Cybersecurity incidents are on the rise and contractors need to be prepared.
Karen Higgins-Carter, CIO of Providence, Rhode Island-based Gilbane Building Co., brings a wealth of experience from previous roles protecting the banking and financial services industries from cybercriminals. She warns that the Internet was not originally created to be secure and that the onus is on contractors to ensure they are up to today’s security demands.
Here, Higgins-Carter spoke with Construction Dive about where the biggest threats come from, how Gilbane keeps its employees up to date, and what the industry can do to protect itself.
Editor’s Note: This interview has been edited for brevity and clarity.
CONSTRUCTION DIVE: What is the state of cybersecurity in the construction industry?
KAREN HIGGINS-CARTER: I’ll start with my take on cybersecurity in general. I think it’s important to understand two things. First of all, the Internet was not designed to be secure. It was designed to be open. Second, we will continue to see a volume of attacks coming from countries that are effectively safe harbors for this type of activity.
Karen Higgins-Carter
Permission granted by Gilbane Building Co.
Because of this environment, we are seeing the regulatory response. SEC Disclosure Requirements being, in the first place, that they were implemented in December.
What I find is the need to adjust and connect with our people based on their current level of consciousness. There’s a predictable cycle to bring our people from a position of not really being aware of threats to feeling invested in protecting the company and being on board with that mission.
How do you get everyone to an optimal level of comfort with cybersecurity when their experiences are different?
One of the things we’ve implemented in construction, in terms of our innovation practices, is responsible innovation. That it is important to take risks to grow.
There is no risk-free path to achieving your strategic goals.
Where this is important in innovation is understanding, how does this innovation help our strategic goals? What are the inherent cybersecurity risks we need to identify? And as part of experimenting, scaling and innovating, we need to make sure we’re mitigating these risks at the same time. There is a level of awareness that goes through the innovation process.
What are the biggest risks for builders right now on the cybersecurity front?
As for the two biggest attack vectors, the first is phishing. This is why awareness is so critical, because people are the first line of defense against phishing attacks.
The second attack surface involves application programming interfaces. Our connectivity with third parties and third party software providers is the next most prominent threat.
Where this influences our industry, and where there really is an opportunity for leadership, is working with our software vendors.
With the recent investment in construction technology and many startups, security is not necessarily first on their roadmap when it comes to demonstrating early returns for their investors.
Recognize that we can have a collective voice as an industry and help these software vendors achieve a higher level of capability, particularly in API security. Sometimes marketers can make it sound very easy, and it’s really something that we as end users have to deal with.
What does Gilbane do to stay safe?
From a strategic perspective, our board is dedicated to cybersecurity. We’ve written what we call a cybersecurity risk appetite statement. This is a practice I brought from banking, which involves identifying how a cyber security attack creates losses for Gilbane and affects our customers.
So, let’s identify these main risks and, based on this view, how they would affect us. We have a cybersecurity program where we prioritize our cybersecurity investments in processes and controls to mitigate these risks.
We prioritize the safeguarding of our customers’ confidential information. We protect the data of our employees because it is personally identifiable information. There is other inside information about some of our investments in our development company.
I would say the other aspect of what we protect is an interruption in a business process.
If our workplace can’t function, because Gilbane or one of our commercial contractors suffers a ransomware attack and can’t access their systems, we also look at how a critical business process would be affected and then how you handle that. impact
What can the construction banking and finance sectors learn about cyber security?
First, I think we can really collaborate on threat intelligence.
And I don’t mean sharing general best practices. I mean very specific threat intelligence, so that we can collaborate and work together to prevent that same threat from affecting another company.
I think the second thing we can do is collectively and proactively define our security expectations, especially for software vendors.
Given the volume of investment in building technologies, startups typically don’t focus on security first. Some yes, some no. But acting with a collective voice to express what our standards are is what we need to do to mitigate this third-party risk.
