In recent years, cyber-attackers have preyed upon the weaknesses of vendors and third parties to access computer systems at hospitals, banks, financial services firms, retailers, utilities, transportation systems and other critical infrastructure.
For many construction companies, outside vendors or third parties provide services or support for nearly every part of their construction projects.
While companies may feel confident that their own security controls are well hardened, they have limited visibility into the security controls of their vendors, which creates heightened risk exposure. Mitigating this growing area of risk requires a thoughtful mix of careful planning, objective monitoring and diligent management.
Vendor and third-party risk management must start with a solid program, with supporting policies and procedures that identify how a company will assess, manage, monitor, remediate and, in some cases, accept risks.
The proliferation of technology throughout construction projects, including the Internet of Things (IoT), has increased construction companies’ cyber-attack surface and risk exposure.
IoT has been expanding in the construction industry at a rapid pace, including site management, asset tracking, worker tracking, safety improvements and product utilization. IoT devices include wearable technologies such as smart helmets and glasses, sensors that monitor equipment, RFID tagging and tracking, and building information modeling (BIM) software.
All of these technology advances are now key components that help construction companies manage costs and reduce project risks. Additionally, construction companies will be installing IoT devices throughout their end products. Building access controls, HVAC systems, lighting, safety controls, sprinkler systems, media distribution and appliances are all included in the IoT ecosystem.
The expansion of IoT use in the construction industry, and its subsequent implementation in buildings and infrastructure, increases the number of attack vectors available to cyber-attackers, whose motives vary. They include theft of money, intellectual property and sensitive information. These individuals or groups may also want to wreak havoc on projects and disrupt supply chains.
Since all vendors and third parties aren’t equal in terms of security protocols, a vendor and third-party risk management policy must outline how the company will risk-rate its vendors. This risk-rating has many components, with the heaviest weighting in two categories: 1) What is the vendor or third party’s level of access to the most sensitive data, key systems and business processes? The more access, the higher the risk. 2) What is the vendor’s maturity level? Maturity is a reflection of several characteristics, including the length of time a vendor has been in business, its size, and the history of the product or service it offers. Generally, the more mature a company is in these categories, the more secure it is likely to be. Maturity is only a proxy, however: a long-established vendor that has stopped investing in security can still be weak, which is why the assessment questions that follow matter.
Risk assessments also should answer other questions: Has the vendor or third party kept up on its security investments? Does it train its own employees in risk management? What are its plans for cyber-incident response and recovery? How does it manage its own vendor and third-party risk? (Which, essentially, becomes a “fourth-party” risk for the construction company.)
It may be prudent to request a copy of the vendor’s cyber- and information-security procedures. Also, scrutinize the vendor’s financial posture, reputation, and compliance with laws and regulations. On-site visits also may be a good idea, especially if the company is providing data-hosting services.
Potential vendors should demonstrate that their cybersecurity program meets industry standards and, ideally, that it is certified or attested by a reputable external auditor (for example, an ISO/IEC 27001 certificate or a SOC 2 Type II report).
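The rating logic described in the preceding paragraphs (access and maturity carry the heaviest weight and set an inherent tier; the due-diligence questions, data-hosting and external certification then adjust the residual tier and the required actions) can be made concrete and repeatable. The following is an added worked example written for this page; it is not HKA's model or the authors' own code, and every scale, weight, threshold, review cadence and sample vendor in it is an assumption chosen for illustration.

```python
"""Vendor risk-rating worked example (added illustration, not HKA's model).

Access to sensitive data / key systems and vendor maturity set the inherent
tier; due-diligence answers, data hosting and external certification adjust
the residual tier and the required actions. All scales, weights, thresholds,
review cadences and the sample vendors are assumptions for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass

ACCESS_LEVELS = {"none": 0, "limited": 1, "sensitive": 2, "critical": 3}  # assumed scale
MATURITY_LEVELS = {"high": 0, "medium": 1, "low": 2}  # assumed: less mature = more risk
TIERS = ("low", "medium", "high", "critical")
REVIEW_MONTHS = {"low": 24, "medium": 12, "high": 6, "critical": 3}  # assumed cadence


@dataclass
class Vendor:
    name: str
    access: str                 # key into ACCESS_LEVELS
    maturity: str               # key into MATURITY_LEVELS
    hosts_our_data: bool = False
    # Due-diligence answers from the questionnaire (True = satisfactory)
    security_policy_provided: bool = False
    trains_staff: bool = False
    has_incident_response_plan: bool = False
    manages_own_vendors: bool = False   # fourth-party risk
    externally_certified: bool = False  # e.g. ISO/IEC 27001 or SOC 2 Type II


@dataclass
class Rating:
    inherent: str
    residual: str
    gaps: list[str]
    actions: list[str]
    decision: str
    review_months: int


def inherent_score(v: Vendor) -> int:
    """Access weighted 2x over maturity (assumed weighting). Range 0..8."""
    return 2 * ACCESS_LEVELS[v.access] + MATURITY_LEVELS[v.maturity]


def inherent_tier(v: Vendor) -> str:
    if ACCESS_LEVELS[v.access] == 0:
        return "low"  # no access to data or systems: maturity alone cannot raise the tier
    s = inherent_score(v)
    if s <= 2:
        return "low"
    if s <= 4:
        return "medium"
    if s <= 6:
        return "high"
    return "critical"


def due_diligence_gaps(v: Vendor) -> list[str]:
    checks = {
        "no copy of cyber/information-security procedures": v.security_policy_provided,
        "no employee risk-management training": v.trains_staff,
        "no cyber-incident response and recovery plan": v.has_incident_response_plan,
        "no management of its own vendors (fourth-party risk)": v.manages_own_vendors,
    }
    return [gap for gap, ok in checks.items() if not ok]


def rate_vendor(v: Vendor) -> Rating:
    inherent = inherent_tier(v)
    gaps = due_diligence_gaps(v)
    idx = TIERS.index(inherent)
    if inherent != "low":
        if len(gaps) >= 2:  # weak questionnaire answers push the residual tier up one level
            idx = min(idx + 1, len(TIERS) - 1)
        elif not gaps and v.externally_certified and inherent != "critical":
            idx -= 1  # clean questionnaire plus certification earns one level of credit
    residual = TIERS[idx]
    actions: list[str] = []
    if residual == "low":
        decision = "accept (gaps recorded, no remediation required)"
    else:
        actions += [f"remediate: {g}" for g in gaps]
        if v.hosts_our_data and residual in ("high", "critical"):
            actions.append("on-site visit before on-boarding")
        if not v.externally_certified:
            actions.append("obtain external audit evidence (e.g. ISO/IEC 27001 or SOC 2 Type II)")
        decision = "remediate before on-boarding" if actions else "accept with monitoring"
    return Rating(inherent, residual, gaps, actions, decision, REVIEW_MONTHS[residual])


if __name__ == "__main__":
    samples = [  # constructed sample vendors, not real companies
        Vendor("Site-sensor telemetry host", access="sensitive", maturity="medium",
               hosts_our_data=True, security_policy_provided=True, trains_staff=True),
        Vendor("BIM platform provider", access="critical", maturity="high", hosts_our_data=True,
               security_policy_provided=True, trains_staff=True, has_incident_response_plan=True,
               manages_own_vendors=True, externally_certified=True),
        Vendor("Temporary fencing supplier", access="none", maturity="low"),
    ]
    for v in samples:
        r = rate_vendor(v)
        print(f"{v.name}: inherent={r.inherent} residual={r.residual} "
              f"decision={r.decision} review every {r.review_months} months")
        for a in r.actions:
            print("  -", a)
```

Two design choices are worth noting. A vendor with no access to data or systems stays low-tier regardless of how weak its questionnaire looks, so the program does not spend remediation effort on a fencing supplier; its gaps are still recorded, which is the "accept risk" path. Conversely, a vendor with critical access never earns a lower tier on certification and paperwork alone, because the access it holds is what makes it dangerous.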
Companies should implement their own controls and risk management systems for vendor and third-party risk-rating, due-diligence, on-boarding, continuous monitoring and off-boarding. There are several risk management software programs on the market. In most cases, one solution alone may not be enough, and companies should select tools based on their immediate and long-term needs and budgets.
Training can be invaluable in on-boarding new vendors and managing overall vendor risk, and should be updated as new technologies, and new risks, emerge.
It’s important to remember that cyber-attackers aren’t going away. To effectively manage and minimize risk, companies must establish, maintain and continually improve a comprehensive cybersecurity program that manages risk at all levels and at all touch points. While the task is not easy, it is achievable.
The information provided in this article is intended for general educational purposes only—it does not constitute legal, accounting, or other professional advice, and it should not be relied upon as the basis for your business decisions.
Michael Corcione is a Partner at HKA, and has more than 30 years of experience in advising companies and boards of directors on technology, cybersecurity and privacy and risk management strategies.
Frank Giunta is a Partner and head of HKA’s Americas Group. He is an experienced expert in the area of construction claims, disputes and risk mitigation.