Leveraging Cybersecurity as a Market Advantage
By PATRICK NORD, PAUL CORMIER AND JAY SNYDER
Let us take a moment to understand the magnitude of the threat. By
Accenture’s count, the total cost of cybercrime per company increased
from $11.7 million in 2017 to $13 million in 2018—an increase
of 12%. According to the Internet Crime Complaint Center (IC3),
financial losses associated with cyberattacks reached $2.7 billion in
2018, with the most devastating threats including investment scams,
business email compromises and romance fraud.
As the number and types of cyberattacks continue to proliferate
worldwide, the impacts of these crimes are being felt by everyone
from individual consumers to global corporations. Unlike five to
10 years ago, when most cyberattacks targeted large organizations,
financial institutions and computer networks, cybercriminals now
target smaller organizations in industries that wouldn’t have traditionally
been on their radar. The emergence of cloud computing
and the Internet of Things (IoT), notably, can unknowingly expose
companies across all industries to threats that they didn’t worry
about when their IT infrastructure was housed within their office.

Engineering and construction firms need every edge they can get in their competitive business environment. Let us provide context for the growing
risk of cyberthreats and share stories of contractors who have successfully pursued cybersecurity as an advantage in their market.

In this article, we will explore the key reasons E&C must pay attention
to cybersecurity, advise which steps to take to establish a
good cybersecurity front, and show how three different firms are
practicing improved security measures as an advantage when positioning
in their market.
The Threats Are Vast and Expanding
As mentioned, the hacking industry is vast, expanding and growing
at a ferocious pace. A veritable playground, the web provides
resources, data and information that are even used by hackers and
other cybercriminals to set up research and development (R&D)
departments. The threat is real, organized, incentivized and adept at
pouncing on low-hanging fruit.
Specific to E&C companies, the threat is exacerbated by the industry’s
increased use of technology. Ten to 15 years ago, it wasn’t unusual
to see companies running their businesses with only landline
analog phones, forms (do you remember “Goldenrod”?), pencils
and an occasional spreadsheet (usually housed on a single computer
hard drive). Except for “dumpster divers” seeking sensitive
data that was disposed of without being shredded and the internal/employee
threat, these methods were considered safe.
As E&C firms adopted enterprise solutions, cloud-based applications,
mobile devices and smartphones, this sense of security diminished.
Concurrently, cybercriminals realized they didn’t need
an elaborate plan to disrupt well-respected companies like Target,
Yahoo! or Equifax; they could prey on smaller entities and their
supply chains, which often neglect to maintain the most up-to-date
cybersecurity infrastructures and policies. Industries already under
direct attack, like healthcare, energy/utilities and state/local governments,
to name just a few, have a new avenue to vulnerabilities:
E&C firms and the built environment’s supply chain.
From our perspective, E&C is particularly vulnerable to cybersecurity
threats because of the industry’s general lack of awareness or
sense of urgency around this risk. Put simply, most E&C companies
lack the experience needed to identify, prioritize and mitigate
cyberthreats because, in the past, the risks weren’t prevalent, and
cybersecurity experts weren’t focused on the industry. As a result,
the typical construction firm’s IT staff provides support and expertise
more along the lines of a “help desk”—a group that keeps
employees online and that prepares technology equipment for deployment
to the field. These folks are not trained on cybersecurity,
nor do they have the resources they need to be able to identify and
address these risks.
Here’s the good news: E&C firms that do make cybersecurity a
priority have a definitive leg up on their competitors that choose
to ignore it until a catastrophe occurs. By implementing policies,
processes and resources to address this issue, companies can position
themselves as both forward-thinking and proactive. To illustrate
the value of prioritizing cybersecurity for E&C firms, here are
three stories about firms that were impacted by cyberthreats and
turned these events into an opportunity to dramatically improve
their business security and lower their risk, readying them to position
cybersecurity as a market advantage.
To this point, by simply ensuring that all operating systems, software
and third-party applications are up to date and running on
the latest software versions, E&C firms will have taken the first
precautionary step needed to ward off the latest threats.
Battling Ransomware
After falling prey to a MegaCortex ransomware attack in 2019, one
solar installer was left to sort out all its files, a recovery process
that took weeks. Originating through phishing emails, the
attack was devastating for the firm. “All of our files were encrypted,”
the company’s owner said. Fortunately, the firm had already
completed a cybersecurity vulnerability assessment prior to the
attack and was already starting to work on the items of highest
priority.
Since the attack, the company has been taking proactive steps to
combat any future breaches.
“We’ve probably done 20 things already to make things better,” said
the owner. For instance, it improved its password policy; refined its
account accessibility privileges (limiting them only to those users
who need access to certain accounts); and began using the Barracuda
email filtering program.
The solar installer now also takes a more calculated approach
to working with new business partners, knowing that its vulnerabilities
are not just limited to the space within its four
walls. “We collaborate electronically and share sensitive data,
so we want to work with partners that have good processes
and programs in place,” he said. “We’ve invested in a sophisticated
IT practice and we now have a road map that supports
our digital transformation.”
The De Facto Standard
For one commercial contractor, combatting cyberthreats has
meant disconnecting an employee’s laptop from the corporate
network in order to address a ransomware or phishing
threat (usually by reformatting the laptop). Fortunately, these
quick moves have kept the company from experiencing an
enterprise-wide cyberattack.
“We’ve had employees click on unsavory links or websites
and inadvertently download ransomware,” said the company’s
president.
To minimize these occurrences, the company has developed
internal policies outlining how to react when there is a potential
breach. First, it identifies the breach and where it originated
from, then it figures out the impact. Finally, it notifies
all responsible parties about the impact to its business units
and works to remediate the breach.
Its president sees these procedures and processes as extremely
important in today’s E&C environment. “Going forward, it’s
going to be the de facto standard,” he said. “We’re all going to
need to have stated—and understood—cybersecurity policies,
systems and services in place.”
If We Don’t Have a Good Answer, We Can’t Bid
For one large general contractor that works nationally, regular
training, monitoring, awareness and protocols ensure that attacks
do not create major disruptions. “We had an ‘ethical’ hacker on our
website just last week, asking for a bounty,” a company manager
pointed out. “It’s not that unusual, but we have the systems in
place to manage it.”
With about 17 active cybersecurity projects on its to-do list, the
company hopes to tackle all of them within the next 18 months.
Some of the initiatives include updating all equipment firmware and
all software programs. The company also plans to take a “long hard
look” at its password policy and how users are authenticated. “We’re
also starting a phishing campaign,” the manager said, “where we do
‘fake’ phishing attempts that test our users.”
When asked whether its serious approach will give the general
contractor a more competitive position in the marketplace, he said,
“People want to know how we’re protecting information, and if we
don’t have a good answer, we can’t bid.”
Employee training is also critical. Consider that all staff members
should know not only how to handle sensitive data but also how
to recognize potential threats (e.g., phishing emails) before they
turn into major problems. This applies to everyone in the organization—from
the CEO to the summer intern—all of whom must
be on board and complying with the firm’s security policies.
Finally, these business and personnel best practices must be
shared. Call it “Cybersecurity in the Workplace.” Fix the tools, address
personal behavior and require commitment from the supply
chain. Prequalification criteria need to include cybersecurity.
What Goes Into a Good Cybersecurity Defense?
In January, the U.S. Department of Defense (DoD) released version
1.0 of the Cybersecurity Maturity Model Certification (CMMC)
framework, which will require DoD contractors and subcontractors
to obtain third-party certification of their cybersecurity maturity.
The DoD created the CMMC to combat malicious cyberattacks in
the DoD’s supply chain, as such attacks threatened economic security
and national security. We will likely see similar moves taken
in the private sector—yet another reason why E&C firms need to
shore up their cybersecurity approaches sooner rather than later. [1]
Cybersecurity defenses have become competitive differentiators in
the market. Fortunately, all contractors can employ measures to
stand apart from their competition with clients. Examples of measures
that significantly improve contractors’ posture and propel
their reputation as a market leader in cybersecurity include:
• Multifactor Authentication: This is a security system that
requires multiple different credentials before verifying a
user’s identity.
• Mobile Device Management (MDM): Security software
that contractors can use to monitor, manage and secure
the mobile devices used by employees.
• Good Cybersecurity Hygiene: Installing patches, running
updates, enforcing password discipline and employee
training.
• Due Diligence of Third Parties: Your business partners’
cybersecurity measures directly impact your company. For
example, GCs should always vet the cyber preparedness of
the subcontractors they work with.
[1] Tackling Increased Cybersecurity Requirements In The Defense Industrial Base, The National Law Review, https://www.natlawreview.com/article/tackling-increased-cybersecurity-requirements-defense-industrial-base
Getting a Leg Up
Whether instituting multifactor authentication, patching software
systems, implementing mobile device management policies, or
working with third-party cybersecurity consultancies, a growing
number of E&C firms are now taking cybersecurity seriously and
giving it priority. With cyberattacks inflicting catastrophic damage—and
with states like California enacting new data protection
laws—companies of all sizes should view cybersecurity not as a
burden, but as a differentiator.
For companies that want to improve their cybersecurity
stance, the first step is to identify and understand their current
vulnerabilities. They need to take a good, hard look at where
they are, where they should be, and how to get there. An independent
set of expert eyes can be invaluable at this point, as the
vulnerabilities aren’t readily obvious to an untrained eye. It is critical
to embrace these experts as part of the IT team and not create
conflict between the current group and the specialty consultant.
Next, put a plan in place that includes training your team; completing
a cybersecurity readiness assessment; and talking to team
members, subcontractors and business partners about the potential
risks.
Today, as COVID-19 continues to disrupt business and everyday
life, creating a new and uncertain operating environment, cybercriminals
are working hard to turn the crisis into an opportunity.
There has been a proliferation of malicious sites preying on individuals
searching for information about the virus, seeking financial
assistance from public and private programs, exploiting virtual
meeting spaces and invading corporate systems from work-from-home
offices.
Interestingly, the best practices for addressing COVID-19 are the
same actions needed to combat cybersecurity threats on a corporate
level:
1. Transparency – The more that is known, the better prepared
everyone can be.
2. Testing – Baseline assessments are critical for knowing
current vulnerabilities or uncovering existing breaches.
3. Hygiene – Managing updates, patches, password protection
and policies provides frontline defenses.
4. Accountability – Hold the company fully accountable
for its behavior and hold other businesses to the same
standard.
As you work through these steps, keep in mind just how quickly
a single cybersecurity incident can bring a company to its knees.
For example, what would happen if your accounting system were
hijacked for a week? Alternatively, what if sensitive client data
was stolen by cybercriminals? These are painful and extremely
expensive events that cause prolonged reputational damage, but
proactive E&C firms can effectively avoid these negative impacts
while also positioning themselves as cybersecurity-conscious organizations
and teams in our connected world. Those that move
quickly and succeed at establishing a strong program will not
only meet projects’ growing cybersecurity requirements but also
be poised and positioned as the benchmark clients use to assess
the adequacy of others.
Patrick Nord
Patrick is a Principal Consultant with Archetype SC and an accomplished analyst who loves data and the
problems they describe. At Archetype SC, Patrick brings his expertise to defining and documenting client
challenges and needs and working with our team to develop solutions. He can be reached at
Paul Cormier
Paul is a Principal Consultant with Archetype SC. With more than 25 years as an administrator and
entrepreneur in the interior and manufacturing industries, Paul Cormier brings a wealth of experience in
finance, technology and business development to the Archetype SC team. He can be reached at
Archetype SC solves complicated business challenges with technology. They work with companies to find
solutions that are creative, innovative and focused on making things easier for their clients. They are known
in their communities as much for the information they share with peers, as for the solutions they provide to
our clients. Archetype SC is built by people who are motivated to empower others to achieve technology
independence. Learn more at www.archetypesc.com.
Jay Snyder
Jay is the technology practice leader with FMI. Jay has been in the engineering and construction industry
throughout his entire career. He has industry experience as a construction project executive; corporate
director of planning, design and construction for a health care system; founder and managing partner of a risk
management tech startup company; and as a valued business consultant. He can be reached via email at
FMI Consulting has a deeper understanding of the Built Environment and the leading firms across its value chain than any other consulting firm. We know what drives value. We leverage decades of industry-focused expertise to advise on strategy, leadership & organizational development, operational performance and technology & innovation.
PRACTICE AREAS
Strategy: • Market Research • Market Strategy • Business Development • Strategic Planning
Leadership & Organizational Development: • Leadership & Talent Development • Succession Management • High-performing Teams • Corporate Governance • Executive Coaching
Performance: • Operational Excellence • Risk Management • Compensation • Peer Groups
Technology & Innovation: • Market Accelerator • Partner Program • Tech Readiness Assessment • Sourcing & Adoption
SECTOR EXPERTISE
• Architecture, Engineering & Environmental • Building Products • Chemicals • Construction Materials • Contractors • Energy Service & Equipment • Energy Solutions & Cleantech • Utility Transmission & Distribution
SERVICES
• M&A Advisory • ESOP Advisory • Valuations • Ownership Transfer
EXECUTIVE EDUCATION
• Acquisitions in the Construction Industry • Ownership Transfer & Management Succession
FMI Capital Advisors, a subsidiary of FMI Corporation, is a leading investment banking firm exclusively serving the Built Environment. With more than 750 completed M&A transactions, our industry focus enables us to maximize value for our clients through our deep market knowledge, strong technical expertise and unparalleled network of industry relationships.
Exclusively Focused on the Built Environment
FMI is a leading consulting and investment banking firm dedicated exclusively to the Built Environment.
We serve the industry as a trusted advisor. More than six decades of context, connections and insights lead to transformational outcomes for our clients and the industry.
Who We Are
FMI CLIENT HIGHLIGHTS
73%
ENR Top 400 LARGEST CONTRACTORS
ENR Top 200 SPECIALTY CONTRACTORS
65%
ENR Top 100 DESIGN FIRMS
57%
ENR Top 200 ENVIRONMENTAL FIRMS
56%
ENR Top 100 CM FOR FEE FIRMS
58%
TRAINING PROGRAMS
Over 10,000 industry leaders have completed FMI training programs, which span the entire management spectrum, from new managers to senior executives.
• Emerging Managers Institute • Field Leader Institute • Project Manager Academy • Construction Executive Program • Leadership Institute • Leading Operational Excellence • Construction Selling Skills • Market & Selling Strategies • Ownership Transfer & Management Succession • Acquisitions in the Construction Industry
FMI PEER GROUPS
FMI manages nearly 50 individual peer groups across the industry. Connecting businesses through networking, expanding visions and providing feedback.
• Organizational Structure and Development • Human Resources • Business Development • Information Technology • Operations Management • Financial Management
RALEIGH: 223 South West St., Suite 1200, Raleigh, NC 27603, 919.787.8400
DENVER: 210 University Boulevard, Suite 800, Denver, CO 80206, 303.377.4740
TAMPA: 4300 W. Cypress Street, Suite 950, Tampa, FL 33607, 813.636.1364
PHOENIX: 76 E. Pinnacle Peak Road, Suite 100, Scottsdale, AZ 85255, 602.381.8180
HOUSTON: 1301 McKinney Street, Suite 2000, Houston, TX 77010, 713.936.5400
FMINET.COM