Read Time: Less than 15 Mins
Last Modified: June 17, 2024

Mobile and cloud technologies are moving swiftly onto jobsites and into offices across the construction trades. Though accounting software has previously been slow to merge with these internet-based business tools, excitement about the benefits of anytime-anywhere computing has begun to catch on.

According to a recent survey conducted by Associated General Contractors of America in collaboration with Sage Construction and Real Estate, 85% of construction contractors use or plan to use cloud-based solutions. In comparison, back in 2012, a Sage survey found that only 16% of construction workers believed cloud computing was important to their business. [1]

In simple terminology, “the cloud” refers to servers that are accessed over the internet. In a larger sense, the cloud also refers to the software and databases that run on those servers.

So, are cloud accounting programs and jobsite mobile apps secure? To help answer this question, there are several things that construction companies should know.

Mobile & Cloud Security for Contractors: Top Takeaways

  1. Implement Strict Access Control Measures:
    • Restrict and audit user access rights.
    • Implement and communicate internet and mobile device use policies.
    • Regularly revoke access for terminated employees to prevent unauthorized entry.
  2. Ensure Regular Data Backups for Safety:
    • Ensure consistent data backups to prevent total loss.
    • Use geographically diverse servers for data redundancy and disaster recovery.
  3. Use Proactive Automatic Monitoring Systems:
    • Employ systems that automatically detect and alert suspicious activity.
    • Respond promptly to potential security threats.
  4. Provide Comprehensive Employee Security Training:
    • Provide extensive security awareness and phishing prevention training.
    • Educate employees to reduce risks from carelessness and social engineering attacks.
  5. Utilize Robust Cloud Server Security:
    • Utilize secure, encrypted internet connections to access data.
    • Benefit from physical security measures like concrete walls, steel doors, and continuous monitoring.
  6. Implement Advanced Data Encryption Techniques:
    • Use TLS 1.3 for securing data in transit.
    • Implement AES-256 encryption for data at rest to ensure high-level security.
  7. Ensure Clear Vendor Agreements for Data Protection:
    • Ensure vendor contracts specify data access, usage, and ownership terms.
    • Verify provisions for data return and deletion after service termination.
  8. Maintain Stringent Physical Security in Data Centers:
    • Cloud servers are protected by robust physical security measures.
    • Continuous monitoring and top-tier firewalls safeguard data from physical and digital threats.

1. How Does Construction Mobile Security Protect My Data?

One of the biggest threats to data security is an internal breach. The term internal breach refers to a hacker “breaking into” your data servers.

During an internal breach, a hacker can perform an act called exfiltration. Exfiltration is any unauthorized transfer of information from an information system. So, if a hacker were to export your data onto their own server, that would be exfiltration.

And there’s a catch: internal breaches aren’t always sinister. Exfiltration can also result simply from a careless or untrained employee who saves her password in her browser or who leaves his tablet behind at the airport.

Such accidental cases account, according to Intel, for about half of internal data loss incidents.[2] The Cloud Security Alliance (CSA) ranks Insufficient Identity, Credential, Access, and Key Management as the number one threat to cloud computing for 2023.[3]

Even external breaches such as phishing attacks come down in large part to employee education and accountability, making company-wide use policies and training essential for company-wide security.

Hoping for the best and trusting “common sense” simply doesn’t work anymore; phishing has officially outgrown our antiquated fail-safes.

Verizon’s annual study of global data breaches showed that 23% of recipients open phishing messages, and campaigns of just 10 malicious emails have a 90% chance of snaring a victim.[4]

These emails don’t even need to target the CIO or database administrator to get what they want or to deal a devastating blow to a business.

James Benham, CEO of JB Knowledge, has boasted about penetrating entire on-premise networks just by sending the receptionist a cat video, which downloaded a script onto her computer.[5]

Preventative measures that companies should take include utilizing spam filters, implementing security awareness and establishing a response plan.

As cybersecurity and cloud gurus will say, threats simply exist — whether you’re on the cloud, use mobile or operate on-premise — which is why data security always begins at home, with business-level and user-level practices. “In the absence of these standards,” reports the CSA, “businesses are vulnerable to security breaches that can erase any gains made by the switch to cloud technology.”[6]

One way construction companies can take responsibility for their security is by restricting and auditing access rights, thus making sure that no one has more access than they need and that a process is in place to swiftly revoke access from terminated employees.

This isn’t about not trusting your people; it’s about not trusting the bad guys who could otherwise have free rein of the whole system just by breaking in through any open door.

Companies are also advised to implement and communicate internet-use and mobile-device policies to all employees, regardless of whether they supply devices or have a BYOD program.

So, what does this all mean?

It means that your mobile construction solution is able to protect your data through three key avenues:

  1. Limited Use: Users are able to control who can access info within their company system. When this ability is limited, data is better protected because fewer individuals have open access to it, and there are fewer security risks as a result.
  2. Back-ups: When data is consistently backed up, or saved to an alternative server, users can be assured they will not lose everything if a data breach occurs. Instead, when consistent backups of information are performed, users can simply refer to the backup if the system information is lost.
  3. Automatic Monitoring: Depending on the type of security in place, the mobile system may come with automatic monitoring of a company’s information and activity. This can help to alert the user if suspicious activity is detected before a breach has time to occur.
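As an added example (not code from this article or from Foundation Software), here is what the first and third avenues look like in practice: an access review that compares a constructed HR roster against the grants held in a hypothetical accounting system, flagging terminated employees who still have access and users with more access than their role needs, followed by a monitor that scans constructed audit-log lines for activity by inactive accounts and for bulk exports. The roster, grants, permission names, log format and export threshold are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Employee is one row of a constructed HR roster.
type Employee struct {
	ID     string
	Role   string
	Active bool
}

// Grant is one access right in the hypothetical accounting system.
type Grant struct {
	User       string
	Permission string
}

// rolePermissions is the least-privilege baseline (an assumption for this example):
// the permissions each role legitimately needs. Anything beyond it is excess access.
var rolePermissions = map[string]map[string]bool{
	"foreman":      {"jobs:read": true, "timecards:write": true},
	"accountant":   {"jobs:read": true, "ledger:read": true, "ledger:write": true},
	"receptionist": {"contacts:read": true},
}

// Constructed sample data: bob was terminated but still holds a grant, alice holds
// a permission her role does not need, and dave is not on the roster at all.
var sampleRoster = []Employee{
	{ID: "alice", Role: "foreman", Active: true},
	{ID: "bob", Role: "accountant", Active: false},
	{ID: "carol", Role: "receptionist", Active: true},
}

var sampleGrants = []Grant{
	{User: "alice", Permission: "timecards:write"},
	{User: "alice", Permission: "ledger:write"},
	{User: "bob", Permission: "ledger:read"},
	{User: "dave", Permission: "jobs:read"},
}

// AuditGrants is the access review: one finding per grant that should be revoked
// (terminated or unknown user) or trimmed (exceeds the role baseline).
func AuditGrants(roster []Employee, grants []Grant) []string {
	byID := make(map[string]Employee, len(roster))
	for _, e := range roster {
		byID[e.ID] = e
	}
	var findings []string
	for _, g := range grants {
		e, known := byID[g.User]
		switch {
		case !known:
			findings = append(findings, "ORPHAN "+g.User+" "+g.Permission)
		case !e.Active:
			findings = append(findings, "REVOKE "+g.User+" "+g.Permission)
		case !rolePermissions[e.Role][g.Permission]:
			findings = append(findings, "EXCESS "+g.User+" "+g.Permission)
		}
	}
	return findings
}

// Constructed audit-log lines in a simple key=value form (an assumed format).
var sampleLog = []string{
	"user=alice action=export rows=40",
	"user=bob action=login rows=0",
	"user=carol action=export rows=5000",
}

// MonitorLog is the automatic-monitoring piece: it alerts on any activity by an
// inactive or unknown account and on exports larger than exportThreshold rows.
func MonitorLog(roster []Employee, lines []string, exportThreshold int) []string {
	active := make(map[string]bool, len(roster))
	for _, e := range roster {
		active[e.ID] = e.Active
	}
	var alerts []string
	for _, line := range lines {
		fields := map[string]string{}
		for _, kv := range strings.Fields(line) {
			if k, v, ok := strings.Cut(kv, "="); ok {
				fields[k] = v
			}
		}
		user, action := fields["user"], fields["action"]
		rows, _ := strconv.Atoi(fields["rows"]) // missing or malformed counts as 0
		if !active[user] {
			alerts = append(alerts, "INACTIVE-ACCOUNT "+user+" "+action)
		}
		if action == "export" && rows > exportThreshold {
			alerts = append(alerts, "BULK-EXPORT "+user+" rows="+strconv.Itoa(rows))
		}
	}
	return alerts
}

func main() {
	for _, f := range AuditGrants(sampleRoster, sampleGrants) {
		fmt.Println("access review:", f)
	}
	for _, a := range MonitorLog(sampleRoster, sampleLog, 1000) {
		fmt.Println("monitor alert:", a)
	}
}
```

Run as-is, the review reports alice’s excess ledger right, bob’s stale grant and dave’s orphaned grant, and the monitor raises one alert for bob’s login and one for carol’s 5,000-row export. The useful design point is that both checks are driven by the HR roster: when someone leaves, the review and the monitor both start flagging them on the next run, which is exactly the “swiftly revoke access” process the article calls for.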

2. Where Is Your Data Stored if You Store it on the “Cloud”?

For all of the security risks that exist just on your internet-facing devices, users should have a realistic picture of where their data lives when it’s not being accessed on their machines.

The cloud servers that store and host client data are maintained under much more robust security than you would see in most construction company offices. Public data centers – facilities that centralize the shared IT operations and equipment that store and process data – are practically bunkers. They feature elements like concrete walls, steel doors, continuous monitoring and top-tier firewalls.

Even smaller-scale operations, like server rooms designed to house client data, are secured with restricted access and continually monitored for suspicious activity.

What’s more, data is not just housed at a single site but is also backed up continuously on additional servers at geographically diverse data centers, hedging against data loss in case of physical disaster.

Contractors can begin to safely store their data by building disaster-resistant server rooms, hiring a cybersecurity staff or contracting an on-site security company.

Alternatively, they can also outsource their data storage to experts the same way we outsource our money storage to our bank or a credit union.

When users need to access and work with their data, they “withdraw” it through a secure, encrypted, authenticated internet connection until they sign off. Unless a user makes the ill-advised move of saving that data to his device’s hard drive, where it becomes vulnerable to some of the exfiltration described above, the data “returns” to the safety of its off-site servers.

The shortcoming of this metaphor, however, is one of the cloud’s biggest benefits: the data never actually leaves the data center servers. Instead, users at a single company have the ability to collaborate, even while accessing the servers from multiple locations simultaneously.

3. What is Data Encryption?

While data at rest can largely be secured with the kind of standards described above, the other side of the coin is securing data in flight as it travels between end users and vendor or third-party data centers.

Encryption in flight is meant to protect data that is in transit. Encryption at rest maintains protection at the remote destination. In general, data is typically less vulnerable at rest than in transit.

When it comes to protecting data in transit, encryption is the key — or rather, it’s the lock.

Encryption is the process of translating data into an unreadable form that requires a decryption key to render it back into a usable form. It’s the same basic principle that you may have used to pass secret messages during class that only your best friend knew how to decode.

Fortunately, just like with the security measures and processes used by data centers, companies will find that most vendors employ best practices as a standard.

In one sense, encryption begins with a secure transfer channel. The industry standard is transport layer security (TLS), currently at version 1.3, which allows a user to send information safely from their device to the web application on the cloud. TLS 1.3 consists of two parts: (1) encoding the data and then (2) establishing a friendly connection between the client and the server.

You and your classmate can’t go out in the hall to tell each other jokes about your teacher, so how are you going to communicate? First, you write down your message in a code you both know, and second, you flash him a secret look so that only he knows the wadded-up paper you’re about to throw at his desk contains a coded message. That way, only he receives the message and only he can translate it.

On the internet, there’s no equivalent to an empty hallway you can use to communicate sensitive data without the risk of eavesdroppers, but encryption protocols effectively create secure means of passing data right behind the backs of people who would gladly confiscate it.
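An added example, not from the article or any vendor, showing the client side of that secure channel in Go’s standard library: a configuration check that flags settings which quietly undo the protection (certificate verification switched off, or a protocol floor below TLS 1.3), and an in-memory handshake against a server that accepts only TLS 1.3, using a throwaway self-signed certificate. The certificate, the “localhost” name and the server settings are assumptions made for the example; a real vendor endpoint presents a certificate issued by a public CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// AuditTLSConfig flags client settings that defeat the secure channel: skipping
// certificate verification, or accepting a protocol version below TLS 1.3.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.InsecureSkipVerify {
		findings = append(findings, "certificate verification disabled (InsecureSkipVerify)")
	}
	if cfg.MinVersion < tls.VersionTLS13 {
		findings = append(findings, "minimum protocol version below TLS 1.3")
	}
	return findings
}

// selfSignedCert builds a throwaway certificate for "localhost" (an assumption for
// this example) so the handshake can run entirely in memory.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// HandshakeVersion runs a client/server handshake over an in-memory pipe against a
// server that insists on TLS 1.3 and returns the negotiated protocol version.
func HandshakeVersion(clientCfg *tls.Config) (uint16, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS13,
		SessionTicketsDisabled: true, // no post-handshake writes on the synchronous pipe
	}
	cfg := clientCfg.Clone()
	cfg.RootCAs = pool // trust only the throwaway certificate
	cfg.ServerName = "localhost"

	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	errc := make(chan error, 1)
	go func() { errc <- tls.Server(sConn, serverCfg).Handshake() }()
	client := tls.Client(cConn, cfg)
	if err := client.Handshake(); err != nil {
		return 0, err
	}
	if err := <-errc; err != nil {
		return 0, err
	}
	return client.ConnectionState().Version, nil
}

func main() {
	strong := &tls.Config{MinVersion: tls.VersionTLS13}
	weak := &tls.Config{InsecureSkipVerify: true}
	fmt.Println("strong config findings:", AuditTLSConfig(strong))
	fmt.Println("weak config findings:", AuditTLSConfig(weak))
	if v, err := HandshakeVersion(strong); err == nil {
		fmt.Printf("negotiated version: %#x (TLS 1.3 is %#x)\n", v, tls.VersionTLS13)
	} else {
		fmt.Println("handshake failed:", err)
	}
	_, err := HandshakeVersion(&tls.Config{MaxVersion: tls.VersionTLS12})
	fmt.Println("TLS 1.2-only client against a TLS 1.3-only server:", err)
}
```

The last line of main is the case worth noticing: a client that cannot speak TLS 1.3 is refused outright rather than quietly downgraded, which is the behaviour to expect from a vendor who has actually adopted the standard the article describes. The audit function is the kind of check to run over any client code that talks to the vendor’s API, because `InsecureSkipVerify: true` is the single setting most likely to turn an encrypted connection into one an eavesdropper can sit in the middle of.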

For even better security, though, encryption goes even beyond the process of transmission. Presently the gold standard for at-rest encryption is AES-256, which stands for Advanced Encryption Standard 256-bits, meaning it has a decryption key that’s 256 binary digits (0s and 1s) long.

The result is a decryption process that takes several dozen steps of translating, transposing and recoding, making it the trusted encryption algorithm of banks and governments.

If we continue the metaphor, after your friend gets your secret note and works out the decoded message, how do you prevent the teacher from confiscating it and reading what you said about her?

At-rest encryption would have your friend translate it from your shared secret code into his own private code.

Of course, all of this, thankfully, is far more complex and dynamic, using an algorithm that the CSA’s Quantum-safe Security Working Group projects will remain safe for the next 20 to 30 years.[7] Properly implemented, AES-256 has had no reported cases of being cracked.
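An added example (not the article’s or any vendor’s code) of at-rest protection with AES-256 in GCM mode from Go’s standard library: a 32-byte key (the 256 binary digits the article mentions), sealing a constructed employee record, detecting any alteration of the stored bytes, and re-encrypting under a fresh key, which is the “translate it into his own private code” step of the metaphor above. The record contents, the record label and the key-handling functions are constructed for this example; in production the key would live in a key-management service rather than beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is 32 bytes = 256 bits: the key length that makes this AES-256.
const KeySize = 32

// NewKey draws a random 256-bit key from the OS random source.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != KeySize {
		return nil, errors.New("refusing key that is not 256 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one stored record. Output layout is nonce || ciphertext || tag.
// label (e.g. the record's table and ID) is authenticated but not encrypted, so a
// ciphertext copied onto a different record fails to open.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the stored bytes, the label or the key makes the
// authentication tag check fail, so tampering is reported instead of decrypted.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// Rekey moves a record from oldKey to newKey: decrypt with the old key, seal with
// the new one. This is the routine a key-rotation job runs over stored records.
func Rekey(oldKey, newKey, blob, label []byte) ([]byte, error) {
	plaintext, err := Open(oldKey, blob, label)
	if err != nil {
		return nil, err
	}
	return Seal(newKey, plaintext, label)
}

func main() {
	key, _ := NewKey()
	label := []byte("employees/42")                  // constructed record label
	record := []byte("employee=J.Doe ssn=000-00-0000") // constructed sample record
	blob, _ := Seal(key, record, label)
	fmt.Printf("stored %d plaintext bytes as %d ciphertext bytes\n", len(record), len(blob))

	blob[len(blob)-1] ^= 1 // simulate one corrupted or altered byte on disk
	if _, err := Open(key, blob, label); err != nil {
		fmt.Println("tampering detected:", err)
	}
	blob[len(blob)-1] ^= 1

	fresh, _ := NewKey()
	rotated, _ := Rekey(key, fresh, blob, label)
	back, _ := Open(fresh, rotated, label)
	fmt.Println("after key rotation:", string(back))
}
```

Two details carry the weight here. GCM’s authentication tag is what turns “unreadable” into “unreadable and unalterable”: a flipped byte in the database is refused rather than decrypted into garbage. And `newGCM` rejects anything other than a 32-byte key, so a caller cannot silently downgrade to AES-128 by passing a shorter key.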

4. Who Owns My Construction Company’s Data?

A final concern among skeptics is the proposition of not merely entrusting the security of their data to someone else but ultimately giving sensitive data — including employee and customer information — over to another party.

This does (and should) raise a series of questions, and any company that considers implementing some form of cloud computing owes it to both its employees and its clients to be sure of the answers.

Along with peace of mind about data security, complete ownership of your own data is a reasonable expectation. However, just as construction companies should do their due diligence in ensuring data safety and investigating the security standards of their cloud provider, ownership of data shouldn’t be taken for granted. Neither should it be taken for granted what “ownership” means.

The first question companies should ask is, who has access to my data? The obvious answer may be “Amazon” or “Foundation Software,” but there’s a big difference between your vendor’s IT department and their marketing department.

Of course, a service agreement isn’t going to provide a manifest of everyone who will get to see a piece of your data along with their position titles, but you might be able to look for a confidentiality clause that mentions access only for employees with a “need to know” in order to fulfill the vendor’s service obligations.

To help illuminate who has access to your data, another important question to ask is, what are they allowed to do with my data? This should be spelled out in the service agreement.

A standard agreement will allow for the sharing of content with third parties only as required to provide the services contracted or in order to comply with subpoenas or other court orders, but these should come with due notification, and the vendor should express its legal commitment in writing to protect the confidential information it receives.

Trust is a virtue, but when it comes to vendor use of your data, trust should be verified. Without legal assurance, users are right to be concerned about the possibility that their information could not only be held but used.

That doesn’t mean that a vendor will sell your financial information to corporate spies or auction off employee social security numbers to identity thieves, but a bad agreement might grant them the right to mine your data for marketing lists.

Companies should especially be wary of free cloud services and free mobile applications because their revenue is coming from somewhere if not product sales, and one of their income sources could very well be client data.

A final test of ownership is the question, what happens with my data in the end? Unlike the traditional desktop software we used to install from floppy disks and CDs, mobile and cloud applications place you in an ongoing relationship with the vendor, but at some point, that relationship might reach an end.

So, what happens to all of your data on their servers?

If the data truly is yours, the agreement should provide for transition services within a specified window of time following termination to make sure the data gets back to you in one piece.

Think of closing a bank account: you expect them to pay out a standard currency that you can take to any other bank. You do not expect a private banknote only recognized at Chase branches.

In the same way, vendors should agree ahead of time to provide a standard database format. Following the return of your data, there should also be an expressed commitment to delete it from their servers.

The principle here is so much the same as in the rest of the construction business: get it in writing. In the end, ownership of your data should be clear and explicit, affirming all rights, titles and interests.

5. Are Cloud Accounting and Mobile Jobsite Applications Secure?

Are cloud accounting and mobile jobsite applications secure? The answer is, they can be, in a similar way to how our hard drives and our filing cabinets can be. Each of these requires reasonable and responsible measures taken by companies that handle sensitive data.

These companies must understand that the security of cloud accounting and mobile jobsite applications is not a guaranteed default setting but a result of proper implementation and adherence to security practices.

Companies must prioritize data security by establishing secure access management protocols. This includes restricting and auditing access rights, ensuring that employees have only the necessary level of access and promptly revoking access for terminated employees.

Implementing comprehensive internet-use and mobile-device policies, as well as providing regular security awareness training to employees, can significantly reduce the risk of internal breaches and phishing attacks.

Furthermore, it is important to remember that cloud servers and public data centers often have stringent physical security measures in place, such as concrete walls, steel doors, continuous monitoring, and top-tier firewalls. Data is not only stored at a single site but also backed up on geographically diverse servers, minimizing the risk of data loss due to physical disasters.


Embrace Cloud Technology

While there are many legitimate concerns about the security of cloud accounting and mobile jobsite applications, it is possible to mitigate risks and ensure data security through proper implementation of security measures.

By adopting best practices, prioritizing employee education, implementing encryption, and reviewing service agreements, construction companies can embrace the benefits of cloud technology while safeguarding their sensitive data.

Ultimately, the benefits of cloud technology outweigh the alternatives, and it is the responsibility of each company to take proactive steps toward data security and establish a solid foundation for the adoption of these technologies.

And if you’re looking for a trustworthy, time-tested cloud solution, FOUNDATION® accounting software has a Hosted version that gives you instant access to your database at any internet-ready workstation and provides automatic backups and updates from a team of experts. Contact a specialist for a demo!

[1] https://builtworlds.com/news/cloud-adoption-is-rising-in-the-aec-but-what-are-we-missing-sage-weighs-in/#:~:text=In%20all%2C%2085%25%20of%20construction,purveyor%20of%20cloud%2Dbased%20solutions.

[2] http://www.forconstructionpros.com/article/12141674/6-steps-to-secure-networks-as-you-innovate-construction-management-systems

[3] Cloud Security Alliance, The Treacherous 12: Cloud Computing Top Threats in 2016 (2015).

[4] https://cloudsecurityalliance.org/blog/2022/06/25/1-threat-to-cloud-computing-insufficient-identity-credential-access-and-key-management/

[5] Intel Security, Grand Theft Data: Data Exfiltration Study: Actors, tactics, and definitions (2015).

[6] JB Knowledge, The 4th Annual Construction Technology Report (2015).

[7] Associated General Contractors, 2016 Construction Outlook Survey Results (2016).
