The evolution of cybercrime has executives on edge, particularly as construction increasingly uses electronic data and hosted services. ENR asked an array of vendors serving the industry how they assure customers their data is secure and their services will not become a vector for the next cyberattack.

We received responses from Aconex, CMiC, EarthCam, FieldLens, Fluid Contract Manager, Heavy Construction Systems Specialists Inc. (HCSS), JB Knowledge Inc., Nasuni, NoteVault, Panzura, Sage Construction and Real Estate, and Viewpoint Construction Software. The extended responses are in alphabetical order below.

The most often mentioned assurance is that, due to scale, management and R&D investments, customers of vendors with services built on major cloud providers—such as the Amazon Web Service (AWS) cloud infrastructure—automatically gain a lot of protection against cyberrisk. "The cloud acts as a shield," says Nikol Par, CMiC communications manager. Amazon AWS was cited as a pillar of security by several respondents, including cloud-based document storage system vendor Panzura, and voice-to-text service provider NoteVault. "Amazon is far more secure than what a company can build themselves," says NoteVault CEO Peter Lasensky, who adds that companies also need intelligent monitoring, which Amazon AWS provides. "Alerts on unusual activity set off automatic alarms that can help companies nip the problem in the bud with early detection of a breach," he says.

Other platforms received praise. Jon Witty, vice president and general manager of Sage Construction and Real Estate, cited the Microsoft Azure platform, which his company uses, as a "reliable application-hosting platform that assures the highest levels of data integrity, availability and confidentiality."

Witty and others also say industry customers should look for platforms that include notifications, audit trails and regular third-party security audits of service providers. Viewpoint Construction Software added several other considerations: "For any hosted solution, confirm that the data is being encrypted during transmission, that personally identifiable information is obfuscated, and that the vendor's data-center partner has the necessary certifications—ISO and SOC-2 and SOC-3—in place."

James Benham, CEO of JBKnowledge Inc., adds, "Those of us who have implemented security policies and procedures can certainly reassure our customer base that we have taken every reasonable measure possible to safeguard their information."

The responses:
From Rob Phillpot, co-founder and senior vice president of product and engineering, and David Chatterton, chief information officer:
The move to Software as a Service (SaaS) at the end of the internal investment cycle:

Organizations in construction and engineering are moving to SaaS. As recently as five years ago, many organizations were still skeptical of hosting sensitive data in “the cloud.”  It was unknown to many industry IT departments – even if the security offered by cloud vendors was often beyond what individual companies could achieve on their own.

It’s taken around a decade for the IT investment in internally hosted systems to be fully amortized. At the same time, certain disruptive technology trends - notably BIM and mobile – have given organizations a choice between doubling down on their aging infrastructure or moving to a sophisticated, purpose-built system backed by significant ongoing R&D.

For the same reasons that architects built their own CAD software in-house in the 80s and then moved to commercially available software, and that organizations built their own ERP systems in the 90s and then moved to commercial solutions, construction and engineering firms are now faced with choices regarding the internally hosted EDMS and collaboration systems that they’d built in the late 90s and early 2000s.
True multi-tenant environments versus shared internal environments:

The main issue with internally hosted systems is that the sensitive corporate data of different organizations on a project has to reside on another company’s network or be maintained in parallel in the organization’s own network. The redundancy of parallel systems for project information management created inefficiency and risk. Every information flow that crosses company boundaries requires manual export and import, wasting significant amounts of time on data entry and posing the enormous risk that one company’s version of the truth isn’t necessarily the same as another company’s.

The two differing schools of thought are: 1) “This is my system, and I will let people in and decide who gets to see what”; and 2) “On a common platform, let everyone have their own space that they control and then each can decide who sees their information.” Moving from the first view to the second represents a subtle yet fundamental step change in project collaboration across different organizations. It means that every company on a project can truly manage all of their project information, plus share what they want—and no more—with other organizations. As a result, the adoption of cross-company, cloud-based collaboration platforms has skyrocketed, and their inherent efficiency, risk mitigation and value have been validated by the industry.

Security protection and user authentication:

In the past, companies have adopted a “ringed fence” approach to security—i.e., build enough walls to keep others out. In construction collaboration, that isn’t enough. In addition to building enough walls, companies need to patrol their boundaries and look for unwanted visitors who may have made their way inside. Companies must avoid the trap of believing that their walls are perfect and must constantly build new walls.

If an unwanted visitor has the right credentials, then they can get inside the project collaboration system. Therefore, collaboration service providers need to offer tools that allow users and organizations to add successive layers of authentication. Traditional methods of username/password authentication are no longer sufficient. If a password is compromised, then anyone, anywhere can use it. Implementing two-factor authentication (2FA), using tokens as well as passwords, provides significant additional protection. Also, implementing single sign-on (SSO) allows organizations to integrate their internal security protocols with the SaaS collaboration platform to provide two key advantages: 1) users can pass seamlessly between their internal work and their SaaS collaboration environment; 2) the collaboration platform adheres to the company’s internal security protocols.

Significantly, in a SaaS environment, project owners and managers can apply additional security measures to other organizations that are working on the project—from implementing 2FA to additional password complexity and expiration rules. This allows everyone to have their own project space while collaborating seamlessly and ensures that the highest level of security is enforced across the entire project team.

Protection from denial of service:

Sometimes, the main security concern isn’t hacking but rather the inability to access project data. If users can’t access project information, then it might as well be lost—the project suffers and risk escalates. Preventing denial of service (DDoS) attacks is key not only for managing risk but also for avoiding potential extortion.

Managing unauthorized entry:

Companies shouldn’t assume that the security of their project collaboration system can never be compromised. They should invest in a security operations center (SOC) team to constantly monitor traffic, trends and activity to keep the platform and its data safe. If someone is logging in simultaneously from two different locations, then this is a red flag that should be addressed quickly.