COVID-19 is still around even though many people are back to pre-pandemic behavior patterns. Companies are less likely to require or even request employees to wear masks unless they want to. Even customer-facing workers are less likely to wear a mask than wear a smile. But one aspect of the pandemic protocols is still in effect: many employees are working remotely, often from home.
And that continues to present security and other problems to companies across industries. Remote workers need access to company files, digital resources, and even personal data. In return, they transmit data and files back to the company’s servers or cloud providers. This two-way traffic can be a source of concern to IT professionals and a source of revenue for criminal elements.
The ability to share digital data effectively is a critical factor that also impacts the success of digital transformation in the design and construction industry. This includes both the ability to share data within different departments in the same company, among remote and in-office employees and contractors, or across multiple companies involved in the same project.
New research from Dodge Construction Network, together with Trimble, reveals owners, architects, engineers, general contractors, and specialty trades are using digital workflows to share project information. The findings show, though, that internal connections are far more common than external ones, with nearly half of all respondents (48%) sharing 50% or more of their project data internally using digital workflows, and nearly one quarter (24%) doing so with other stakeholders on their projects.
Architects lead the industry in their use of multicompany digital workflows, with one third deploying them. Engineers are deepening their engagement with workflows for specific design practices with 83% of users planning additional investments in digital workflows. General contractors that focus on vertical (building) construction are using more digital workflows for their construction operation processes and reaping greater benefits than those who largely engage in civil (infrastructure) construction. Specialty trade contractors are currently using digital workflows most frequently for administrative tasks, but their biggest planned investments are for using workflows that will help them with construction operations and crew management.
Despite the differences in their degree of use and how they engage with digital workflows, owners, architects, engineers, general contractors, and specialty trade contractors all report the same key benefits from their use: More informed decision making and increased efficiency of internal processes, resulting in improved project outcomes, higher quality, and faster delivery.
Protecting IT Resources
With the growing trend to digital workflows, remote workers—employees and subcontractors, alike—have access to more company data than ever before. How can companies and their IT departments and professionals secure that data? Education, knowledge of the potential for security breaches, and concern for the company’s success are often cited.
Still, while fear of what could go wrong is the greatest motivator when it comes to getting remote workers to protect their employer’s information, it tends to work best when employees also have a solid understanding of the severity of potential security threats, including the knowledge of what to do when the worst happens.
“Employees need to feel this is a big deal if it happens, so the number one thing employers can do is to clearly communicate what the threats are and how serious they could be,” says Robert Crossler, associate professor in the Carson College of Business at Washington State University. “Because for most people this is not their job. Their job is to make something or sell something, not to make good security choices, even if it is critical for their organization.”
Two approaches are considered best. Protection motivation theory posits organizations can encourage secure behaviors through fear appeals, threat messages, and knowledge of the ability to respond to a particular threat. The practice, which often uses surveillance to monitor employee actions, has been used effectively for decades to deter people from engaging in risky behaviors at work and to discourage unhealthy practices such as smoking.
The second approach is stewardship theory. Stewardship theory is a form of reciprocal agreement that tries to motivate the employee through a sense of moral responsibility that is not forced. In this approach, management attempts to get the employee to buy into the organization’s overall vision while giving them organizational support to act independently when confronted with a security threat.
Although working from home would seem to require relying on concepts more consistent with stewardship theory, the study showed that an approach that relied on the fear and threats emphasized in protection motivation theory was far more effective at preventing employees from violating security policy than a strictly stewardship-based approach.
Researchers found promoting a sense of collectivism, a concept from stewardship theory that emphasizes the mutual benefits of good behavior for both the employee and the employer, helped increased the efficacy of protection motivation theory-based methods.
“Basically, what we found was that the more workers felt that their organization’s resources were their own, the more likely they were to respond in the desired way,” Crossler recalls. “Instilling a sense of collectivism in employees is only going to help enhance people’s likelihood of protecting security policies.”
In some cases, a protection motivation theory approach to IT security could back-fire and result in security misbehaviors. As a result, companies should consider removing or reducing surveillance practices that are a common aspect of protection motivation theory. Where such removal is impracticable, employers should consider providing employees with contextual reasons for performing such monitoring.
Ancient Texts
Passwords have been around since long before the dawn of the internet but remain the primary way of protecting data. Most companies mandate their remote workers to use them on their local computer as well as to access company data. But what makes a good password?
Passwords should be longer than 12 characters. With modern computing, it isn’t difficult for hackers to use brute force techniques to guess all iterations of a less than 12-character password within a reasonable amount of time.
Passwords should involve a high level of complexity. Users should create passwords with upper- and lower-case letters, which are unique characters to a computer and more difficult to process. In addition, mixing numbers as well as symbols into a password exponentially increases the number of iterations it would take for a computer to use a brute force method to crack it.
If possible, consider creating a passphrase that contains multiple longer words and swapping letters with numbers or special characters to make it easier to memorize longer, more complex passwords.
The Math of Passwords
If a password is comprised of only lowercase letters, and is six characters long, then the total number of password variations possible is 308,915,776. That may sound like a lot, but when a single computer can guess millions of passwords per second, it would only be a matter of minutes before it managed to guess the correct password.
Adding upper case characters into the mix increases the number of possible password variations to 19,770,609,664 — a significant increase in possibilities that makes the computer work much harder to guess the password.
By introducing the possibility of numerals as well as special characters–@#$%^&*–and increasing the length of a password beyond 12 characters, the number of potential password variations increases exponentially, making it less likely that an attacker will rely on simple password guessing.
The most popular passwords that are cracked and stolen during breaches often involve a variation of the word “password,” some string of numbers, or a variation of popular words. A popular element in television crime shows is having police forensics crack the bad guy’s computer password by doing research on the owner of the password and guessing variations of important names and dates, like first names or birthdates of family members, or hobbies.
Here are a few additional tips Washington State University IT professionals recommend to make logins safe:
- Never use the same password for more than one login. This prevents an attacker from accessing all of a user’s accounts should their password be compromised.
- Be wary of any link in emails that request a user to click or login. These can be used to steal usernames and passwords.
- Do not share passwords. This should be considered common sense.
- Activate the option for multi-factor authentication (such as a confirmation email or text message) on every account where it is available. This adds an additional layer of protection in case a password becomes compromised, and in addition can alert a user to when someone is attempting to access their accounts.
- Use a password manager to keep track of different passwords. BitWarden, 1Password, LastPass, or KeePass are some options but be careful that the password used to access a password manager is a strong one.
Be aware that even security organizations can be hacked. In 2022, LastPass had such an incident. An unauthorized party gained access to a storage service, which LastPass used to store archived backups of production data. Based on their investigation, “An unknown threat actor accessed a cloud-based storage environment leveraging information obtained from an incident in August of 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service,” LastPass reported.
To date, LastPass has determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. However, due to the strength of their encryption, it is highly unlikely that the hacker will be able to decrypt the data to a usable level.
Strong security measures may make logging into work-related platforms more time consuming but having accounts breached is far more intrusive than the extra seconds it requires to login.
Want to tweet about this article? Use hashtags #construction #infrastructure #5G #cloud