Cybersecurity - the notion of protecting digital systems and assets from intrusion - is not a new concept, but one that increases in relevance every year. As our industry becomes more technologically advanced, it’s only natural for industry cybersecurity practices to grow alongside innovations like e-Construction software and the construction cloud. In the past few years alone, entire DOTs have been shut down due to cyberattacks. The way we protect our networks is more important than ever.
In the second episode of Let’s Be Civil, cybersecurity experts Marty Provost, Doug Couto, and Ben Smith break down cybersecurity trends, philosophies, and best practices in a moderated discussion led by Chad Schafer and Nate Binder.
Cybersecurity is becoming a matter of infrastructure.
In the first episode of Let’s Be Civil, we provided an in-depth look at the Infrastructure Investment and Jobs Act and the ramifications it would have on our industry. In this episode, that conversation continues with a narrower focus on cybersecurity. With several funding items in the bill to support cybersecurity efforts at state agencies, Washington DC is making it clear that it is a top priority for them, on par with revitalizing the nation’s physical infrastructure.
“What’s interesting to see is that there are callouts in the infrastructure bill for cybersecurity, where we typically might think of traditional infrastructure as roads and bridges.” - Chad Schafer
Cloud migration is coming for DOTs.
As DOTs try to figure out how to make the most of limited IT budgets, more and more are turning to cloud hosting for their software and systems. Moving from on-premises legacy software to a cloud-hosted service takes responsibility and accountability for cybersecurity out of the agency’s direct hands so they can focus on their primary duties.
“What I’m hoping to see is more of the cloud-first strategy at DOTs to get the cybersecurity responsibilities out of the DOT and putting it in the hands of the experts, so to speak. And I think some of the additional funds that are coming might get agencies to start looking at their on-premise legacy systems and how they might replace them with cloud-based, SaaS offerings.” - Marty Provost
Training and education are a crucial line of defense.
An organization can have a robust firewall, advanced defensive controls, monitoring systems, and more, but none of it will matter if the organization’s staff are not trained to identify and respond appropriately to common cybersecurity threats. All it takes is one unaware employee clicking a fraudulent link in a phishing email to compromise an entire network. Regular training and education are crucial to protecting your organization.
“People are the number one cause of ransomware attacks. Some agencies have seen the failure rate go from 20% to 2% or 3% by investing in training and tools to test employees. You want to create a workforce that is cyber-aware.” - Doug Couto
Incorporating guardrails into company policy is key.
Even with the comprehensive training that we recommend, mistakes happen. We’re all human, and humans are imperfect by nature. One way to ensure employees don’t accidentally invite a malicious actor into your systems is to limit their access to certain areas of your network. Limiting everything from Chrome extensions to software downloads can help ensure your organization stays protected.
“There are some things we’re always going to fall back on as humans, like convenience. Those are areas where it’s also necessary to have a framework to regulate certain software or the way something incorporates your passwords, and making that something that’s part of company policy to prevent human nature from weakening that system.” - Ben Smith
Cyberattacks should be treated like any other disaster.
When natural disasters occur, response plans provide thorough guidance and next steps for the organization to take to prevent further harm and begin the repair process. This documentation is not always prepared for cyberattacks, but it should be. As we’ve seen, cyberattacks can shut down physical infrastructure just as effectively as natural disasters and should be treated as such.
“If you have a plan in place, you’re able to respond and deal with issues much quicker. I’m seeing more and more emphasis on that incident planning response. Just like we plan for any other incident - we plan for weather events and power outages, hurricanes, tornadoes - we should plan for cyber outages.” - Doug Couto
Multi-factor authentication is the most essential cybersecurity best practice for any organization.
Chances are you are already using multi-factor authentication in your personal life, most likely through your financial institution. Instituting this highly effective defensive barrier is our most recommended cybersecurity practice for any institution.
“Multi-factor authentication is the single most effective protection you can employ. It’s not going to solve all of your problems, but it really takes a big chunk out of your organization’s vulnerability.” - Marty Provost
For a deeper dive into industry cybersecurity and best practices, check out the second episode of Let’s Be Civil, here.