Tag: $252 Million and Counting." MintzLevin, February 26, 2015. www.privacyandsecuritymatters.com/2015/02/target-data-breach-price-tag-252-million-and-counting.
6. Cox, Randall. "Expected Target Losses." Rippleshot, January 29, 2014. info.rippleshot.com/blog/expected-target-losses.
7. Data Breach Quick View: 2014 Data Breach Trends report, Risk Based Security, February 2015. www.riskbasedsecurity.com/reports/2014YEDataBreachQuickView.pdf.
8. 2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute, May 5, 2014, available at www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis (see also note 2).
9. Mejia, Robin. "Red Team Versus Blue Team: How to Run an Effective Simulation." CSO, March 25, 2008. www.csoonline.com/article/2122440/emergency-preparedness/red-team-versus-blue-team--how-to-run-an-effective-simulation.html.
