Documents, data, information, confidentiality, security… These buzz words are regularly making it into the board room of contractors across the country. Do you include these words along with words like employees and subcontractors? Like every other industry, contractors are becoming increasingly concerned about the risks associated with keeping networks secure, data safe, and information confidential.

Every industry also is confronted with three areas of focus – internal security, employee behavior, and vendor management. Contractors differ, however, from many industries with a higher than average risk from employees and subcontractor management.

A knowledgeable IT team can effectively manage the internal security risk via best practices and ongoing maintenance and management. However, the employee and subcontractor risk takes more than just an effective IT team. Those 2 areas of risk take an interaction between training, culture, and project management.

Employees are generally the weakest link in document and data security. In the construction world, these risks are heightened due to the significant off-site work and mobile connectively. Managing this risk starts with training and behavior. Topics should include password protection, use of USB sticks and other external devices, downloading unapproved software, and clicking on unknown email links. Employee behaviors are also important including care when working on confidential documents on an airplane, in a coffee shop, or on a job site. This includes an awareness of surroundings when discussing confidential company information. This awareness is more than a checklist or once/year training program. It requires a cultural shift that reinforces employee activity impact on data security and the risks associated with these activities and behaviors.

Subcontractors and vendors add an additional layer of complexity and risk. Reaching your own IT team and employees is step one, but reaching those of a subcontractor is more complex. This complexity also leads to great risk that is more challenging to control. Many subcontractors and vendors don’t have security and IT experts on staff so might not be fully able to address all the internal security questions, not to mention employee behaviors. At the same time, every contractor shares documents, data, systems, and information with many third parties. Understanding the subcontractor cyber risk plan is just as important as understanding and managing your own plans and policies. One weak link through a vendor can negate the hard work inside your own organization. Fortunately, it is possible to deploy various models to score and monitor the cyber risk of vendors. This allows you to prioritize areas of focus with highest risk and could then include targeted discussions around some basic practices to decrease the risk not only for your organization but for the vendor as well. Some basic areas of discussion could include threat monitoring, encryption, and perhaps even a short term, outsourced security review.

A comprehensive cyber security plan needs to include a three-pronged approach including internal IT system controls, employee behavior, and finally subcontractor evaluations. Additional risks will continue to emerge in this area, however, a three-pronged approach will ensure that all key vulnerabilities are part of the standard risk management procedures.