Construction firms that work on large projects are obvious targets for cybercriminals. The motivation is clear – if you can take down a single construction firm and disrupt one of their building sites, the business interruption could easily cost them hundreds of thousands or even millions of dollars which they would never be able to recoup. Engineer Reddy Kancharla has some ideas on how to protect yourself from cyber-attacks.
Cybercriminals typically begin an attack with reconnaissance – basic online research into the target to learn how sensitive or critical your data is and whether it might be useful to them. This research lets them choose the type of attack best suited to you, which could range from finding and exploiting a vulnerability in an outdated website CMS (Content Management System) to sending phishing emails.
One common form of cyberattack is called “phishing” – the art of luring the victim into providing data or taking an action they otherwise would not. A typical phishing attack is an email that looks like it’s from your bank, notifying you of a suspected fraudulent transaction and asking you to click on the link in the email and provide additional details to verify your identity. This is only one kind of “phish,” though – here are some other examples:
· A phone call from someone pretending to be IT at your company and claiming that they’ve found a vulnerability in your network
· An email that appears to be from a reputable website (e.g., CNN) alerting you to an online survey that asks for information like your passcode or credit card number
There are no simple ways to protect against such attacks – simply putting up firewalls and antivirus software isn’t going to be good enough. For one, attackers may go after a trusted internal employee (an HR director, for example) and hack into the firm’s payroll database from inside the network. Additionally, most respectable companies have firewalls and antivirus software installed, but these programs require constant updates to keep protecting against new types of attacks. The frequency of updates is a key consideration when choosing a security solution – the more frequent, the better. Larger firms should look for an automated update system that can be scheduled during non-peak business hours so that it does not interrupt day-to-day operations.
Another way to protect yourself from cyber attacks is to ensure that you have a clear data classification policy that outlines the categories of information your firm deals with and the specific ways this information should be handled. Data classification policies are important because they give your employees guidelines on classifying and handling sensitive data, a topic that might very likely never come up during their day-to-day work. What’s more, such a policy helps you ensure that appropriate security measures are in place for different categories of data. For example, only highly sensitive information like payroll data should be kept on servers with physical access protection (most firms use biometric readers or swipe cards to enter server rooms).