Building Excellence

Dedicated to the people who make our built environment better and safer. We tell your stories and celebrate your successes.

Register with us and receive industry news and content only available to subscribers.

Subscribe
Contacts

Indianapolis, IN, USA (HQ)

903 E. Ohio St., Indianapolis, IN 46202

Call: (317) 423-2325

info@acppubs.com

Lessons from a Cyberattack

by: Tamika Bass and Kelly Marshall, Gannett Fleming
Photo courtesy of Robby Brown + Sundt Construction
Photo courtesy of Robby Brown + Sundt Construction

Cybersecurity has become a critical issue across all industries, including construction. Often perceived as less vulnerable to cyberthreats than high-tech sectors, the construction industry has nevertheless seen increasing cyberattacks, underscoring the necessity for robust cybersecurity measures.

Cyberattacks that shut down business operations, damage firms’ reputations, and result in litigation and fines are rising in the industry. Yet a recent IBM and Ponemon Institute study found that 74 percent of construction-related organizations have not formed a plan or implemented a cybersecurity response.

This article is based on experiences and lessons learned from a significant cyberattack in June 2020, offering valuable insights into the changing cybersecurity landscape.

Mastering Cybersecurity: Terms You Need to Know

Understanding cybersecurity terminology is crucial for protecting your organization as cyberthreats continue to evolve. Familiarity with these key terms can help you recognize and respond to potential threats more effectively:

  • Social engineering — This technique involves sophisticated psychological manipulation to trick people into performing actions or divulging confidential information. Cybercriminals often exploit human emotions and behaviors to gain unauthorized access to systems and data.
  • Phishing — Attackers use deceptive emails to trick individuals into providing personal and security information. These emails often appear to come from legitimate sources, making them hard to detect. Phishing remains one of the most common and effective cyberattack methods.
  • Vishing — Short for “voice phishing,” this method uses phone calls to deceive individuals into revealing personal and security information. Vishing can be particularly effective because it exploits people’s trust in phone communications.
  • Drive-by downloads — This occurs when users unknowingly download malicious software from compromised websites. Simply visiting an infected site can result in malware installed on a user’s computer without their knowledge.
  • Malware — A broad term for any software designed to damage or disrupt an IT system intentionally. Malware can take many forms, including viruses, worms, trojans, and spyware, each with its own method of attack and impact.
  • Ransomware — A type of malware that locks users out of their data or systems, demanding a ransom for restoration. Ransomware attacks can weaken organizations by denying access to critical data and systems until the ransom is paid.
  • Cyber kill chain — This concept outlines attackers’ steps to compromise a system. Understanding the cyber kill chain helps organizations identify and interrupt attacks at various stages, from reconnaissance to exfiltration.

Recognizing and comprehending these cybersecurity terms is more than just academic; it equips individuals and organizations with the knowledge to identify and mitigate potential threats. As the industry becomes an increasingly attractive target for cybercriminals, this understanding is essential for construction professionals who might not traditionally focus on cybersecurity.

Kleemann
Your local Wirtgen America dealer
Brandeis Machinery

By familiarizing yourself with these concepts, you can better protect your organization’s sensitive data, safeguard against disruptive attacks, and ensure continuity in operations. The need for robust cybersecurity measures becomes more critical as the construction industry integrates more digital tools and platforms.

What We Learned from the Cyberattack
Lesson 1: Know Where Your Business-Critical Data Resides
During our cyberattack, Gannett Fleming learned the importance of knowing where all critical data is stored. Without this knowledge, it’s impossible to protect data effectively. Organizations must categorize and classify data, perform disaster recovery planning, and understand the sensitivity and ownership of their data.

Lesson 2: Implement a Cybersecurity Framework
Gannett Fleming adopted the National Institute of Standards and Technology Cybersecurity Framework, which provides recommendations and standards for identifying, detecting, and responding to cyberattacks. Historically, cybersecurity focused on protection and recovery, but the new reality requires a “defense in depth” strategy, which includes detection and response to intrusions.

Lesson 3: Internal Communication Is Key
Effective internal communication is crucial during a cyberattack. IT staff must focus on executing disaster recovery plans. Communication teams should be integrated into the incident response plan to keep everyone informed and calm.

Lesson 4: Anticipate a Juggling Act
A cyberattack creates numerous tasks, such as informing clients and partners, restoring systems, and recovering data. An apparent incident response plan helps manage these tasks efficiently and ensures a quicker return to normal operations.

Takeuchi Mfg Ltd
Your local Takeuchi Mfg Ltd dealer
Brandeis Machinery

Lesson 5: Ensure Backups Are Immutable
Organizations must ensure that backups are not only secure but also restorable. Regularly test disaster recovery plans to verify that data can be restored in an attack.

Lesson 6: To Pay or Not to Pay
Organizations should decide in advance whether to pay a ransom if attacked. While cybersecurity professionals generally advise against paying ransoms, having a pre-determined strategy based on discussions with legal teams and boards is crucial.

Lesson 7: Incident Response Firm on Retainer
Having an incident response firm on retainer can be invaluable. These firms can assist during a cyberattack but must be familiar with the organization’s systems and disaster recovery plans beforehand.

Lesson 8: To Tell or Not to Tell
Organizations should have a clear policy on external notifications for partners, customers, and clients in the event of a cyberattack. These decisions should be made and documented in the incident response plan.

Epiroc
Your local Atlas Copco CMT USA dealer
Brandeis Machinery

Lesson 9: IT Supply Chain Planning
Develop partnerships with vendors to ensure they can quickly provide necessary equipment and services during an incident. This preparation can significantly reduce downtime and help restore operations faster.

Lesson 10: Business Continuity Exercising
Business continuity planning must involve the entire organization and use worst-case scenarios to prepare for significant disruptions. Regularly exercising these plans ensures everyone knows their role and can respond effectively during an incident.

Lesson 11: Awareness Training and Testing
Ongoing cybersecurity awareness training is essential. Gannett Fleming conducts annual and quarterly training sessions and monthly phishing tests to keep employees vigilant and prepared.

Lesson 12: Cyber Insurance
Obtaining and maintaining cyber insurance is critical. Organizations must ensure they have the right coverage and that their cybersecurity hygiene meets the requirements for obtaining insurance.

Komatsu Dealer Program
Your local Komatsu America Corp dealer
Brandeis Machinery

Fortifying the Future

A cyberattack is a stark reminder of the critical importance of robust cybersecurity measures. Understanding key cybersecurity terms and implementing comprehensive security strategies are essential amid increasing cyberthreats.

The lessons learned from Gannett Fleming’s experience underscore the need to know where critical data resides, have a clear incident response plan, maintain effective communication, and regularly test business continuity plans. You may want to implement recurring simulations and drills to ensure employee readiness.

By prioritizing cybersecurity, firms can protect their operations, safeguard sensitive data, and ensure resilience against future attacks. Cybersecurity is not just an IT issue but a fundamental component of overall business strategy, crucial for protecting the organization, its employees, and its clients.

Tamika Bass, CBCP, CISA, CRISC, HCISSP, is Cybersecurity Director for Gannett Fleming and a Lean Six Sigma Green Belt.
Kelly Marshall, PE, CCM, MBA, is Vice President and Area Manager for Gannett Fleming.

Leeboy - Pavers/Asphalt
Your local LeeBoy dealer
Brandeis Machinery
Epiroc
Your local Atlas Copco CMT USA dealer
Brandeis Machinery
Komatsu Dealer Program
Your local Komatsu America Corp dealer
Brandeis Machinery