This piece originally appeared in:

Retrofit, March/April 2023

Attacks on Cloud and Data Infrastructure Underline the Need for Cybersecurity

Like most every sector of the global economy, the design and construction industry has become exponentially more digital, more connected and more cloud-based. Project managers on job sites rely heavily on their ever-present tablet devices, and massive amounts of information and data on everything from drawings to budgets and contracts are generated and shared seamlessly in a digital environment.

Technology has revolutionized the industry, streamlined processes and made the sharing of vital information so much simpler. But creating these open pathways to enable the seamless flow of data comes at a cost. For firms of all sizes and types, the threat of cyber attacks continues to grow and the need for cybersecurity is greater than ever.

“The threat landscape is constantly evolving and the need to adapt cyber defenses is something that requires attention every day,” says Mike Carr, vice president, Information Technology for Clune Construction, a national general contractor, headquartered in Chicago. “Threats from bad actors have increased and threats come in daily. We routinely see standard attacks, such as spear-phishing and whale-phishing, but a lot of threats have become more complex and targeted.”

The types of threats companies face vary depending on where they are in their adoption journey,” explains Aditya Thakur, director, Product Management at Autodesk Construction Solutions. “Some companies are still for the most part using manual workflows with pen and paper. Others are moving to cloud-based systems and asking how they secure their data. A few years ago, most customers were concerned with issues, like single-sign-on and wanted to make sure to add additional authentication to protect access to data. As customers become more sophisticated, they are thinking about the integrity of the data itself and maintaining it in case something was to happen.”

Sharing and Securing

Although the degree of adoption and technological reliance may differ from company to company, firms of all sizes and operations need to be thinking about cybersecurity. The amount of information that goes into building design and construction, the number of interactions involved and the overall level of technology adoption in the industry makes it very important for firms in all parts of the building process to be on alert.

“Most small- to mid-sized businesses do not have a dedicated cybersecurity department. However, maintaining a solid cyber defense is something every organization should strive for,” Carr says. “Companies should never assume their industry isn’t a target for attacks. All organizations should have a culture of security. Trends for 2023 indicate the use of artificial intelligence/machine learning to increase the effectiveness of phishing cam- paigns. Protecting remote and hybrid employees and mobile-device compromises are things to focus on this year.”

“The pandemic pushed a lot of companies to quickly adopt cloud-based solutions and, as a result, many of those companies are trying to figure out what their security roadmap should look like,” Thakur says. “Traditionally, construction has lagged slightly in terms of technology adoption. Previously there were mostly design workflows using Revit, AutoCAD and other design-authoring tools and the process would happen on paper, email and Excel. But now there’s a burst of activity in cloud services.”

Many threats are universal, but there are factors the construction industry specifically should consider.

“Based on my experience, there are challenges that are specific to the construction industry,” Thakur notes. “All companies need to think about how they secure their data, their employees and their information, but what can be unique in construction is that you might be working with 50 different companies sometimes on a single project. There is a lot of need for data sharing back and forth. As a general contractor, for example, you might invite numerous trade partners to your cloud, but how do you secure data you want private to yourself? That’s one challenge and another is that you might be dealing with many partners in vastly different stages of technology adoption.”

Threat Environment

The nature of the threats out there aren’t necessarily new, but many tried-and-true attack techniques are becoming increasingly more sophisticated and damaging.

“Malicious parties, both individual and state sponsored, are targeting all industries with crypto, phishing and direct ransomware attacks. I’ve been seeing incidents that impact even Fortune 500 companies,” Carr explains. “A lot of threats have become more complex and targeted. They will compromise a subcontractor and directly use their email to attempt to get you to respond with a targeted email.”

Thakur adds: “I’ve seen attacks on the rise in general. You breach some servers, you get the professional email addresses and then start sort of repeatedly attacking. Denial-of- service attacks have been on the rise, and those are targeted attacks on cloud resources to bring the service down. I know the cloud companies are sort of working on it, but that’s just something to keep an eye on.”

“We’ve started seeing more instances of very targeted campaigns where they set up nearly duplicate domain names and user email accounts and then start trying to represent themselves as legitimate users,” Carr says. “At Clune, we have an external service doing regular checks and takedowns of those domains as a service to us.”

Educate and Defend

Cybersecurity is an ever-escalating struggle that forces companies to constantly keep up and defend against ever-more sophisticated threats and attacks. While security technology is part of the solution, it is not a silver bullet. Education, authentication and process are vital to any security strategy.

“It is critical for any company to increase the awareness of its staff through cybersecurity training and phish testing,” Carr says. “The end-user is the front line of defense. They need to partner with a cybersecurity industry specialist to make sure they are protected. I suggest performing professional risk/gap analysis at least once each year to mitigate possible points of vulnerability.”

“Make sure employees are constantly educated about phishing attacks. What a lot of companies don’t realize is that when a breach happens, you may not see the true impact of it until a few years later,” Thakur says. “Make sure folks are aware, because it can happen very innocently. More companies now are running fake phishing attacks internally to make sure employees are always aware.”

There is a delicate balance to be struck between security and usability. In the end, technology and data sharing are intended to make jobs and processes easier, and that simple truth can be jeopardized with overly onerous security protocol. A combination of process and technology is required.

“I think authentication is always going to be a trend because there are a lot of tools out there and the threats are always evolving,” Thakur says. “But how do you create security without making it too restrictive for users to log in? In construction, it’s very important to be usable because the project managers in the field have limited time, and they want to get in and get out and get stuff done. It puts the onus on tech companies to constantly evolve and upgrade their security infrastructure to make sure they’re doing right by their customers.”

“Security is something that should be at the forefront for all organizations,” Carr says. “Protecting their data and their clients’ data should be top of mind, not only for the IT department, but for the entire company.”