While mobile and cloud technologies are moving swiftly onto jobsites and offices across the construction trades, financial software has been slow to be adopted into the constellation of Internet-based business tools. The reason seems clear enough: despite excitement about the benefits of anytime-anywhere computing, users in the construction industry are simply unsure about the security of these applications, with confidence ranging from total and unquestioning to absolutely zero. Many companies aim for the middle by piecing together a few ad hoc safety measures around their use and hope for the best. A 2015 survey of construction companies, however, found that over 20% of respondents were unsure whether their companies had any cloud security policies or procedures at all. In AGC’s 2016 Construction Outlook Survey, less than half of respondents indicated they have mobile security policies in place, and 40% cited security concerns as their primary reason for not using cloud-based software. In all of this uncertainty, many just aren’t willing to take the gamble these technologies appear to represent.
The idea of the cloud itself is often not a solid concept. The term can have wide uses, and debates get caught up in what counts as “true” cloud and what doesn’t. In broad strokes, the National Institute of Standards and Technology officially defines cloud computing as, “a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” JB Knowledge translates all this to mean, “computing, storage and data transmission that is available, anywhere, anytime, on any device, in any capacity or location desired.” Put even more plainly, it’s simply computing over an Internet connection, which includes software-as-a-service (SaaS) as well as mobile applications that sync with some other server like your office computer.
So are cloud accounting programs and jobsite mobile apps secure? To help see through some of the haze to answer this question, there are several things that construction companies should know.
1. Data Security Begins at Home
What often alarms users most about the notion of sending their data onto the cloud or using mobile devices is the mental image of data just floating around “out there” rather than in the “lockbox” their desktop computer appears to be. One of the biggest threats to data security, however, isn’t hackers looking to ransom your data or corporate spies peaking in from outside — it’s an internal breach performing an act called exfiltration, or, the movement of data out of a system. In other words, if infiltration is the breaking and entering, then exfiltration is the act of burglary. In a study published last year, Intel found that over 40% of instances of data exfiltration were performed internally, whether that was with physical media like USB drives or with various Web-based methods like email.
Internal breaches aren’t always sinister either. Certainly they can happen when a disgruntled employee has extensive, unmonitored access to company data even after he’s been escorted off the premises. Alternatively, though, exfiltration can also result simply from a careless or untrained employee who saves her password in her browser or who leaves his tablet behind at the airport. Such accidental cases account, according to Intel, for about half of internal data loss incidents. The Cloud Security Alliance (CSA) ranks insufficient password security and access management as the number two threat to cloud computing for 2016, several places above “malicious insiders.”
Even external breaches such as phishing attacks come down in large part to employee education and accountability, making company-wide use policies and training essential for company-wide security. Hoping for the best and trusting “common sense” simply doesn’t work, because phishing attempts do. Verizon’s annual study of global data breaches showed that 23% of recipients open phishing messages, and campaigns of just 10 malicious emails have a 90% chance of snaring a victim. These emails don’t even need to target the CIO or database administrator to get what they want or to deal a devastating blow to a business. James Benham, CEO of JB Knowledge, has boasted about penetrating entire on-premise networks just by sending the receptionist a cat video, which downloaded a script onto her computer. Preventative measures that companies should take include utilizing spam filters, implementing security awareness and establishing a response plan.
As cybersecurity and cloud gurus will say, threats simply exist — whether you’re cloud, mobile or on-premise — which is why data security always begins at home, with business-level and user-level practices. “In the absence of these standards,” reports the CSA, “businesses are vulnerable to security breaches that can erase any gains made by the switch to cloud technology.” One way construction companies can take responsibility for their security is by restricting and auditing access rights, thus making sure that no one has more access than they need and that a process is in place to swiftly revoke access from terminated employees. This isn’t about not trusting your people; it’s about not trusting the bad guys who could otherwise have free reign of the whole system just by breaking in through any one door. Companies are also advised to implement and communicate Internet-use and mobile-device policies to all employees, regardless of whether they supply devices or have a BYOD program.
2. Your Data Doesn’t Live on the Cloud
For all of the security risks that exist just on your Internet-facing devices — including computers loaded with traditional installed software — users should have a realistic picture of where their data lives when it’s not being accessed on their machines. Far from the nebulous-sounding, unprotected airspace evoked by the word “cloud,” the servers that store and host client data are actually maintained under much more robust security than you would see in most construction company offices. Public data centers can practically be bunkers — with concrete walls, steel doors, continuous monitoring and top-tier firewalls. Even in smaller-scale operations, server rooms that are designed to house client data are secured with restricted access and continually monitored for suspicious activity. What’s more, data are typically housed not just at a single site but are, as a best practice, backed up continuously on additional servers at geographically diverse data centers, hedging against data loss in case of physical disaster.
To replicate all of these safeguards, contractors can begin by building disaster-resistant server rooms, hiring a cybersecurity staff and contracting an on-site security company, or alternatively, they can outsource their data storage to experts the same way we outsource our money storage to our bank or a credit union. When users need to access and work with their data, they “withdraw” it through a secure, encrypted, authenticated Internet connection until they sign off. Unless a user makes the ill-advised move of then saving that data to his device’s hard drive, where it becomes vulnerable to some of the exfiltration described above, the data “returns” to the safety of its off-site servers. The shortcoming of this metaphor, however, is of course one of the cloud’s biggest benefits — next to security: despite “withdrawing” the data, the data never actually leaves the data center servers. Instead, users at a single company have the ability to collaborate, even while accessing the servers from multiple locations simultaneously.
3. Encryption Is Key
While data can largely be secured at rest with the kind of standards described above, between end-users and vendor or third-party data centers, the other side of the coin concerns securing data in flight. When it comes to protecting data in transit, encryption is the key — or rather, it’s the lock. Encryption is the process of translating data into an unreadable form that requires a decryption key to render it back into a usable form. It’s the same basic principle that you may have used to pass secret messages during class that only your best friend knew how to decode. Fortunately, just like with the security measures and processes used by data centers, companies will find that most vendors employ best practices as a standard.
In one sense, encryption begins with a secure transfer channel. The prime example currently is transport layer security (TLS) encryption, which allows a user to send information safely from her device to the Web application on the cloud. TLS consist in two parts: (1) encoding the data and then (2) establishing a friendly connection between the client and the server. You and your classmate can’t go out in the hall to tell each other jokes about your teacher, so how are going to communicate? First, you write down your message in a code you both know, and second, you flash him a secret look so that only he knows the wadded up paper you’re about to throw at his desk contains a coded message. That way, only he receives the message and only he can translate it. On the Internet, there’s no equivalent to an empty hallway you can use to communicate sensitive data without the risk of eavesdroppers, but encryption protocols effectively create secure means of passing data right behind the backs of people who would gladly confiscate it.
For even better security, though, encryption goes even beyond the process of transmission. Presently the gold standard for at-rest encryption is AES-256, which stands for Advanced Encryption Standard 256-bits, meaning it has a decryption key that’s 256 binary digits (0s and 1s) long. The result is a decryption process that takes several dozen steps of translating, transposing and recoding, making it the trusted encryption algorithm of banks and governments. If we continue the metaphor, after your friend gets your secret note and works out the decoded message, how do you prevent the teacher from confiscating it and reading what you said about her? At-rest decryption would have your friend translate it from your shared secret code into his own private code. Of course all of this, thankfully, is far more complex and dynamic, using an algorithm that the CSA’s Quantum-safe Security Working Group projects will remain safe for the next 20 to 30 years. Properly implemented, AES-256 has had no reported cases of being cracked.
4. Your Data Belongs to You (As Long As Your Contract Says It Does)
A final concern that contractors might encounter is the proposition of not merely entrusting the security of their data to someone else but ultimately giving sensitive data — including employee and customer information — over to another party. This does and should raise a series of questions, and any company that considers implementing some form of cloud computing owes it to both its employees and its clients to be sure of the answers. Along with peace of mind about data security, complete ownership of your own data is a reasonable expectation. However, just as construction companies should do their due diligence in ensuring data safety and investigating the security standards of their cloud provider, ownership of data shouldn’t be taken for granted. Neither should it be taken for granted what “ownership” means.
The first question companies should ask is, Who has access to my data? The obvious answer may be “Amazon” or “Foundation Software,” but there’s a big difference between your vendor’s IT department and their marketing department. Of course a service agreement isn’t going to provide a manifest of everyone who will get to see a piece of your data along with their position titles, but you might be able to look for a confidentiality clause that mentions access only for employees with a “need to know” in order to fulfill the vendor’s service obligations. To help illuminate who has access to your data, another important question to ask is, What are they allowed to do with my data? This should be spelled out in the service agreement. A standard agreement will allow for the sharing of content with third parties only as required to provide the services contracted or in order to comply with subpoenas or other court orders, but these should come with due notification, and the vendor should express its legal commitment in writing to protect the confidential information it receives.
Trust is a virtue, but when it comes to vendor use of your data, trust should be verified. Without legal assurance, contractors are right to be concerned about the possibility that their information could not only be held but used. That doesn’t mean that a vendor will sell your financial information to corporate spies or auction off employee social security numbers to identity thieves, but a bad agreement might grant them the right to mine your data for marketing lists. Companies should especially be wary of free cloud services and free mobile applications, because their revenue is coming from somewhere if not product sales, and one of their income sources could very well be client data.
A final test of ownership poses the question, What happens with my data in the end? Unlike the traditional desktop software we used to install from floppy disks and CDs, mobile and cloud applications place you in an ongoing relationship with the vendor, but at some point that relationship might reach an end. So what happens to all of your data on their servers? If the data truly is yours, the agreement should provide for transition services within a specified window of time following termination to make sure the data gets back to you in one piece. Think of closing a bank account; you expect them to pay out a standard currency you can take to any other bank, not a private banknote only recognized at Chase branches. In the same way, vendors should agree ahead of time to provide a standard database format. Following the return of your data, there should also be an expressed commitment to delete it from their servers.
The principle here is so much the same as in the rest of the construction business: Get it in writing. In the end, ownership of your data should be clear and explicit, affirming all rights, title and interest.
Are cloud accounting and mobile jobsite applications secure? The answer is, they can be, in a similar way to how our hard drives and our filing cabinets can be. Each of these require reasonable and responsible measures to be taken by companies that handle sensitive data, understanding that the dynamic environment of the Internet requires continual adaptation — that firewall you installed in 2008, unlike the lock on your old cabinets, isn’t going to cut it. One way users of cloud technology are helped, however, is with the best practices implemented by cloud service providers, which can make data on their servers far more secure than they would be when kept on site. Further, current encryption technology creates a secure channel for data to pass safely between points even amid the perils of the Internet. Lastly, contractors and their financial professionals should be able to rest assured that their data will be handled responsibly by their vendor and will retain complete ownership from beginning to end.
 JB Knowledge, The 4th Annual Construction Technology Report (2015), 26.
 Association of General Contractors, 2016 Construction Outlook Survey Results (2016), 8.
 JB Knowledge, 24.
 Intel Security, Grand Theft Data: Data Exfiltration Study: Actors, tactics, and definitions (2015), 4.
 Cloud Security Alliance, The Treacherous 12: Cloud Computing Top Threats in 2016***(2015), 11.
 Verizon Enterprise Solutions, 2015 Data Breach Investigations Report (2015), 13.
 Cloud Security Alliance, The Treacherous 12: Cloud Computing Top Threats in 2016 (2015), 5.
 “Quantum-safe Security Working Group,” The Cloud Security Alliance, accessed March 23, 2016, http://cloudsecurityalliance.org/group/quantum-safe-security/