OP-ED: Smart Technologies and Associated Cyber-Related Threats
Daily Journal of Commerce Oregon
Advances in software and technology are enabling whole industries to operate more efficiently and realize greater profits. The building industry is no exception. There are industry-tailored technical solutions for nearly every function of a construction company, including payroll/accounting, HR, project management, modeling and design, and estimating, among others. These tools enable some contractors to become design-build firms by performing tasks in-house that they previously had to outsource.
Connected, smart or “internet-of-things” devices are increasingly used on jobsites to monitor environmental conditions and equipment performance. They can provide builders with real-time insights that reduce accidents, downtime and loss. Wearable technology is used to increase workforce safety and productivity through biofeedback, and monitor personnel and equipment movement on-site.
New technologies can provide significant benefits to construction firms of all sizes. Like any tool, however, software and connected devices carry substantial risks, stemming from the large amount of data they collect, store or otherwise process. Cybercrime is on the rise, with data breaches and cyberattacks affecting more businesses each year. In addition to cyber-threats, a developing global landscape of consumer privacy laws requires awareness of evolving compliance and regulatory obligations across all industries.
Construction firms tend to do a good job of understanding and identifying risks, and making plans to manage them. While risks, needs and capabilities vary by firm, all businesses can benefit from data mapping and data minimization, and prioritizing data privacy and security in documents. Putting these principles into practice will help firms understand and reduce their data privacy and security risks, and mitigate harm in the event of an incident.
Data mapping and data minimization
An organization cannot address data privacy risks without understanding what data it handles. Data mapping involves taking an inventory of the types, uses, storage and disposal of the data the business handles. The process frequently reveals data processing activities that might otherwise be overlooked.
Outsourced and digital data processing activities can easily be missed if not mapped. For example, many connected devices require a user profile, or even allow an employee to run a program on his or her own device. If use of a device or program can be traced to an individual, the business needs to understand what data the device or program collects and the purpose of the collection, and where it is being transmitted and stored.
Data elements such as biofeedback or location data may be considered personal data if they can be used to identify an individual. Processing personal data may trigger additional regulatory and compliance obligations for the employer depending on the applicable law. It also presents a greater risk of harm from cyberattacks if accessed by an unscrupulous user. Further, if the device or program connects to other systems of the builder or the client it could present an ingress point for hackers.
Contractors typically handle personal data via HR, payroll and health care programs associated with employees. However, contractors are often targeted by hackers attempting to access the confidential or sensitive information or systems of their clients. The most widely known instance of this is the 2013 data breach of Target involving the theft of approximately 40 million credit card numbers, and costing Target more than $200 million. The thieves gained access to Target’s system via a project management platform using stolen credentials from a third-party HVAC vendor.
The data mapping process provides a good opportunity to review vendor-provided services. For outsourced services, the business and its vendor should discuss any data processing to be performed, and any controls the vendor provides to protect personal data, such as anonymization or encryption. Mapping will inform the contractor of the risks associated with its practices and enable it to identify areas where it may be able to “minimize” the data it handles.
Data minimization is the practice of limiting data collection, processing and retention to that which is necessary to accomplish a specific business purpose. Data minimization is required under some privacy laws, such as the European Union’s General Data Protection Regulation.
Even where not expressly required by law, data minimization can reduce spending as well as the cost of remediating a cyberattack. Data storage costs can add up quickly. Limiting the amount of data stored can reduce costs associated with storage and secure destruction of data. Storing excess data can increase the likelihood of a breach and the cost to remediate it. Data breach remediation efforts must be performed for every potentially compromised record. If a breach occurs, remediation costs may be amplified for organizations that store more data than necessary.
Data privacy and security in documents
Emphasizing data privacy and protection in policies, procedures and contracts helps the business stay on top of its data practices and makes it easier to identify risks. When contracting with vendors and clients, discuss how data will be processed and stored under the agreement. The contractor should pay close attention to how risks related to data processing are allocated in the agreement. The contractor may have little say in how a technological tool processes or stores the data it touches, and should be careful about assuming liability for risks that are largely outside of its control.
As jobsites are increasingly equipped with connected devices, it is paramount that the contractor have strong policies and procedures for proper data handling. Phishing, email spoofing and other social engineering attacks have become successful forms of cybercrime in recent years. These are crimes designed to trick employees into disclosing credentials or sensitive account information, such as passwords or account numbers. The attacker uses the information to make fraudulent transactions that appear authentic, such as rerouting wire payments or withdrawing funds from accounts. Maintaining written resources, such as procedures for verifying payment changes through a known channel, can help a workforce spot these attacks before falling victim to them.
In an increasingly digital construction landscape, contractors are exposed to greater amounts of data than ever. Being conscious of data processing practices will reduce risk while allowing the business to confidently integrate advanced technological solutions into its operations.
Column first appeared in the Daily Journal of Commerce on May 21, 2019.