Construction Best Practices

4 Top Cloud Security Tips for Construction Contractors


When it comes to cybersecurity, Bryce Austin has seen it all. He built his consulting firm, TCE Strategy, around helping business clients understand threats and developing strategies to protect their data.

In this blog, we’ll take a look at a few of the top cybersecurity tips and best practices that Austin has shared with construction contractors over the course of several special sessions with Trimble Viewpoint.

Understanding Risk and Methods of Mitigation

Cybersecurity is a vital part of construction risk management.

At its heart, cybersecurity is about risk mitigation. Just like other risks, there’s no way to guarantee a data security event will never happen; all we can do is be well prepared if or when it does. According to Austin, there are three risk responses that businesses can choose to engage in:

  1. Quantify the risk, and then accept it

  2. Mitigate the existing risks to an acceptable level

  3. Transfer risks to a third party

These categories are true across most aspects of security—and it’s about being proactive.

“If you can see the freight train coming, it's much easier to get off the tracks than it is to try to put the pieces back together after you get hit,” Austin said.

Focus on Stopping ‘Phishing’

Phishing is one of the first steps cyber criminals will take in attempting a breach of your data.

First and foremost, Austin said, is knowing where to focus. Phishing is a great place to start, because so many aspects of cybersecurity—from breaches to ransomware—begin with phishing. It’s critical that teams and their third party partners understand what to look for.

“Cybersecurity experts might know what phishing is, but do your technology users know?” Austin said. “Do users know it could be text messages? Spam calls pretending to be someone else? Emails? Any user that interacts with technology in the business must be educated about what phishing is, so they know how to prevent it.”

The good news is, there is a common methodology to every breach, a chain of events in which each step is necessary for the hacker to succeed:

  1. Phishing—sending fraudulent emails to induce the recipient to reveal important personal information, like credit card numbers or social security numbers.

  2. Hopping—a cyberattack targeting a company’s third-party vendors in an attempt to hack that company’s data.

  3. Scraping—collecting and copying large amounts of data from a website or application for later malicious use.

  4. Aggregating—compiling and consolidating massive amounts of data into a single entry for easy transfer.

  5. Exfiltrating—an unauthorized transfer of sensitive data into the custody of a malicious actor.

Disrupt any of those steps and companies can stop the breach. Or, as Austin says it: “Stop any step, stop any breach. All of these things have to happen in order for a breach to take place. And if you can detect and disrupt any one of these five, you will stop the breach. That’s an important take-home message.”

4 Construction Cloud Security Tips

Cyber criminals will look for areas to exploit, but if strong safeguards are in place, they'll likely move on to another target.

Austin breaks down the idea of cloud security in an easily-digestible way:

“We’re going to think of ‘the cloud’ as the internet: It’s a way for you to get computing services from other companies delivered essentially to your door,” Austin said. Cloud services offered by Microsoft, Google, and Amazon (the big players in the space) vary but all have essential security features.

Cloud services offer a lot of potential benefits to companies because you don’t have to think about things like server banks anymore,” Austin said. “And now your personal PC has a small part to play in the overall cybersecurity of your company, but it’s about the behavior as well: the password you choose, or whether or not you set up additional security measures.”

Those measures include things like multi-factor authentication (MFA), which is a way to utilize multiple personal features to secure a device or program.

There are three types of information to confirm your identity with a computer:

  1. Something you know, like a username

  2. Something you have, like your car key or your smartphone, and

  3. Something you are, like a facial recognition scan or a fingerprint.

“What multifactor authentication says is pick any two of those three, and you're good to go,” Austin said. Which leads us into his first tip:

It’s about the behavior: the password you choose, or whether or not you set up additional security measures.

Ensuring software patches and updates are regularly in place helps prevent open windows to your data.

Cloud Tip #1: Secure Administrator Portal Credentials

Using MFA (and other security that your company chooses to adopt) should be built into existing security protocols, or added if it doesn’t already exist.

“Take-home tip: If you have a cloud service of any sort, it’s very important that you secure the administrator credentials to that port very, very strongly,” Austin said as he walked through the recent Colonial Pipeline breach and shut-down (more on this later), which was a case of MFA not being in place.

Cloud Tip #2: Patch Your Cloud Environment Regularly

Cloud systems require maintenance, although it is markedly different from on-premise care and maintenance.

“Now, there are a lot of things happening in the cloud that are a huge net benefit to you as a consumer, you as a company,” Austin said. “I’m a fan of the cloud, but users must be aware that the level of ‘care and feeding’ goes up more often than it goes down. There’s a strong consideration for outsourcing your cloud hosting.”

Remember our earlier methods of risk mitigation? Austin recommends finding the right vendor to whom you can hand-off data security responsibilities.

“Someone needs to be responsible for patching your cloud environment. If you partner with the right third-party, they will take on that particular responsibility, so that you don’t have to,” Austin said.

Regular backups are essential to ensure business continuity should a breach occur.

Cloud Tip #3: Backup & Secure Your Cloud Data

Austin wants companies to focus on becoming ransomware resistant.

Most ransomware attacks are not aimed at personal individuals, but rather easy money.

“It’s like a random car theft,” said Austin. “It’s the people that leave their keys underneath the visor and their doors unlocked. That’s what we have on the internet right now: Companies that don’t understand what it means to have your cyber doors locked.”

Some companies, like retail organizations with credit card data, have information that is easy to sell on the black market and dark web. In these cases, there’s a monetary benefit for criminals looking to exfiltrate that data—which is then sold to others.

“Most companies that aren’t retail don’t have a lot of credit card data, or at least they don’t have enough of it to where the profit model makes sense,” said Austin. “But the bad guys figured something out: Just because there’s no one else that’s overly interested in your data, doesn’t mean that you aren’t extremely interested in your data—because without your data, you probably can’t run your business or service your customers or fill your bank accounts.”

So, let’s talk about how businesses can check up on their ransomware defenses and responses, and see where Colonial Pipeline went wrong earlier this year.

Cloud Tip #4: Checking Your Ransomware Defenses

The Colonial Pipeline breach is a story that might be near-and-dear to the hearts of our readers, because without energy sources like gas and oil, construction projects can’t make any movement. So, how did they get hacked to begin with?

They had a Virtual Private Network (VPN), which is a tool used to anonymize a company’s IP address and make it more difficult to tie a specific company to a specific IP address. However:

  • Their VPN was old, and should have been shut down but wasn’t
  • The admin account should have been deactivated but wasn’t
  • Finally, they did not use MFA

This mish-mash of factors led to the breach.

“They didn’t understand internet facing systems, or how important it is to be more careful with how you authenticate yourself,” Austin said.

More on Ransomware: Defense and Response Recommendations

Multi-factor authentication is one of the best ways to thwart cyber attacks.

Ransomware is one of the primary means cybercriminals use against businesses like construction. When it comes to protecting against ransomware, Austin recommends doing the following:

  • Patch firewalls that host your VPN once a month
  • MFA on all email accounts
  • MFA on your VPN
  • Identical local admin accounts
  • Geo-filtering all internet traffic and emails

Of all of these measures, Austin dwells on MFA for VPNs, saying it is imperative: “It’s the closest thing to a silver bullet we have in the cybersecurity industry right now.”

Contractors seeking to bid on federal jobs also have specific requirements for cybersecurity. Read more about these requirements.

While it’s never ideal to have to respond to ransomware, Austin suggests that most companies should have a pre-negotiated incident response team contracted so you have help if it happens.

Austin on MFAs: It’s the closest thing to a silver bullet we have in the cybersecurity industry right now.

Enterprise companies with mature, experienced in-house incident response teams should consider the following:

Offline backups

  • Regularly test and monitor offline backups
  • Understand and document the process to restore backups

Have at least 35% free drive space on all network drives

Some types of ransomware tools take up a lot of hard drive space. When the backup hard drive is full, the system will not be able to encrypt the data. So if you have very little free drive space and end up the victim of a ransomware incident, most of your data isn’t going to be recoverable even if you do pay the ransom.

If you use an incident response company, make sure terms are pre-negotiated

  • Agree on terms before the incident, because afterward you’ll have no leverage for contract negotiation

Notify your insurance company as soon as the incident occurs

  • Most notification requirements have very tight timelines, sometimes within 24 hours

Final Takeaway: 4-Step Cybersecurity Checklist

Create a cybersecurity checklist for the software providers you're considering to see if they pass the muster.

Austin recommends taking a look at all of your resources and asking questions about the security of your cloud data.

“You need to choose your cloud providers wisely,” Austin said. “Some cloud providers take cybersecurity much more seriously than others. Make a list of your cloud providers so you understand who to call for which concern. And you need to have multi factor authentication on any administrator accounts that run your cloud services.”

Austin has four main recommendations when looking at cloud service providers:

  1. Ensure Administrator accounts in the cloud are set up with MFA

  2. Make a list of your cloud providers and share it with stakeholders

  3. Discuss cloud security with your providers regularly

  4. Choose your cloud providers wisely!

The role of IT has expanded significantly over the past few years, as construction technology expands. You’re probably already feeling the pressure to modernize but are too busy managing multiple, disconnected solutions.

Connected, cloud-based construction software suites like Trimble Construction One have some of the latest data security safeguards in place. By hosting contractors’ data and workflows in the cloud—with daily backups, strict access permissioning, strong firewalls, and more—Trimble Viewpoint takes the IT burden off of contractors, allowing them to focus on their real work. Watch the Trimble Construction One Video below and connect with Trimble Viewpoint today to learn more.

Posted By

Ron is a Content Manager & SEO Strategist for Trimble Viewpoint. A professional writer for more than 10 years, his focus is now on showcasing the benefits of the industry's top connected construction software platform: Trimble Construction One.