CPA Now
Aug 26, 2016

How Construction Contractors Can Reduce Their Risk of Cybercrime

By Mark A. Eich, CPA, CISA, CliftonLarsonAllen LLP


I wish I could tell you there was a singular solution to prevent a cyberattack from hitting construction contractors, but it just isn’t that simple.

However, there is a collection of protections you can put in place to help keep hackers at bay, safeguard your data, and keep your business from becoming victimized.

Since most hackers enter a system via phishing e-mails, you should establish internal controls in your IT processes and user functions. Those controls may vary based on the risk factors of each contracting company, but the focus should generally be on two areas: process and systems.

Controls for Business Processes

  • Be suspicious of “urgent” requests for payment from someone you would normally trust, like an existing vendor or colleague. That person could be a hacker who has gained control of your colleague’s e-mail. Instruct your staff to pick up the phone to verify the legitimacy of the request.
  • Be wary of sudden changes in business processes, such as a colleague requesting payment outside of the normal payment protocols.
  • Establish a threshold limit for online banking, especially transactions over a certain dollar amount or those that go to foreign suppliers or banks. These instances should require vendor or colleague call-back protocols.
  • Engage a specialist to perform periodic vulnerability or penetration tests to determine if your system is susceptible to attacks and to validate that controls are functioning as intended.

Controls for Servers, Workstations, and Users

  • Include spam filters in all e-mail processors that will flag, alert, or block suspicious messages and attachments. Make sure those spam filters are updated according to your vendor’s schedule.
  • Minimize user access and require passwords on all administrative functions, such as installing software and programs.
  • Disable, rename, or password-protect all “guest” and “administrator” accounts. These usually come with default passwords that, if left unchanged, invite easy access.
  • Mandate complex passwords (numbers, symbols, cases, minimum character length, etc.) and require changes every 90 days.
  • Ensure servers and workstations are updated with the latest software, including a validated patch-management process.
  • Educate staff on the danger of e-mailing or sharing passwords, clicking on links in unsolicited e-mails, and allowing others to use their laptops.
  • Regularly review security logs that track password changes, unauthorized log-in attempts, or changes to data files. React quickly to identified anomalies, which could indicate a vulnerability.
  • Make sure your IT personnel are getting continuing education to keep abreast of the latest hacker methods.

Basic security practices can give you a false sense of safety. A multilevel security protocol and regular assessments can help you keep hackers at bay and safeguard your construction data.


Hear more from Mark Eich about cybercrime in the construction industry at PICPA’s Construction Industry Conference on Oct. 10 in Malvern or via webcast, and on Oct. 11 in Cranberry. View the agenda and register at www.picpa.org/construction.
