3 Steps AEC Companies Should Take to Prevent Ransomware

This post was written in collaboration with Nick Espinosa.

In our recent infographic we reported that almost one in six construction companies reported a ransomware attack within the past year. So, yes, ransomware is a serious problem for construction companies.

The question then becomes: why are construction and engineering companies being targeted with such frequency? For two reasons: first is a distributed workforce. For years, construction and engineering firms had a very distributed workforce and therefore distributed technology, which introduces potential cyber risk in various ways many companies either don’t understand or simply can’t account for. The pandemic exacerbated this situation as most companies scrambled to move their onsite workforces home, oftentimes choosing speed and convenience over cybersecurity concerns.  

The second reason is because the C&E world relies so heavily on mobile devices, like iPads and phones, to access critical data and also to set up local networks on isolated jobsites. These devices and networks may not always fall under total control of the IT department, which is usually understaffed, so they might not be implementing the latest security updates, app filtering, encryption, and threat defense when they are deployed.  

In addition, C&E has always been a bit of a traditional industry and not all of those working in it are technology-savvy. Since C&E firms are so schedule-driven, any successful ransomware that impacts work has a higher chance (74% vs. 42.5% for other industries) of being paid off just so firms can stay on schedule. This creates a target-rich environment for potential attackers.  

So now that you recognize you are a target, what can you do about it? There are pages and pages of guidance out there that will outline every little step you can take to help avoid being hit by a ransomware attack, but we are going to boil it down to three: Deploying Identity Management, Restricting Data Access, and Ransomware Recognition.

Prevent Ransomware

Identity Management

Identity management, and all it encompasses, is one of the leaders in the fight against ransomware. Essentially, a good identity management solution will encompass policies like:

• Multi-factor authentication (MFA), so no single stolen username and password will allow an attacker to gain access to an account
• Single sign on (SSO) that allows users to easily gain access to company assets online but also will cut them from said assets if a threat is detected‍
• Policies that govern behavior to make sure that no attackers can impersonate a user from anywhere in the world

For example, if a hacker gets access to a user’s password via one of the many methods they typically use such as phishing, credential stuffing, or brute force attacks, the identity management solution will identify the targeted user and cut them off from all company assets thus protecting the critical data.  

In the construction industry, we tend to believe that identity management with MFA is primarily in the form of a VPN. The first factor of authentication being the employee logging onto the machine and the second factor being the employee initiating a VPN with a separate random password. This is not actually considered a complete identity management solution as these passwords may be easier to compromise and also because this type of methodology does not understand the behavioral characteristics of the users.  

Further, VPNs can slow down connectivity, especially at lower-bandwidth locations. So, in order to utilize the VPN securely, employees might be willing to accept extremely slow download and upload speeds which can significantly impact their productivity. Because of perceived performance impact, and because most companies have a policy that allows their users to skip VPN use, in many cases VPNs are not used consistently thereby undermining the very purpose for which they are employed.

More modern identity management solutions leverage other approaches for easy and secure access, such as MFA using either an authenticator app on a mobile device or physical hardware token; integration with passwordless authentication that uses unique identifiers such as biometrics to secure the login; and also software-defined perimeters, which leverage all of the above as well as limit the ability of the user to only gain access to the exact information they need instead of being able to see the entire company network from their mobile device. In this manner you alleviate the need for VPN and force a lightweight MFA on the employees, which is required to access the data, improving security.  

Restricting Data Access

The second way to help prevent ransomware is to restrict who has access to data. While this may not completely prevent a potential breach, it will limit the damage.

Once a bad actor has access to the system their goal is to spread out vertically and horizontally taking control of as many files as possible on as many computers and servers as possible. If the individual who was their entry point has unlimited access to all of the files in the system this becomes a relatively easy feat. But the more files that are restricted due to limited access greatly increase the difficulty and time required to perpetrate the attack, providing the organization more time to react and control the breach.  

That is why leading organizations are implementing file-level access control across their most critical files as well as creating data loss prevention (DLP) plans with digital rights management (DRM), which ensures that if any data is stolen from the company, the attackers cannot open it on their own computers since the data is locked to the registered computers of the company.

In this way, you can manage who has access and for how long they have access, in order to reduce the risk of exposure. An effective system allows for easy management of file access, with the ability to share, collaborate on, and remove access as needed without requiring heavy IT involvement. It is a simple way to push responsibility down to employees without over-burdening them with security protocols.  

Ransomware Recognition

The final aspect is the most technical, ransomware recognition. This is really a category of several different automated techniques that are leveraged to quickly identify and isolate potential ransomware. It is a combination of:

• Unusual behavior detection. The system detects an abnormality, such as an individual purging a large number of files or locking files that shouldn’t be locked, in a short period of time.
• Ransomware signatures. Detecting a typical footprint or pattern associated with malicious attacks on a system.
• Presence of ransom notes. Identifying the presence of the note that outlines the threat to the system and the payment amount and procedures.
• Zero-day monitoring. A zero-day threat is a vulnerability that no one knows exists until it is exposed. Once discovered the threat detection system has less than 24 hours to understand the threat and what it does, create an inoculation, and then push that update to the company’s threat detection system. Behavior-based ransomware detection also utilizes AI to detect suspicious actions in near-real-time. By analyzing file operation behaviors, such as file encryption, mass deletion, and mass renaming, it detects a ransomware attack immediately and can then act to try and stop the infection or even act as a self-remediation tool against the threat, which is a typical feature for enterprise-level threat detection systems.  

The key for comprehensive ransomware detection is to have all of these factors working in tandem. Because different attacks will enter through different points and will operate differently, having the broadest coverage will help identify the breach more effectively.  

Recover from Ransomware

Data Backup and Recovery

The bad news: in 2020 73% of all ransomware attacks were successful. So, no matter what you do, how good your defenses are, and how vigilant you and your entire company is, there is no 100% guarantee that you won’t suffer a breach.

The good news: 24% of attacks were intercepted before they could encrypt any data. So don’t give up hope!

With ransomware, you need to plan for the worst which makes it imperative to have the right mechanisms in place in the event you are the victim of an attack. One of the most important capabilities you need is an effective contingency plan that includes backup and recovery. Even if you pay the ransom, some files may be recoverable even if the attackers give you a decryption key or they could also be maintaining persistence in your network, which means once the ransomware incident is over they can re-infect the network.

While most companies have a backup and recovery plan, many of them take an all-or-nothing approach. What that means is that even if only a segment of their files is compromised or deleted, they still need to recover and replace large sections of their overall content in order to restore it. This can take days if not longer to complete, meaning that even a small breach can significantly impact your operations.  

Today, forward-leaning companies are using selective file restoration with backups both on-premise for faster recovery and also in the cloud since cloud based backups are much harder to compromise given how data is backed up there. This allows companies to only roll back impacted files and not the entire system worth of files.

For example, in a company that is able to stop the ransomware attack before it completes encrypting everything, organizational projects that were impacted will have their files rolled back more quickly. Conversely, files unaffected by the breach will remain in their current state. Thus, the majority of the organization can continue with operations while only the impacted segment will need to recover, reducing your downtime and lost time.  

Ransomware attacks can be a scary proposition but they do not need to be overwhelming. By following these three simple preventive measures and having a good Contingency Plan, you can vastly reduce the threat and impact of ransomware on your organization. Remember, as a construction company it is not if, but when an attack will happen. The average ransom payment for an attack in the construction industry is $312,000. It’s usually much less expensive to implement good cybersecurity practices that will also ensure your company doesn’t grind to a halt during projects. So the question is: can you afford not to act?  

Learn More  

To learn how Egnyte is helping construction and engineering firms defend against ransomware visit Egnyte’s Ransomware Detection webpage or read "How to Prevent Ransomware: A Simple Guide for Protection."  

An expert in cybersecurity and network infrastructure, Nick Espinosa has consulted with clients ranging from small businesses up to the Fortune 100 level. Nick founded Windy City Networks, Inc in 1998 at age 19 and was acquired in 2013. In 2015 Security Fanatics, a Cybersecurity/Cyberwarfare outfit dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations, was launched. A nationally recognized speaker, he is a member of the Forbes Technology Council, a TEDx Speaker, a regular columnist for Forbes, an award winning co-author of a bestselling book “Easy Prey,” the host of “The Deep Dive,” a nationally syndicated radio show, on the Board of Advisors for Roosevelt University College of Arts and Sciences as well as their Center for Cyber and Information Security and is the Official Spokesperson for the COVID-19 Cyber Threat Coalition. Nick is known as an industry thought leader and sought after for his advice on the future of technology and how it will impact every day businesses and consumers.

‍