As the COVID-19-based shutdowns continue to force companies and their employees to adapt to new work environments and protocols, everyone must recognize the unique risks and challenges these uncertain times pose from a data privacy and cybersecurity standpoint. This is especially important now that many employees are, for the first time, working from home daily in an effort to protect against the spread of the novel coronavirus.

While many construction projects continue marching along, much of the way these projects are administered is transforming with the ever-growing virtual work environment. Just as everyone washes their hands and keeps their distance to protect health and safety, employees and companies alike should continue to take precautionary measures to avoid undue risks to the data in their control.

During the ordinary course of project bidding and project administration, many employees are likely to come into possession of confidential and/or proprietary information that must be safeguarded. For instance, contractors will often have confidential blueprints or other drawings saved to their networks as a necessary resource through the duration of a project. The contractor will likely also have stored confidential financial or personal information relating to the owner, their own employees and/or subcontractors (i.e. banking information, social security numbers and other types of personal identifying information). While the duty to protect this information (both in hard copy and electronic form) is not something new, the current transition to more remote work has both heightened the risks—with more devices susceptible to attacks—and highlighted the importance of being prepared.

Any adjustment to data practices can raise concerns about newer and more creative phishing attempts, potential data breaches, increased vulnerability to ransomware and malware and other threats both to employees’ privacy and to employers’ data. Businesses can minimize risks due to vulnerable work-from-home setups or practices by prioritizing the most sensitive risk points.

For employees working remotely, here are examples of steps businesses can take to help make home workspaces, project trailers and personal devices more secure.

Update, implement and/or review policies on data security and confidentiality

The importance of having a plan applies equally to the protection of data as it does to the construction work taking place in the field. For those contractors who do not have policies and procedures developed for handling confidential and proprietary data, now is the time to make that investment and begin implementation. For those with existing policies in place, now is the time to review them. Management should send regular updates and reminders to employees to maintain their security hygiene and explain how the policies apply to the work-from-home environment.

Utilize encryption when transmitting confidential data

Encryption is the process that scrambles readable text being transmitted so it can be read only by the person with the password or decryption key required to access it. There will undoubtedly come a time where a remote employee will need to share some set of confidential data with another remote employee. It could be simply sending a specific set of drawings, a budget, banking information or details for an upcoming proposal. When that time comes, encryption is a necessary and useful tool to reasonably ensure that confidential data is protected during transit.

Clarify personal device etiquette

While the safest option would be for all remote employees to use a corporate device, the reality is that many employees are working from personal devices and connecting to company networks via a virtual private network (VPN). For these employees, access through the VPN is necessary to do their jobs.

For instance, project managers need uninterrupted access to internal documentation systems as well as access to project specific information typically stored on internal networks, and accounting professionals need to be able to access the systems to process payments received from owners and outgoing payments to employees and subcontractors. Performing these tasks on personal devices increases the access points and, thus, the risk that hackers or other nefarious actors can penetrate the internal systems.

To minimize the risk of such penetration, companies should consider utilizing multi-factor authentication before granting access to the VPN. Companies should also remind employees to avoid using personal devices for personal reasons while logged into a company’s VPN. In addition, companies should consider investing in software that provides encryption for data on personal devices as well as the capability for remote-wiping of data in the event a device is lost, stolen or otherwise compromised. Likewise, employees who need to print or scan using a personal device should be discouraged from emailing confidential documents to their personal email. Instead, companies can adjust IT policies to allow personal printer drivers to be installed on company devices.

Secure home Wi-Fi networks

There are several ways to make a home Wi-Fi network more secure. In addition to password-protecting the network, it is also a best practice to not use any personally identifiable naming in the network names. With schools closing, children, roommates and spouses may be using the same Wi-Fi network in the home. If possible, create a separate network login (many routers have guest networking capabilities or include a 5G option that can be separated out) to minimize the risk of becoming victim to vulnerabilities in less-secure devices. These steps should be taken now and continue to stay in place even after the lockdowns begin to lift.

Keep watch for phishing schemes

This is a good time to be on high alert for phishing attempts. Phishing emails attempt to collect personal information or get users to download malware onto their devices. Currently, there is an uptick in schemes where the phisher imitates the CDC, WHO or other COVID-19-related authorities. It is tempting to click on links to get all the information possible on the pandemic, but once a phishing attack is successful, the hacker has the potential to access all sorts of information stored on the network (e.g., banking information, projections, drawings, etc.).

Several years ago, there was an uptick in hacking attempts focused on stealing blueprints, so this risk should not be discounted. A great way for companies to minimize the risk of their employees clicking these links is to provide a company resource page where employees can safely navigate real information about COVID-19. Also, as mentioned above, periodic updates or warnings should be sent out to personnel to keep everyone on alert.

Vet videoconference services

More than ever, videoconferencing technology has become a vital piece of the work-from-home puzzle; however, confidential conversations on Zoom, Google Meet or similar resources should be used with caution due to the potential for security issues on these platforms. Internet trolls and would-be hackers have seized on this increased reliance on videoconferencing and have been “Zoombombing” meetings that were intended to be private. These uninvited guests can hijack the meetings, forcing them to shut down or, worse, allowing them to quietly obtain whatever information is being shared. Fortunately, Zoom offers a number of precautionary measures such as setting passwords, utilizing waiting rooms or creating unique IDs for each meeting, but since many of these services are new, additional unknown vulnerabilities may still exist. Further, these third-party services collect data, so a thorough review of privacy and data use policies is recommended.

Securely dispose of physical documents

Given the increased reliance on digital work, protecting the confidentiality of hard-copy documents might be overlooked, but it is equally important to have similar safeguards in place. Whether it is personal copies of the drawings or pricing information, these documents deserve the same protections as those on electronic devices. Unfortunately, however, most employees will not have shredders readily available to dispose of confidential documents as they would in the office. Therefore, if employees have private documents in need of disposal, they should be kept in a secure location until they can be safely shredded and/or disposed of in an appropriate manner.

As project management and administration continues to rely on the virtual work environment, these measures can help minimize unnecessary risks to their data and their employer’s data.