Construction is data-rich and complicated, so it’s no surprise that companies in the construction sector are increasingly targeted by cybercrooks. In 2021, Construction Dive reported that construction was the #1 industry hit by ransomware (ahead of finance, astoundingly), according to a comprehensive, multinational report by NordLocker. Similarly, in a report by the Associated General Contractors of America (AGC), concerns like data breaches, cyber extortion and ransomware, fraudulent wire transfers, breach of intellectual property, and breaches of bid data were all considered high cybersecurity risks for construction businesses.
Cybersecurity in construction is mission-critical for keeping your company agile enough to respond to growing cyberthreats. Because every phase of the construction process creates a possible attack vector that would-be cybercriminals may look to exploit, it’s crucial that companies increase cyber awareness and best practices among their employees, and implement antifragile business structures that empower your workers as a strong first line of defense.
A cybersecurity vector you’ll want to shore up: Your asset inventory, which we’ll turn our attention to in this article.
On the surface, your tool and equipment inventory may not strike you as valuable to cybercriminals—full of service records, perhaps individualized short-hands used by your tool team to streamline processes, and other item-level information one might consider pedestrian.
In reality, tool theft is a rising concern costing the U.S. an annual $300 million to $1 billion. What’s more, as the physical and digital realms continually blur, access to data such as equipment location records becomes more valuable to tech-savvy criminals looking to track down possible paydays.
Costello started his career in information technology (IT) routing, switching, and IP telephony (aka: voice over IP). He eventually transitioned to a security engineering role supporting a data loss prevention tool. Thriving in this role, he eventually became a security manager, later shifting his focus from organizational security (aka: IT security) to product security (i.e., safeguarding the security of a product a company offers, how the customer perceives that security, as well as how the customer can implement the solution in a secure way).
Today, Costello is broadly responsible for the security and compliance of our One-Key application and connected products, and for ensuring, from an application security perspective, that the app is developed and deployed in a secure way to protect end users as well as Milwaukee Tool. He manages a team of security analysts, engineers, and architects who work to keep the application infrastructure secure from design to deployment. They also collaborate with security teams across Milwaukee Tool’s corporate ecosystem to keep the company’s and our customers’ data secure.
Given this specialized subject matter expertise, I looked to Costello as an advisor to offer the cybersecurity principles most relevant to inventory managers and business owners in keeping their inventory data secure.
Here’s some of his advice:
As the industry looks to execute projects with a continually narrowing talent pool, interoperability and data governance are of growing concern. Companies staring down the barrel of increasingly complicated building projects often look to building partners (e.g., subcontractors) and technology partners (e.g., software integrators) to facilitate these projects’ completion. Experts agree that software integration in the industry is going to increase by necessity, and with it the need for data security best practices grows increasingly critical.
“You may value the subset of data you share with third-party companies, or business partners, differently than they value the data,” he continues. “So, it's important for you as the customer to understand what data you're sharing and with whom you're sharing it. This will allow you to ensure the third party or business partner is placing a similar level of control around that data as you would put on it internally to your organization.”
Costello explains this kind of data security is what the security industry refers to as third-party risk management. It’s critical, he expounds, and part of any admin’s responsibilities, “managing the third party to make sure they're going to handle your data in the appropriate way.”
To put this into context, integrating your One-Key account with the project team’s Procore account or the design team’s BIM 360 account can provide important data sharing between teams, eliminating duplicate project data and helping them execute building projects faster. However, it also opens your company up to potential data leak concerns if proper controls aren’t put in place. It’s therefore important to ask questions like: “Who on these teams has access to what? Can we limit who has access to what (i.e., to only those on a need-to-know basis)?”
That’s where Costello’s next piece of advice about admins securing multi-user accounts comes into play:
Costello tells me that the multi-user admin feature within One-Key was engineered to give admins an extra layer of protection through permissioning at the account level.
The new multi-user functionality shifts to individualized logins with specific, customizable roles. These roles let admins ensure that any newly created account is given access only to what the admin determines is necessary for that team member (similar to your IT department dictating what a manager versus an employee has access to in Microsoft 365).
Costello encourages admins to take advantage of the multi-user admin feature and role customization to shore up their One-Key account security: “If you are going to have multiple users in your account, I recommend highly using our multi-user feature that was implemented for a couple reasons – one of those being so that users don't share passwords. Password proliferation and reuse is an easy way for an attacker to compromise an account. Multi-user also allows you to set up roles for users in your account. This way, they have access to the right data at the right time, while limiting access to higher level admin functionality.”
The overall security of a One-Key account, Costello explains, is ultimately the responsibility of the admin. Therefore, he recommends a couple of tips:
Another consideration for inventory-related security is making sure your tool team has proper education and (if applicable) is deploying the correct tracking hardware, properly configured, to get the best performance for each application.
Barcoding may be useful around the tool room for checking items in and out, or in conjunction with a bulk send for quick auditing and reference.
That said, using One-Key compatible tools and trackers, Costello agrees, requires a proper understanding of how Bluetooth works and how settings need to be configured to get the best performance possible with Bluetooth tracking.
“From a One-Key perspective,” Costello explains, the app “does need location services for tracking and Bluetooth enabled to connect to the tool and change configuration settings. Bluetooth is also used to identify nearby tools. That data is then tied with the phone’s geolocation data and sent back to the application.”
Other ways we commonly recommend improving Bluetooth range:
All this to say, education on GPS tracking (note that the One-Key tracking community does not use GPS technology) and where it might be used in place of Bluetooth is also important to ensure you’re applying the right capabilities for the precise scenario at hand.
Ultimately, managing cybersecurity as it relates to your asset inventory and One-Key account security is a shared responsibility between your admin and tool team. Proper education, application of account security best practices, and practicing cyber hygiene are an ongoing commitment to ensure your inventory data remains secure.
Costello offered some advice on what he, as a leader in the product security space, looks for in internal talent, as well as what to look for from cybersecurity vendors:
The construction industry remains a hot target for cybercriminals, likely due to its disjointed nature and the many possible attack vectors that open up throughout the construction process.
Furthermore, from a cybercriminal’s perspective, Costello explains, construction companies may be perceived as “easy to hold at ransom with the perception of having a lower security posture.”
All this to say, shoring up your security best practices and organizational education and training can help protect against potential hazards, keeping your first line of defense (your workers) empowered to keep attacks at bay.
Offering some parting thoughts, Costello remarked, “For anyone in the construction space, it’s important to understand that when you implement technology, it also comes with risk. You've got to look at the technology you're implementing, not only from the value it’s providing, but also what the added connectivity opens you up to from a risk perspective.”
Understanding the risk, he explains, is the first step in protecting against it.