As a hands-on field, it’s natural for construction to focus more on quality assurance, achieving deadline and budget targets, or operating in an environmentally responsible way than cybersecurity. Yet, digital threats can derail otherwise fine-tuned construction operations if their knowledge and implementation of cybersecurity best practices are lacking.
Awareness of the regulations governing data protection for the construction sector is a good start. This article introduces key regulations, explains why compliance is essential, and offers ways of ensuring it.
Why Is Ensuring Compliance Important?
The construction sector is a prime cyberattack target. According to ReliaQuest, there are more cyber-related incidents in construction than in transport, manufacturing, or retail.
On the one hand, construction is receptive to developments like the integration of IoT and AI, which may be easy to compromise because of design constraints or undiscovered vulnerabilities. On the other, it's a field where legacy software still plays an important role, and the lack of continued vendor support means old vulnerabilities remain unpatched.
The sector also attracts diverse attackers. Conventional hackers may extort construction companies through ransomware or set up fake contracts and use phishing to steal funds. Moreover, state-sponsored actors may exploit construction companies’ lax cybersecurity to obtain strategic information on buildings and infrastructure.
Which Regulations Do Construction Companies Need to Comply With?
The industry is working with governments to develop standards and laws that strengthen companies’ cybersecurity posture. Failing to comply with the following regulations may result in fines, higher insurance premiums, and missing out on desirable contracts.
ISO/IEC 27001
Meeting the International Standards Organization’s information security standard is a baseline for establishing compliance and trust. It establishes guidelines for secure management of sensitive information and for setting up and developing information management systems.
NIST CSF 2.0
The National Institute of Science and Technology’s Cybersecurity Framework is a flexible set of guidelines that help companies of various sizes in different industries adopt cybersecurity best practices. While not mandatory, compliance with the CSF promotes regular monitoring, bolsters cyber threat resilience, and helps establish incident response plans.
Consumer Data Privacy Laws
A growing number of regulations center on citizens’ rights to data privacy and security. The trend started with Europe’s GDPR, but similar laws are now active in most countries and 20 states. Compliance involves transparency about the data companies collect and the steps they take to protect it. Individuals also have the right to amend data on themselves or have it removed.
CMMC
The Cybersecurity Maturity Model Certification is issued by the U.S. Department of Defense. It is a prerequisite for contractors wishing to apply for government defense contracts involving sensitive information handling.
HIPAA
Companies engaged in construction or renovation work on any buildings and infrastructure that may have employees come into contact with personal healthcare information must adhere to standards prescribed by the Health Insurance Portability and Accountability Act.
How to Ensure Compliance?
Data security is at the heart of all mentioned regulations, so implementing steps to secure it is fundamental. Specifically, construction companies need to develop policies on what data they collect and limit collection to a reasonable minimum to reduce their attack surface. They also need to track and dispose of obsolete and unnecessary information. Finding the best data removal services may be necessary to dispose of sensitive information properly.
Secure backups and stringent access control are instrumental in protecting the data that matters. Regular backups are an effective measure against ransomware. They are necessary for maintaining normal business operations and for quicker recovery after disasters and other unforeseen events. Keeping several backups, both digital and in separate physical locations, is the norm.
Monitoring and access control prevent unauthorized access to sensitive data. A reputable business password manager can effectively and affordably handle unique password generation and storage for companies of any size. Its encrypted vaults and support for two-factor authentication may be enough for smaller companies. Enterprises should supplement password managers with wider-reaching measures such as role-based or mandatory access controls and single sign-on.
Conclusion
The construction industry might be among the worst-hit cybercrime victims, but it’s also learning from its mistakes and adapting. Being aware of the threat, along with the regulations and best practices developed to combat it, will ensure your company continues to thrive despite the uncertainty.