Construction contractors are rapidly adopting not only equipment automation technology but also the software used to run their quote-to-cash operations. Software is now also used to administer the projects that deliver revenue, store documents and digitize workflows with the external parties collaborating on a project, from subcontractor to general contractor to owner.
Ensuring this software is safeguarded against malicious actors, and that the contracting business is shielded from other liabilities, is therefore an important consideration when selecting, configuring and managing these technologies. It is more important than ever: according to risk management firm Kroll, construction contractors saw an 800 percent increase in data breaches in 2021, and in past years almost 70 percent have reported being victims of internal theft at one point.
1. On-Premise Construction Tech Left Unguarded
A significant percentage of contractors run accounting and general ledger software that is sold as a perpetual license and runs on the contractor’s own server or in a hosted environment. More than 10,000 companies, for instance, use Sage Construction and Real Estate, with many migrating their instance to a subscription-based cloud service. Many also use QuickBooks Desktop.
In the early days of business software moving to the cloud, the supposition was that moving mission-critical data and processes outside the four walls of the business would create security risk. Yet on-premise solutions are highly vulnerable, and that is one reason construction is the number one target for ransomware attacks. There are a few reasons for this.
Remote monitoring and management tools such as ConnectWise and Kaseya, which enable remote administration of on-premise systems, have been abused by attackers to push ransomware onto the on-premise systems they manage.
These software products are also often updated infrequently, and if a contractor stops paying for updates and chooses to run indefinitely on an old version, malicious actors have plenty of time to find and exploit vulnerabilities across a large installed base that all share the same flaw. That is how 40,000 customers of enterprise resource planning (ERP) software giant SAP, including 2,500 with systems exposed directly to the public internet, found themselves vulnerable to the RECON SAP bug, which let even technically unskilled attackers create user accounts in the software with unlimited access permissions.
2. Open Source Tech Embedded in Software
On-premise software sold on a perpetual license presents a unique risk profile because, unlike multi-tenant software-as-a-service (SaaS) applications, every user organization runs its own instance of the software. Absent a managed services contract with a defined service level agreement (SLA) for identifying and fixing vulnerabilities, the vendor is generally not responsible for keeping that instance patched; each customer organization is responsible for getting the patches in place.
There is similar ambiguity in terms of who is responsible for security when software vendors embed open source software libraries in their product.
Open source software and components are released under licenses approved by the Open Source Initiative (OSI), which allow a software developer to use them, typically on the condition that the developer discloses to its buyers which licensed components are included. The developer gets full access to the source code and can make improvements, which can then be contributed back to the rest of the open source community. That community also commonly identifies vulnerabilities and shares them with each other.
Almost any business software makes some use of open source technology, including on-premise, perpetual license software. The RECON SAP vulnerability was in the Java component of the SAP NetWeaver Application Server. But many construction SaaS vendors are less than five years old, and more mature ones are building net new platforms in the cloud to replace perpetual on-premise products, so they use open source heavily to compress development timelines and get functionally rich, agile and highly performant software to market faster and more cheaply.
Many venture-funded and even many bootstrapped construction SaaS companies use open source tools, and many of those tools have been attacked. Argo, a tool used to manage containers in a cloud environment; the e-commerce platform Magento, now Adobe Commerce; the Elasticsearch database; MySQL; the Linux operating system; MongoDB; the Redis in-memory data store; and others have all been hit.
A U.S. Senate investigation into one egregious data breach blamed on a security hole in Apache Struts, an open source technology, found that the company in question had not followed its own patch management practices, which would have applied the patch that closed the vulnerability.
3. Vulnerabilities From Internal Fraud
While malicious acts from outside the company, including ransomware attacks, are concerning, internal theft by employees is more frequent. Project owners are mandating the use of digital multi-company workflows, increasing visibility and preventing waste and mismanagement between companies. But within a contracting business with a very small or perhaps non-existent accounting department, the right enterprise software approach can keep the business safe.
Construction is particularly vulnerable to internal fraud and theft, even when trained professionals are minding the store. The dynamic and constantly shifting nature of construction means contractors are just more vulnerable than many other businesses to common tactics including the creation of fake vendors or subcontractors, payments to non-existent employees and side deals or kickbacks from subs or suppliers.
Processes and workflows in enterprise software are changed frequently, sometimes to meet the requirements of a specific contract, and it can then be hard to track who is authorizing which payments, who is responsible for adding new vendors to the system, and whether the same person is responsible for both tasks.
The risks are real, but according to experts so are the mitigation tactics contractors of various sizes and levels of sophistication can use.
Protecting On-Premise Construction Software
According to John Meibers, vice president and general manager at Deltek and ComputerEase, contractors running software on-premise can get help protecting their instance of software as well as ensuring they can recover quickly if they are hit by ransomware or other types of malicious acts.
“The best defense is a reliable, easy-to-restore backup,” Meibers said. “If the hackers get in, if I don’t need the data, I don't have to pay.”
But many contracting businesses have thin enough information technology functions that they may not be 100 percent sure if they have backups or not, or how frequently those backups are occurring. Ensuring backups take place and that they are frequent enough to minimize data loss are important, he said.
“It’s one thing to think you have a backup, and another thing to know,” Meibers said. “When you are in a cloud hosting environment, with a cloud provider, that backup is a contractual feature. We have customers that host our solutions in cloud data centers. In a cloud hosted environment, making sure you have reliable backup is a little easier, on premise it may be a little harder. But the goal is to make sure you can be back up and running in a couple hours.”
Just as there is a difference between the results and tools used by a do-it-yourselfer and a professional contractor, running your enterprise software in a professionally managed data center enables a contractor to mitigate risk and gain contractually guaranteed performance and security assurances.
“Any size contractor can probably manage to get this handled in a professional hosting solution,” Meibers said. “If you are going the DIY route, use the best backup solutions you can possibly afford. But then, the only way you know you actually have a backup is through regular practice. You need to be able to prove it is a good backup. And frequency is important. In a cloud environment, you can have multiple full backups daily, and data centers strategically placed across the country.”
The time between backups determines how much data is lost in a catastrophic failure or ransomware attack (the recovery point objective), and this, along with the time to restore (the recovery time objective), can be written into a service level agreement (SLA) with a hosting provider.
“Time to restore should typically be within the two to four hour range,” Meibers said. “We also need to pay attention to how long backups are stored. In our case, we store daily backups for 30 days but then more complete backups that take place every month further back. In our environment, we complete multiple full backups per day—every two hours within the day—so you can restore back to where you were two hours ago.”
Meibers advocates cloud hosting as a way to wrap enterprise software in a professional layer of protection and assure adequate backups. Having redundant data means you are less concerned about data loss.
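Meibers’ point that a backup is only proven by restoring it can be turned into a scheduled check. The script below is an added example, not code from the article or from Deltek/ComputerEase: it builds a small constructed SQLite ledger zipped as a backup set, restores it into a scratch directory, runs the database’s own integrity check, confirms the expected tables are present, and measures the backup’s age and the restore time against a two-hour recovery point target and a four-hour recovery time target (both assumed from the figures quoted above). The archive layout, the MANIFEST file and the table names are assumptions for the example.

```python
"""Prove a backup is good: restore it into a scratch location, open it, run an
integrity check, and measure the result against RPO/RTO targets.
Added example; sample data is constructed for illustration."""
import io
import os
import sqlite3
import tempfile
import time
import zipfile
from contextlib import closing
from datetime import datetime, timedelta
from pathlib import Path

RPO_TARGET = timedelta(hours=2)  # assumption: backups every two hours, as in the quoted schedule
RTO_TARGET = timedelta(hours=4)  # assumption: upper end of the quoted two-to-four-hour window


def make_sample_backup(taken_at_iso: str) -> bytes:
    """Constructed sample: a tiny job-cost ledger (SQLite) zipped as a backup set."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "ledger.db")
        with closing(sqlite3.connect(db)) as con:
            con.executescript("""
                CREATE TABLE vendors(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
                CREATE TABLE payments(id INTEGER PRIMARY KEY,
                                      vendor_id INTEGER REFERENCES vendors(id),
                                      amount REAL NOT NULL);
                INSERT INTO vendors VALUES (1, 'Acme Concrete'), (2, 'Summit Rebar');
                INSERT INTO payments VALUES (1, 1, 18500.00), (2, 2, 7200.50), (3, 1, 910.00);
            """)
            con.commit()
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
            z.write(db, "ledger.db")
            z.writestr("MANIFEST", f"taken_at={taken_at_iso}\n")  # assumed manifest format
        return buf.getvalue()


def verify_backup(blob: bytes, now_iso: str, expected_tables=("vendors", "payments")) -> dict:
    """Restore the archive into a scratch directory and prove it is usable.

    Returns a report instead of raising, so a scheduled job can record every
    failure mode: unreadable archive, corrupt member, damaged database,
    missing tables, or a backup too old to meet the RPO."""
    started = time.monotonic()
    now = datetime.fromisoformat(now_iso)
    report = {"restorable": False, "integrity": None, "row_counts": {},
              "taken_at": None, "rpo_met": False, "rto_met": False, "errors": []}
    try:
        with tempfile.TemporaryDirectory() as d:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                bad = z.testzip()  # CRC check of every member before extracting
                if bad is not None:
                    raise ValueError(f"corrupt archive member: {bad}")
                z.extractall(d)
            manifest = dict(line.split("=", 1)
                            for line in Path(d, "MANIFEST").read_text().split())
            report["taken_at"] = manifest["taken_at"]
            with closing(sqlite3.connect(os.path.join(d, "ledger.db"))) as con:
                report["integrity"] = con.execute("PRAGMA integrity_check").fetchone()[0]
                present = {r[0] for r in con.execute(
                    "SELECT name FROM sqlite_master WHERE type='table'")}
                missing = set(expected_tables) - present
                if missing:
                    raise ValueError(f"missing tables: {sorted(missing)}")
                for t in expected_tables:
                    report["row_counts"][t] = con.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
    except Exception as exc:  # any failure means there is no proven backup
        report["errors"].append(repr(exc))
        return report
    report["restorable"] = report["integrity"] == "ok"
    report["rpo_met"] = now - datetime.fromisoformat(report["taken_at"]) <= RPO_TARGET
    report["rto_met"] = timedelta(seconds=time.monotonic() - started) <= RTO_TARGET
    return report


def run_checks() -> dict:
    """Exercise a fresh, a stale, a bit-flipped and an unreadable backup against one clock."""
    now = "2024-05-01T12:00:00"
    good = make_sample_backup("2024-05-01T11:00:00")
    mid = len(good) // 2
    corrupted = good[:mid] + bytes(b ^ 0xFF for b in good[mid:mid + 64]) + good[mid + 64:]
    return {
        "fresh": verify_backup(good, now),
        "stale": verify_backup(make_sample_backup("2024-05-01T07:00:00"), now),
        "corrupted": verify_backup(corrupted, now),
        "garbage": verify_backup(b"this is not a zip archive", now),
    }


if __name__ == "__main__":
    for name, rep in run_checks().items():
        print(f"{name:9s}", "restorable" if rep["restorable"] else "NOT restorable",
              "RPO met" if rep["rpo_met"] else "RPO missed", rep["errors"])
```

The check deliberately returns a report rather than stopping at the first problem, so it can run from a scheduler and leave a record that a restore was actually attempted, which is the evidence Meibers says a contractor needs.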
“But you need to backup your people, too,” Meibers said. “If you want to have full protection, you can’t have just one person administering your software and backups and security. You need a team to cover vacations, illness, different times of day if you work across time zones and in case of resignation.”
Due Diligence With Open Source
Under the terms of their open source license, construction software vendors should disclose in contracts with their customers what open source technologies are built into their product. And according to Pemeco Managing Director Jonathan Gross, contractors should ask questions of software vendors and carefully vet how they manage their open source components.
“Contractors buying software should ask for and get a list of all the open source components and understand what license agreements they are subject to and how those impact them as a user,” Gross, an attorney and software selection consultant, said. “They should come to understand what requirements they are then subject to, and also understand about development and vulnerabilities when dealing with multiple open source libraries.”
Gross also encourages contractors to ask whether software vendors comply with applicable standards such as SOC 2 and ISO/IEC 27001:2013, and how they go about patching both their own code and the open source code they embed.
“Make sure to ask how frequently they apply security patches and how they identify vulnerabilities to be patched,” Gross said. “If a software vendor has to take a system down to patch it, finding out the frequency and how much notice you get is also important.”
Contractors should also, according to Meibers, ask software vendors about their penetration testing processes for both the code they develop internally and the open source code and patches they incorporate.
“I know we do pen testing of every new piece of code we put in place, and have a team dedicated to this,” Meibers said.
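Once a vendor hands over the component list Gross describes, a contractor (or their consultant) can review it mechanically. The script below is an added example, not code from the article or from any vendor named in it: it reads a constructed CycloneDX-style software bill of materials, flags components whose license obligates the user in ways worth a legal review, flags components with no declared license, and checks each version against an abbreviated advisory table. The two advisories used are the well-known Apache Struts (CVE-2017-5638) and Log4j (CVE-2021-44228) issues; the component list, the license assignments and the `ui-widgets` entry are constructed for illustration, and in practice the advisory data would come from a feed such as OSV or the NVD rather than a hand-maintained table.

```python
"""Review a vendor-supplied SBOM for license obligations and known-vulnerable
versions. Added example; the SBOM and license data are constructed samples."""
import json

SAMPLE_SBOM = json.dumps({  # constructed CycloneDX-style document
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"group": "org.apache.struts", "name": "struts2-core", "version": "2.3.31",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"group": "mysql", "name": "mysql-connector-java", "version": "8.0.33",
         "licenses": [{"license": {"id": "GPL-2.0-only"}}]},  # sample license data only
        {"group": "com.example", "name": "ui-widgets", "version": "1.4.0",  # made-up component
         "licenses": []},
    ],
})

# Abbreviated advisory table keyed by (group, name): (advisory id, inclusive affected ranges).
# A real check would query OSV or the NVD instead of a hand-maintained dict.
ADVISORIES = {
    ("org.apache.struts", "struts2-core"): [
        ("CVE-2017-5638", [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]),
    ],
    ("org.apache.logging.log4j", "log4j-core"): [
        # pre-release 2.0-beta/rc builds were also affected; this simple parser does not model them
        ("CVE-2021-44228", [("2.0.0", "2.14.1")]),
    ],
}

# Licenses whose terms a buyer should understand before relying on the product (assumed policy).
NEEDS_LEGAL_REVIEW = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-3.0-only", "SSPL-1.0"}


def parse_version(v: str) -> tuple:
    """'2.3.31' -> (2, 3, 31); non-numeric suffixes such as '10-beta' are truncated."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive range test with components padded so 2.5 == 2.5.0."""
    pv, plo, phi = parse_version(version), parse_version(lo), parse_version(hi)
    n = max(len(pv), len(plo), len(phi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(plo) <= pad(pv) <= pad(phi)


def review_sbom(sbom: dict) -> list:
    """Return one finding per problem: license_unknown, license_review or vulnerable."""
    findings = []
    for c in sbom.get("components", []):
        name, version = c["name"], c.get("version", "")
        ids = [l.get("license", {}).get("id") for l in c.get("licenses", [])]
        ids = [i for i in ids if i]
        if not ids:
            findings.append({"component": name, "version": version, "kind": "license_unknown",
                             "detail": "no license declared; ask the vendor"})
        for lic in ids:
            if lic in NEEDS_LEGAL_REVIEW:
                findings.append({"component": name, "version": version, "kind": "license_review",
                                 "detail": f"{lic} carries obligations for the user"})
        for advisory, ranges in ADVISORIES.get((c.get("group", ""), name), []):
            if any(in_range(version, lo, hi) for lo, hi in ranges):
                findings.append({"component": name, "version": version, "kind": "vulnerable",
                                 "detail": f"{version} is within the affected range of {advisory}"})
    return findings


def review_sample() -> list:
    return review_sbom(json.loads(SAMPLE_SBOM))


if __name__ == "__main__":
    for f in review_sample():
        print(f"{f['kind']:16s} {f['component']} {f['version']}: {f['detail']}")
```

A finding of `vulnerable` is the prompt for Gross’s follow-up questions: how quickly the vendor applies patches and how much notice the customer gets when a patch requires downtime.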
Across the board, Gross said, the term “caveat emptor” applies.
“Even with multi-tenant SaaS software where you may think things are highly standardized, contract negotiations are fair game,” Gross said. “The standard contract will be 70 to 80 percent in favor of mitigating the vendor’s risk at the expense of the customer. So it is contingent on the customer to seek clarity about things like, if the system goes down, what are the vendor’s obligations to get it back up, how much data are they allowed to lose. There should be definitions around uptime, a recovery point objective and a recovery time objective. Some of them may be patched or updated on an ad hoc basis rather than a routine cycle.”
Construction Software with Preventive and Detective Controls
Multi-user construction software should enable each user to be assigned specific access permissions so that no single employee can complete all the business process steps required to defraud the company.
“You have to have that separation of duties process in place and have a software product that enforces that,” Meibers said. “When a certain employee logs in, he or she can create a vendor, but not also approve an invoice and issue payment to that vendor. Different people should do those things in a company of any size.”
Here, again, the principle of caveat emptor applies as contractors vet different software vendors.
“Contractors should ask about the permission levels they can set per user,” Meibers said.
Such preventive controls may come baked into enterprise software, but they often need to be configured and can even be disabled by someone knowledgeable about the software. That means both preventive controls, which stop fraud from happening, and detective controls, which allow it to be discovered after the fact, are important.
“In multi-tenant software, some of those securities are already built in there,” Meibers said. “But even in a multi-tenant solution, typically it will be on the individual company to set their business rules. So software should also enable a company to set an alert or an audit trail. This enables a contractor to set alerts when a certain transaction size is processed, when new vendors are added or other triggering events. It should also record who entered what data, paid an invoice or made that journal entry.”
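The two sides Meibers describes, a permission model that keeps vendor creation, invoice approval and payment release in different hands, and an audit trail that can be queried for the cases where that separation failed, can both be checked with a short script. The one below is an added example, not code from the article or from any vendor named in it. The role names, the conflict pairs, the audit-log columns, the user IDs and every log line are constructed for illustration, as are the thresholds (payments of 25,000 or more, and payments to a vendor created within the previous seven days).

```python
"""Preventive and detective separation-of-duties checks over the
vendor -> invoice -> approval -> payment cycle.
Added example; role data and audit lines are constructed samples."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Preventive side: permission pairs one login must never hold at the same time (assumed policy).
CONFLICTING_ROLES = [
    ("vendor_maintenance", "invoice_approval"),
    ("vendor_maintenance", "payment_release"),
    ("invoice_entry", "invoice_approval"),
    ("invoice_approval", "payment_release"),
]

SAMPLE_ROLES = {  # constructed permission assignments
    "mlopez": {"vendor_maintenance", "invoice_entry", "payment_release"},
    "dchen": {"invoice_entry", "invoice_approval"},
    "rpatel": {"vendor_maintenance", "payment_release"},
    "akim": {"invoice_entry"},
}


def conflicting_assignments(roles_by_user: dict) -> list:
    """Report (user, role_a, role_b) for every user holding a forbidden pair."""
    return [(user, a, b) for user, roles in roles_by_user.items()
            for a, b in CONFLICTING_ROLES if a in roles and b in roles]


# Detective side: the audit trail the software should be writing (constructed lines).
AUDIT_CSV = """timestamp,user,action,object_id,vendor_id,amount
2024-02-10T14:00:00,rpatel,create_vendor,V-0990,V-0990,
2024-03-01T09:12:00,mlopez,create_vendor,V-1041,V-1041,
2024-03-01T09:30:00,mlopez,enter_invoice,INV-2207,V-1041,48200.00
2024-03-01T10:05:00,dchen,approve_invoice,INV-2207,V-1041,48200.00
2024-03-01T10:40:00,mlopez,issue_payment,INV-2207,V-1041,48200.00
2024-03-04T11:00:00,akim,enter_invoice,INV-2215,V-0990,6100.00
2024-03-04T15:30:00,dchen,approve_invoice,INV-2215,V-0990,6100.00
2024-03-05T09:00:00,rpatel,issue_payment,INV-2215,V-0990,6100.00
2024-03-06T08:45:00,dchen,enter_invoice,INV-2220,V-0990,3250.00
2024-03-06T08:50:00,dchen,approve_invoice,INV-2220,V-0990,3250.00
"""


def load_audit(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
        r["amount"] = float(r["amount"]) if r["amount"] else None
    return rows


def detect(rows: list, large_amount: float = 25000.0,
           new_vendor_window: timedelta = timedelta(days=7)) -> list:
    """Return (rule, invoice_id, user) for each separation-of-duties or threshold event."""
    vendor_created = {}            # vendor_id -> (creating user, timestamp)
    by_invoice = defaultdict(dict)  # invoice_id -> action -> audit row
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        if r["action"] == "create_vendor":
            vendor_created[r["vendor_id"]] = (r["user"], r["timestamp"])
        else:
            by_invoice[r["object_id"]][r["action"]] = r
    findings = []
    for inv, steps in by_invoice.items():
        who = {action: row["user"] for action, row in steps.items()}
        vendor = next(iter(steps.values()))["vendor_id"]
        creator, created_at = vendor_created.get(vendor, (None, None))
        if "enter_invoice" in who and who.get("approve_invoice") == who["enter_invoice"]:
            findings.append(("sod_enter_and_approve", inv, who["enter_invoice"]))
        if "approve_invoice" in who and who.get("issue_payment") == who["approve_invoice"]:
            findings.append(("sod_approve_and_pay", inv, who["approve_invoice"]))
        for action in ("approve_invoice", "issue_payment"):
            if creator is not None and who.get(action) == creator:
                findings.append(("sod_vendor_creator_" + action, inv, creator))
        pay = steps.get("issue_payment")
        if pay is not None:
            if pay["amount"] is not None and pay["amount"] >= large_amount:
                findings.append(("large_payment", inv, pay["user"]))
            if created_at is not None and pay["timestamp"] - created_at <= new_vendor_window:
                findings.append(("payment_to_new_vendor", inv, pay["user"]))
    return findings


def sample_findings() -> tuple:
    """Run both checks over the constructed data: (role conflicts, audit findings)."""
    return conflicting_assignments(SAMPLE_ROLES), detect(load_audit(AUDIT_CSV))


if __name__ == "__main__":
    conflicts, events = sample_findings()
    for user, a, b in conflicts:
        print(f"permission conflict: {user} holds both {a} and {b}")
    for rule, inv, user in events:
        print(f"{rule:34s} {inv} by {user}")
```

On the sample data the preventive check and the detective check agree: the users whose permission sets break the policy are the same ones who appear in the audit findings, which is the kind of cross-check a contractor can run after any workflow change of the sort described earlier.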