The phrase “data security” has recently been replaced by “cyber security,” but this isn’t just a matter of fashionable buzzwords. The newer term reflects the fact that staying secure involves a lot more than protecting a company’s data. Furthermore, cyber security has become a public issue and, as such, is the subject of intense regulation.
Cyber crime has become a lot more common, in part because the tools and methods used by perpetrators are now widely available, encouraging smaller players who pursue smaller targets. “The tactics of the ‘bad guys’ have changed,” says Chris Dill, chief information officer of Omaha-based Kiewit Technology Group. “They’re perfectly satisfied to steal from an individual if they can get their bank account, as opposed to trying to make a big score against a big enterprise.”
“And then, of course, if they get an employee to do something they wouldn’t do if they had awareness, now they have the keys to the kingdom. So it’s changed how you have to protect, how you have to train, and what you have to watch for and monitor.”
In this new scenario, criminals are likely to pursue individuals in any vertical, including construction. “If you think, ‘We’re just a construction company, why would anybody want to do us any harm? Therefore, we’re fine,’ that would be a fatal error,” Dill says.
Along with this, construction is now facing much tighter regulation, either directly, or through customer or partner security requirements.
“If you’re in banking,” Dill says, “that regulation’s nothing new to you. But in industries like construction, it’s very new, and it’s come very fast, and companies are really backpedalling trying to figure out how to accommodate that.”
Dill has substantially increased his cyber security spend in the past two years, and last year, he gave a cyber security briefing for Kiewit’s board of directors for the first time. “That wasn’t even on their radar two years ago,” he says.
In Canada, the emerging standard for compliance is SOC2, an acronym for Service Organization Control. The standard covers a broad range of cyber security issues, outlined in what’s termed the five Trust Principles, namely:
- Security: Protection against unauthorized access.
- Availability: Assurance of uninterrupted operation.
- Processing Integrity: Systems have not been compromised.
- Confidentiality: Confidentiality observed as per commitments.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with industry requirements.
For Edmonton-based PCL Constructors, which moved aggressively to the cloud nearly five years ago, SOC2 helps identify potential cloud partners, some of which are start-ups or smaller providers.
“We’re a cloud-first company,” says Chris Palmer, senior manager for Advanced Technology Services, PCL, “so we do a lot of due diligence with our providers. We want to know who is providing their security, what their governance procedures are, how they manage their platform, and that sort of thing. The SOC2 report and audit results give us an independent validation of their security practices, and help us assess the risk involved.”
SOC2, however, may only be a beginning.
“In our assessment, SOC2 is one of the first questions that we ask,” Palmer says, “but it’s one of 20 or 30. We continue to refine our process, but you also have to be willing to trust that the company is forthright, and follows through with their security measures. So we really try to build good relationships with each of the companies in order to get some assurance.”
CHANGING THE CULTURE
With every individual in the company a potential target, employee cyber-awareness is a must. Kiewit and PCL both provide mandatory training for all their employees on an ongoing basis.
“We kicked off cyber-security awareness training last year,” Dill says. “Every employee at Kiewit does an online training class, and has to effectively pass a test at the end of training.”
PCL also runs special campaigns in response to current threats. For example, there has been a recent wave of well-crafted phishes that use construction industry terminology in order to trick an unwitting employee into clicking on a link or divulging sensitive information.
The bottom line is that cyber security is no longer the preserve of a specialized technical group in the IT department, but a company-wide concern that requires not just investment, but constant attention.
“Cyber security’s not something you just throw money at,” Palmer says. “It’s something you actively need to be thinking about in every initiative and every project. That’s one of the bigger changes that I’m seeing here.”
Jacob Stoller is principal of StollerStrategies. Send comments to firstname.lastname@example.org
This column originally appeared in the March 2019 issue of On-Site.