Cybersecurity: Trends & Actions to Implement Immediately

As security threats have changed over the years, from structured query language (SQL) injection attacks to malware to phishing and ransomware attacks, one risk factor has remained constant: Unsecured passwords, phishing, clickbaiting, and other security risks center around exploiting human tendencies to inherently trust the information they are presented with and act promptly.

Any approach to improve organizational security must consider the effect of humans and the culture of information security in which they operate. 

Exhibit 1 presents the most concerning threats in the U.S.; in our experience, more than 40% of the top cybersecurity threats are strongly influenced by a human factor in some way, shape, or form.

This article will discuss how to adopt cybersecurity measures based on people, processes, and technologies to improve the security posture of your company.

But before implementing any cyber solution, it’s important to first look at what types of cyber breaches occur – and why they happen – to get a clearer picture of which areas to focus your attention.

What We’re Seeing

Cybersecurity breaches and incidents are overwhelmingly financially motivated – 86% of breaches and 65% of cyber incidents are motivated by financial reasons, and organized crime is by far the largest threat.1 Trustwave’s 2020 Data Security Index finds that malware and ransomware are the most concerning threats,2 and Verizon’s 2020 Data Breach Investigations Report (DBIR) finds that hacking and phishing are the most commonly occurring threats.3

Anticipated vs. Actual

What cybersecurity planners are anticipating does not match actual attacks. For instance, in the U.S., only 13% considered phishing the most concerning threat vs. 38% for ransomware; however, when looking at the actual attacks, 24% experienced a phishing incident vs. 30% who experienced a malware attack (Exhibit 2).4 Therefore, using better threat intelligence to inform cybersecurity spending is an important consideration given how thinly spread cybersecurity resources are in a typical organization.

Hacking

When it comes to hacking, more than 80% of breaches involved brute-force attacks, often using lost or stolen credentials. In comparison, exploiting unpatched vulnerabilities constituted about 15% of all hacks. Phishing is the most common form of cyber breach experienced.5

According to the 2020 DBIR, 96% of social actions were triggered over e-mails. In the past, this has caused the U.S. Securities and Exchange Commission to release a business e-mail compromise advisory6 to alert auditors of public companies and senior management about this specific risk.

The Impact to Construction

The construction industry may not come to mind when you think about data breaches, but hackers are always integrating new industries into their ecosystems. For the first time, the 2020 DBIR examines trends in the construction industry with respect to breaches and shows that it suffers from weak web application, social engineering, and ransomware attacks (like phishing) the most.

A phishing test conducted as a part of the DBIR survey noted the low number of submissions to clickbaits. Overall, there were 37 reported incidents, of which at least 25 had confirmed data disclosures. Another trend that we have noticed over the past few years is that the risk to small and large companies is similar, so a company’s size does not insulate it from being attacked.

If you have not done so already, start by selecting a suitable framework to fit your organization. Depending on the company’s size, complexity, and regulatory needs, various cybersecurity frameworks are available like that of the National Institute of Standards and Technology (NIST) as well as the Information Systems Audit and Control Association’s (ISACA’s) Control Objectives for Information and Related Technology (COBIT).

However, the Cybersecurity Maturity Model Certification (CMMC), an emerging framework from the U.S. Department of Defense (DOD), may be the most relevant to the construction industry, particularly to those that work on defense contracts or for defense contractors.7

The CMMC Framework: A Tiered Approach to Cybersecurity

Building on NIST’s 800-171 standard, the CMMC moves away from self-assessments and toward external assessments, depending on the maturity level. The goal of this framework is to increase the protection level of data and information within the supply chain of the DOD by managing federal contract information and controlled unclassified information (CUI) from public access and release. The CMMC outlines five maturity levels as shown in Exhibit 3.

Actions to Implement Immediately

Information Security Policy

An information security policy is the foundation upon which every contractor should build its security model. According to cybersecurity expert Larry Alton, lack of a formal strategy is one of the most common weaknesses, especially in many small businesses.8

A good information security policy lays out a high-level guideline to define a security strategy, connects it to other relevant and common policies (like an acceptable use policy), and provides the bedrock on which other procedures and standards can be built. Common themes of a well-written information security policy include:

  • Simple and easy to understand
  • Enforceable but reasonably flexible
  • Updated to remain current
  • Describes the high-level approach to secure data and systems (e.g., defense-in-depth)

If you are a CFMA member login to continue reading this article. If you aren't a member yet and would like unlimited access to all of the content on cfma.org, plus a variety of other benefits, join CFMA today!