Construction of any sort is a time-consuming and expensive affair. Once the costs of materials, hiring workers, permits and equipment are added up, even the smallest project is extremely expensive. Therefore, internal security is paramount within the construction industry.
"There is much more to construction than just a guy with a hammer," said a construction superintendent for a large local firm, who was kind enough to volunteer for an interview but wishes to remain anonymous. Let's call him "Jason."
Jason identified both physical and intellectual theft as the primary security threats faced in the construction industry. Theft on job sites is common, ranging from a worker's tools to entire spools of copper. The law of supply and demand drives material theft as much as it does anything else, he says. When the price of a given commodity goes up drastically - such as the spike in the cost of building materials after a natural disaster - so too does the rate of theft for those materials. This is exactly what happened in the aftermath of Hurricane Katrina: The sudden spike in copper prices led to thieves looting copper wiring and plumbing from abandoned homes.
Project sites are always physically secured with fencing, ample lighting and sometimes a security guard, but according to Jason, "these things just keep honest people honest." More important is the culture of security and camaraderie fostered among the workers. His employees receive badges and regular training to monitor everyone on a job site and recognize those who are not supposed to be there. They are taught to hold each other accountable for security and to report any thefts to supervisors. This culture of security is reinforced with random bag searches, which Jason says are performed in a manner that is informal and friendly but which readily reinforce the belief that everyone is on the lookout for theft.
Another important tool for monitoring employees is the rigorous use of statistics. By keeping track of the number and type of thefts per week, Jason can identify situations where, for instance, a new subcontractor is introduced to a project and suddenly there is a spike in thefts. Perhaps the subcontractor is directly responsible for the thefts, or perhaps he is causing a personality conflict with other workers, driving down the overall morale and indirectly leading to more thefts. Either way, by simply keeping track of the overarching statistics at play on his job sites, Jason can detect, mitigate and potentially prevent security incidents.
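The weekly tracking described above can be sketched in a few lines of Python. This is an added example, not a tool used by Jason's company: the theft counts, roster events, thresholds and function names are all constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed sample data: thefts reported per week on one job site.
WEEKLY_THEFTS = [1, 0, 2, 1, 1, 0, 1, 5, 6, 4]
# Constructed roster events: week index -> crew that started work that week.
ROSTER_CHANGES = {3: "Painter crew B", 7: "Subcontractor X"}

def flag_spikes(counts, baseline_weeks=6, threshold=3.0, min_excess=2):
    """Return [(week, count, z)] for weeks far above the trailing baseline.

    Flagged weeks are kept out of later baselines so that a sustained
    run of thefts does not quietly become the new normal.
    """
    clean = list(counts[:baseline_weeks])  # warm-up period assumed normal
    flagged = []
    for week in range(baseline_weeks, len(counts)):
        window = clean[-baseline_weeks:]
        mu = mean(window)
        sigma = max(pstdev(window), 0.5)  # floor handles a perfectly flat history
        z = (counts[week] - mu) / sigma
        if z >= threshold and counts[week] - mu >= min_excess:
            flagged.append((week, counts[week], round(z, 2)))
        else:
            clean.append(counts[week])
    return flagged

def correlate(flagged, roster_changes, lookback=2):
    """Pair each spike week with roster changes in the preceding weeks."""
    report = []
    for week, count, z in flagged:
        recent = [name for w, name in sorted(roster_changes.items())
                  if week - lookback <= w <= week]
        report.append({"week": week, "thefts": count, "z": z,
                       "recent_changes": recent})
    return report

if __name__ == "__main__":
    for row in correlate(flag_spikes(WEEKLY_THEFTS), ROSTER_CHANGES):
        print(row)
```

A roster change that lines up with a spike is a prompt for a supervisor to look closer, not proof of who is responsible, which matches the two explanations given above.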
However, physical theft is not the most pressing security issue for the construction industry. Even more critical - and vulnerable - is intellectual property. Jason not only identified current project and bidding information as valuable to competitors, but also the performance data on past projects. As he puts it, "information control is essential." By having access to the statistics on previously completed projects, a competitor can identify the strengths and weaknesses of the business down to the microscopic level and can subsequently leverage this data to gain the upper hand on the competition.
Jason has identified a number of weaknesses in the information security of his company.
First, the number of IT people responsible for assigning and maintaining company devices (smartphones, etc.) is disproportionately small, and those people are not necessarily security professionals. End users constantly want greater levels of remote control, so for the sake of convenience, more building controls are networked than ever. It often falls upon IT to set up these controls, and security is often sacrificed due to the demand to have everything up and remotely controlled as quickly as possible. Jason sees this as a recipe for disaster, especially with the potential for cyberterrorism. If a building's lights, sprinkler system and heater can be accessed over the Internet, and if these avenues are not secured, the damage a hacker can do is multiplied and spills over into the real world.
The lack of security-mindedness in the company's IT department is also present in the username and password system. According to Jason, each user is issued a password generated by a formula based on their first and last name, and every password follows the same formula. There is nothing stopping Manny Kant from logging onto Fred Nietzsche's account and gaining access to all his data. The only piece of information required is the person's first and last name. Jason says user accounts have been created according to the principle of least privilege - that is, administrative data can only be accessed by the proper personnel - but this is moot considering the ineffective password scheme in play. Again, this is the result of a demand for speed and efficiency outweighing a need for security.
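One way to keep name-derived passwords out of a system is to reject them when they are set. The following is an added example, not the company's software: the article does not state the actual formula, so the check looks for any derivation from the name, and the function names and substitution table are assumptions.

```python
import re

# Common character substitutions undone before comparing (assumed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def _normalize(text):
    """Lower-case, undo simple substitutions and keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))

def name_derived_reasons(password, first, last, min_len=3):
    """Return why a password is predictable from the user's name ([] = acceptable)."""
    pw = _normalize(password)
    first_n, last_n = _normalize(first), _normalize(last)
    reasons = []
    for label, token in (("first name", first_n), ("last name", last_n)):
        if len(token) < min_len:
            continue  # very short names would match almost anything
        if token in pw:
            reasons.append(f"contains {label}")
        elif token[::-1] in pw:
            reasons.append(f"contains reversed {label}")
    # Abbreviated forms built from the start of each name, in either order.
    if not reasons and min(len(first_n), len(last_n)) >= min_len:
        for a, b in ((first_n, last_n), (last_n, first_n)):
            if a[:min_len] + b[:min_len] in pw:
                reasons.append("combines name prefixes")
                break
    return reasons

if __name__ == "__main__":
    # Constructed candidates, using the two names from the paragraph above.
    samples = [("Fr3d.2024!", "Fred", "Nietzsche"),
               ("ehcszteiN#9", "Fred", "Nietzsche"),
               ("ManKan#22", "Manny", "Kant"),
               ("correct-horse-battery-staple", "Manny", "Kant")]
    for pw, first, last in samples:
        print(f"{first} {last}: {name_derived_reasons(pw, first, last) or 'ok'}")
```

A check like this only blocks the predictable pattern; each user still needs a unique, randomly generated initial password that must be changed at first login.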
Even among the workers themselves, the culture of security that is so passionately fostered in regard to physical theft falls short on information security matters. Jason commented that on numerous occasions, he has been the last person on a job site, only to find that all the on-site computers, logged into the company's main server through VPN, were left powered on, connected and unlocked. This is no different from leaving expensive equipment sitting out in the open unsecured - in fact, it is even more of a risk because of the value of the data on the server.
Jason's company does a lot of things right in terms of providing regular training and promoting a culture of security among the workers. However, it seems to fall short on the information-security front, which is just as much a part of security as the physical dimension. His company is not alone. Even the smallest of businesses lock their front doors after hours, but how many secure their computers? Until these two actions are seen as equals, information security will still be the weak link in the chain for many companies of all sizes and industries.
Written in collaboration with information security expert Dylan Evans, Reveal's vice president of operations.