PlanGrid Construction Productivity Blog
Starting a Security Program in Your Construction Company

Starting a Security Program in Your Construction Company

Securing an organization is like playing a game of cat and mouse. There is a constant need to outsmart the attackers. Today, construction companies who care about the livelihood of their future business need to start thinking less about the “if,” and more about preparing for the “when.” However, a more secure company experiences other advantages beyond protection from threats. In construction, a security program is necessary not only for the well-being of your own company but indicates to potential clients and partners that they can work with you worry-free thereby increasing your ability to conduct business in the long-term.

Although the recent digital transformation of the industry has been extremely positive, there’s never been more of a need for companies to up their security with more and more sensitive information online. Not convinced? Just think about the device policy you currently implement in your construction company. Do you have bring your own device (BYOD) policy for your field workers that allows them to use their personal computers, tablets or mobile phones? Although there are many benefits to a BYOD policy, it could be opening your company up to major security risks. In fact, according to Avanade, more than half of companies experience a security breach due to employee devices. Furthermore, CIO has found that the average cost of a data breach for BYOD environments amounts to more than $150 per device or $1.57 million in losses per company. For enterprise companies, these numbers are much higher due to the amount of sensitive data.

Nonetheless, a good security program is one that equips organizations to stay ahead of the attackers by following a methodical and continuous approach towards risk assessment and management. A solid program needs to constantly assess risks by identifying new risks and also by mitigating existing risks. If you’re looking to level up your security program at your construction company, we recently hosted a webinar titled “Why Construction Companies Should Care About Security.” 

Watch Here

Further Reading:  How Machine Learning Is Making Construction More Human

How to Ramp Up a Security Program at Your Company

Recently, PlanGrid’s executive management assessed the security posture of the organization which involved evaluating the product security, infrastructure security, security compliance, data processing integrity and effectiveness of the security policies. At the end of the assessment, executive management identified a few areas that needed ramping up, so PlanGrid is equipped to stay ahead of the attackers. Below, we’ll share with you how PlanGrid has ramped up the company’s security in the last year, as well as share how you can bring some of these tactics to your own company.

Start with Personnel

The best place to begin tightening up your company’s security is to start with people. To help you ramp up your own security in your construction company, we suggest you hire a dedicated security leader. At PlanGrid, we already had personnel dedicated to security, but our executive team identified a lack of leadership as a potential risk and an area where we could improve. As a result, I was brought on-board June 2017 to lead the security function. Ever since, we have increased our focus on standardizing our company’s security program and enhancing the detection and prevention capabilities thereby protecting our customers and their data.

Furthermore, if the resources are available, enterprise construction companies should consider building a full-time security team to truly manage the wide breadth of security threats. At PlanGrid, we have recently been building our team. The team comprises of people experienced in the areas of security compliance, data residency, product security, infrastructure security and security architecture. Furthermore, we believe a successful security program involves the whole company. Therefore, we have also built liaisons within product and sales teams to assist with the questionnaires and RFI’s requested by prospective customers.

By having leadership, a specialized team and full-involvement from other key players in your company as part of your security program, you’ll have the full support to address security concerns before they become real threats.

Implement a Security Process

After hiring the right people to manage security in your company, the next step is to set up clear processes. Well-defined processes make for efficient functioning of policies and controls and contribute to your company’s overall effectiveness to shutdown threats should they arise.

At the end of 2017, PlanGrid focused heavily on implementing policies and procedures around the acceptable use of technology, password and access. In the last few months, we have introduced a number of processes. These include:

  • Mandating the new hire security awareness training to help train employees in identifying phishing and social engineering attacks
  • SLA’s to triage and patch security issues
  • Third-party vendor assessments to ensure the security standard of the third-party vendors
  • Bi-weekly security working group meeting to identify, prioritize and address security risks for the organization.

Security processes allow for more consistent and reliable controls, ultimately providing a greater level of protection. While your construction company’s security needs might vary from PlanGrid, start by thinking about the major areas and ways you first can improve your security. Start to develop processes and policies around the areas where you can easily improve.

Another advantage of building strong processes is to help organizations certify themselves against public standards that speak for the security posture of a company. PlanGrid has achieved a SOC 2 Type II certification that speaks for the security program instilled in our company.

Review Your Technology

In a rush to adopt new technology, not all organizations really investigate the security of the software they are using. For instance, you might be using mobile technology in the field, but if it’s not powered with cloud-based project management capabilities that follow security best practices, you could put your data and company at major risk.

In addition to evaluating the technology we use within the company, in the past few months, PlanGrid has continuously investigated our own security posture of the product. To further improve the security of the product,  we invested heavily in our security architecture, including enhanced DDoS capabilities and layer 7 web application firewall. We have also built capabilities to identify security vulnerabilities in the product and have augmented our capabilities by performing security audits using qualified third-party security practitioners. Last year, we performed a full security audit of the product. While we have already launched a number of features to help customers better secure their data on PlanGrid, the team has furthered the efforts by supporting Single Sign-On (SSO).    

In your construction company, you should immediately do a full 360 review of all the technology and software you are currently using. Consult with your IT and security teams to ensure they are meeting minimum security requirements and don’t put your data in danger. If you’re using a construction productivity software, ensure it’s powered by the cloud that takes into consideration the steps outlined above and integrates SSO, if you’re already using this in your organization.

Adopt a Holistic Security Program for Your Construction Company

Often security teams tend to focus on one area of security which could lead to data breaches and compromises through other areas. At PlanGrid, our security program takes a more holistic approach by focussing on all aspects of security to identify and address latest threats. If you’re like the majority of construction companies out there today, you’re adding more data online and utilizing more technology solutions. Therefore, you need to tee up a full security policy to stay ahead, before the hacker’s catch up.

Srikanth Veeraraghavan

Srikanth graduated from the Johns Hopkins University with a Masters in Information Security. He’s spent years working in the security field, most recently as Senior Security Engineer at Zendesk and previously at Mcafee and other early stage startups. He joined PlanGrid in June 2017 as PlanGrid’s Security Leader where he is focussing on implementing an Industry standard security program along with building the security team.