The local Portland, Oregon, CFMA chapter held an Emerging Issues meeting at which cybersecurity and legislative issues took front and center. Michael and I attended, and there were many useful tidbits, which I've summarized here.
Cybersecurity threats and best practices
An opening statement by one attendee pointed out that, "Construction companies keep their valuable data on site, on their own servers, with on-site software. And they don't do regular security updates to the software."
At first glance, this does not seem too bad of a process. After all, most small companies do exactly this.
Enter "ransomware," or "cry-ware" as some call it. Take a guess why it's called "cry-ware."
An example given during the meeting involved a construction company (about 20 million in revenue) that recently had its internal servers taken over by ransomware. The company lost access to all project information, accounting information, and customer information. Everything it kept on its servers became inaccessible during the ransomware attack.
The ransom was set at 50K in bitcoin, which the company ended up paying to unlock its data. Unfortunately, it took two weeks of intense activity to get things back to normal, plus bringing in outside experts to help clear up the mess. The culprits were neither caught nor identified. The total cost was well over the ransom paid.
It turns out that small and medium-sized companies are prime targets for ransomware. Invoices embedded in email, and email in general, are highly susceptible to attack.
Small and medium-sized companies, like most construction companies, have cash or access to cash and valuable data, but not the security in place to properly protect that data. Often these companies cannot afford a staff of cybersecurity experts to watch over the servers 24 x 7 x 365 the way cloud-based companies and full-service data centers do.
Cybersecurity Training Best Practices
In response, many IT organizations hold training on cybersecurity. Even surety companies offer cybersecurity training and insurance coverage in case of a successful attack. However, this coverage is new and still developing.
As part of the training, the IT groups send out test "scam" messages to employees to test their knowledge. The test email is not a set of questions to answer; the test is whether the employee opens the email and whether they click on the link. This small action of clicking on the link can open the door to hackers, giving them access to internal servers and data. Employees who fail the test are immediately put back through training.
Best practices discussed include not opening suspicious emails, personally calling the sender to verify the legitimacy of the email, and reporting the email to IT security.
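As an added example (not from the meeting or from any vendor's tool), here is a small Python script that scores a simulated-phishing campaign the way the attendees described it: anyone who clicked the link is flagged for retraining, and reporting the email without clicking counts as a pass. The log format, campaign id, employee names and events are all constructed for the example.

```python
"""Score a simulated-phishing campaign from click-tracking logs.
Each constructed log line:  <timestamp> <campaign> <employee> <event>
where event is one of: delivered, opened, clicked, reported."""
from collections import defaultdict
# Constructed sample log for one campaign; not real data.
SAMPLE_LOG = """\
2024-03-04T09:01:12 camp-07 alice delivered
2024-03-04T09:01:12 camp-07 bob delivered
2024-03-04T09:01:12 camp-07 carol delivered
2024-03-04T09:03:40 camp-07 alice opened
2024-03-04T09:04:02 camp-07 alice clicked
2024-03-04T09:05:15 camp-07 bob opened
2024-03-04T09:05:50 camp-07 bob reported
2024-03-04T09:06:00 camp-07 alice reported
2024-03-04T09:07:33 camp-07 dave clicked
malformed line that the parser must skip
"""
EVENTS = {"delivered", "opened", "clicked", "reported"}

def parse_events(log_text):
    """Return {employee: set(events)}; malformed or unknown lines are skipped."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in EVENTS:
            continue
        seen[parts[2]].add(parts[3])
    return dict(seen)

def classify(seen):
    """Map each employee to 'retrain', 'pass' or 'no_action'.
    A click is the failure condition, so alice is retrained even though she
    reported afterwards; bob reported without clicking and passes.  dave was
    never on the delivery list but clicked (likely a forwarded test mail)."""
    outcome = {}
    for who, events in seen.items():
        if "clicked" in events:
            outcome[who] = "retrain"
        elif "reported" in events:
            outcome[who] = "pass"
        else:
            outcome[who] = "no_action"
    return outcome

def failure_rate(outcome):
    """Fraction of everyone who touched the campaign who clicked the link."""
    return sum(v == "retrain" for v in outcome.values()) / len(outcome) if outcome else 0.0
```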
One attendee mentioned how cloud-based software can, in some cases, offer 24 x 7 security and performance monitoring that is simply not done in small and medium-sized companies trying to staff their own IT groups.
Attendees generally agreed that cyber attacks are a big issue and many recounted recent experiences receiving suspicious emails.
New legislation under consideration that affects the construction industry
Bill Joseph, a Dunn Carney partner and experienced construction litigation attorney, presented what is happening in the Oregon legislature that will affect construction companies' ability to do business.
Some of the highlights from Bill Joseph's presentation:
Increase the number of apprentices on public jobs. The legislation (HB-2162) requires public projects to set the percentage of apprentices working to 10% of the "apprentice-able" hours. This would have to be tracked and proven if audited.
Flex work schedules for workers, including (sub)contractors (SB-828). Workers are by law allowed to swap hours worked with other equivalently skilled workers. Construction contractors are exempted for now, but the discussion continues in the legislature.
There was a lot of legislative discussion about whether there can be mandatory drug testing and drug-free work zones, especially in light of marijuana legalization. The question is whether companies should be allowed to test for drugs and send workers home even if they are not "high" at the moment. This bill did NOT pass but is being aggressively pushed.
Energy efficiency capabilities built into all new structures, added to the building codes. This means all new buildings, including residences, must have at least the capability to add water efficiency, solar energy, gray water treatment, and seismic upgrades built into the structure on site. This has NOT yet passed.
Demolition construction waste handling. Asbestos and lead are the main concerns. Asbestos and lead will need to be separated from the rest of the waste and disposed of in specialty waste disposal facilities. The waste will require certificates identifying it as asbestos-free and lead-free. The legislation targets residential work, covering both private owners and contractors. There are pilot projects in place now in Washington and Multnomah Counties. This did not pass state-wide. Expect this legislation to gain momentum in the future.
More attacks from hackers and new legislation will keep IT, finance, management, compliance, and legal teams busy at construction companies.
Keep your eyes on these topics so you can be prepared when it happens in a state near you!
Phil Bride, Construction business consultant and business development coach