What is risk?
Risk is the possibility of something happening that will result in a loss or negative impact. We all possess an innate understanding of risk in various ways and environments.
For instance, if we leave the stove unattended while cooking, our homes may be at risk of fire. Similarly, in a construction work environment, we may risk injury from falling objects on a project site.
In each example, we identify risk (harm to a home or our physical body) by pairing two elements together—a threat, such as fire, with a vulnerable condition, such as an unattended stove. When these elements are combined, the risk can be realized, with the negative impact ranging from a charred meal to losing a home.
So, what does this have to do with Cyber Risk?
Cyber Risk pairs the same two elements, a threat and a vulnerability, within the context of our information systems. When that loss is realized, the negative impact lands on the business, not just on IT. For example, a company may face financial loss from a job not completed on schedule; that is an operational risk, and a cyber incident is one way it can be triggered.
Using the premise of Risk = Threat + Vulnerability (a threat paired with a vulnerability it can exploit; either one on its own does not produce a loss), we can see how those business risks are realized in a cybersecurity context:
An external entity (a threat actor) may send a phishing email (threat) to an employee who may not have sufficient anti-phishing training (a vulnerability). The employee is lured into disclosing a password, which the threat actor uses to gain access to an account that does not have multifactor authentication (a vulnerability) and launches a ransomware attack (threat), which renders Gilbane systems inoperative. This results in project schedule delays and a potential loss of capital (the risk realized) due to late-schedule fees, system recovery, ransom expenses, and loss of reputation, impacting our ability to secure future work with clients (the negative impacts).
Cyber Risk is a Business Risk
When thinking in terms of Risk = Threat + Vulnerability, we can look at how other business risks may be realized without appropriate safeguards in place:

Are Construction Companies at Risk?
“We’re just builders; we don’t have anything they want. Right?”
Construction companies are often late adopters of Information Technology (IT) compared to other industries, which makes them appear less mature in IT protection and therefore an easier target for threat actors. While we may see ourselves as outside the tech field, focused on building structures, working in the field, pouring concrete, and welding steel, we rely heavily on technology in our daily operations: cell phones, laptops, crane remotes, drones for site photography, and digital cameras on project sites, plus the systems that support them in the office.
Despite identifying as a ‘construction’ company, threat actors view us as a financial opportunity to exploit due to our perceived vulnerabilities. Recognizing this perspective is crucial for improving our cybersecurity measures and protecting our assets from potential cyber threats.

What Gilbane Does to Reduce Risk
So, what are we doing about all this risk? The good news is that Gilbane as a team has done a lot of work to reduce cybersecurity risk by adding new controls and improving the ones already in place:
Always On Virtual Private Network (VPN)
Our computing devices are now configured to connect automatically to the Gilbane network whenever they are used outside the office, whether at home or while traveling. This gives every session an encrypted tunnel between the device and Gilbane, so a threat actor on the same network (home or hotel Wi-Fi, for example) can no longer intercept and read the traffic in transit. The VPN protects traffic on the path; it does not protect a device that has already been compromised, which is why the other controls below still matter.
Phishing Simulations
Gilbane’s cybersecurity team runs periodic phishing simulations and targeted spot checks across the enterprise. The aim is to prepare all team members for real-world phishing attempts from threat actors and to introduce new scenarios we see in the wild. The results have paid dividends: phish reporting has improved and the click rate has fallen from around 25% in 2018 to an average of 2% as of July 2024, giving threat actors a much smaller opening to gain access to our systems.
Cyber Security Training
Gilbane requires annual cybersecurity awareness training, and in addition to this training, we post news articles on cybersecurity hot topics to keep our employees informed.
Multi-Factor Authentication
One of the most important security features implemented at Gilbane is Multi-Factor Authentication (MFA), which has dramatically reduced what a threat actor can do with a stolen password. In the year before MFA, the Gilbane Cybersecurity Team investigated over 50 credential theft incidents caused by phishing attacks. In the year after MFA was implemented, those incidents dropped to nearly zero, and in every case that did occur, MFA stopped the stolen password from being used to get further into the Gilbane IT enterprise. An MFA prompt you did not initiate is itself a sign that your password has been stolen and should be reported.
Long Passwords and Ending Password Rotation
The National Institute of Standards and Technology (NIST) published updated guidance last year on password length and on reassessing forced password rotation. Requiring people to change passwords on a schedule tends to make them write passwords down or pick predictable variations of the old one, which defeats the purpose of the rotation. As a result, Gilbane increased the mandatory password length and complexity and eliminated the periodic change requirement; a password now has to be changed only when it is known or suspected to be compromised.
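The policy above, as an added example that is not Gilbane's own code or configuration: a small Python password check that enforces a minimum length, screens a proposed password against a breached-password list (the screening NIST SP 800-63B recommends in place of periodic rotation), and contrasts the old calendar-based change rule with the new change-only-on-compromise rule. The 15-character minimum, the 90-day legacy interval, and the five "breached" passwords are assumptions constructed for the example; the prefix-lookup function stands in for a real breach-screening service.

```python
import hashlib
from datetime import date

MIN_LENGTH = 15          # assumed minimum; the page does not state Gilbane's value
OLD_ROTATION_DAYS = 90   # assumed legacy rotation interval, shown only for contrast


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus. A real screening service
# holds hundreds of millions of entries; these five are made up for the example.
# The index is keyed by the first 5 hex characters of the SHA-1 so a client can
# query by prefix and never send the full hash (the k-anonymity range-query
# scheme used by public breach-check services).
_RANGE_INDEX: dict[str, set[str]] = {}
for _h in map(_sha1_hex, ("Password1", "Summer2023!", "Welcome123",
                          "Gilbane2024!", "Welcome2Gilbane!")):
    _RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def breached_suffixes(prefix5: str) -> set[str]:
    """Simulated range query: every known breached hash suffix for a 5-char prefix."""
    return _RANGE_INDEX.get(prefix5.upper(), set())


def is_compromised(password: str) -> bool:
    """True if the password's full SHA-1 appears in the (simulated) breach corpus."""
    h = _sha1_hex(password)
    return h[5:] in breached_suffixes(h[:5])


def check_new_password(password: str) -> list[str]:
    """Return the policy violations for a proposed password; empty list means accepted.

    Length is the primary strength control, but length alone is not enough:
    a long password that has already leaked is rejected too.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_compromised(password):
        problems.append("appears in a known breach list")
    return problems


def old_policy_must_change(last_changed: date, today: date) -> bool:
    """Legacy rule: force a change every OLD_ROTATION_DAYS regardless of compromise."""
    return (today - last_changed).days >= OLD_ROTATION_DAYS


def new_policy_must_change(known_compromised: bool) -> bool:
    """Current rule: force a change only when the password is known or suspected compromised."""
    return known_compromised


if __name__ == "__main__":
    for candidate in ("Summer2023!", "Welcome2Gilbane!", "correct horse battery staple"):
        print(candidate, "->", check_new_password(candidate) or "accepted")
    print("old policy, password 182 days old:",
          old_policy_must_change(date(2024, 1, 1), date(2024, 7, 1)))
    print("new policy, not compromised:", new_policy_must_change(False))
```

The third candidate is accepted although it contains no digits or symbols, while the 16-character second one is rejected because it is on the breach list; that is the trade the NIST guidance makes, favoring length and breach screening over forced rotation.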

Educating Employees About ‘Free’ Software
Threat actors routinely hide malware in “free” applications and downloads in the hope of gaining a foothold in an IT enterprise. In addition, software “free trials” usually carry license terms limited to personal use, not use across a company’s IT enterprise, and violating those terms can be costly in litigation and copyright claims. Unvetted software services can also lead to unintended information disclosure if the vendor is hit with a cyber-attack.
What You Can Do to Reduce Cyber Risk
Training and Awareness
Keep your skills sharp through cybersecurity educational materials, participating in webinars and workshops on cyber topics, or reading up on the latest cybersecurity trends in journals or articles like this.
Spread the Word
Some of us have encountered threat actors through phishing attempts, watched our partners or clients grapple with a cyber-attack, or even experienced such attacks through identity theft. Talk to others about their experiences and share your stories and lessons learned.
Report Any Suspected Security Incident
Cyber attacks and their negative impacts can unfold in minutes, so reporting any suspected or confirmed incident promptly is vital to limit the damage. It is equally important to report security weaknesses that a threat actor could exploit if they are left unaddressed, not only incidents that have already happened. Contact the Cybersecurity team immediately to report these conditions or events.
Conclusion
Risk reduction starts with awareness. Everyone has a role to play in reducing risk. Threat actors target construction companies and, by extension, everyone. Therefore, we are all responsible for knowing these risks and how to avoid them.