Leveraging Cybersecurity as a Market Advantage

By PATRICK NORD, PAUL CORMIER AND JAY SNYDER


Engineering and construction firms need every edge they can get in their competitive business environment. Let us provide context for the growing risk of cyberthreats and share stories of contractors who have successfully pursued cybersecurity as an advantage in their market.

Let us take a moment to understand the magnitude of the threat. By Accenture’s count, the total cost of cybercrime per company increased from $11.7 million in 2017 to $13 million in 2018—an increase of 12%. According to the Internet Crime Complaint Center (IC3), financial losses associated with cyberattacks reached $2.7 billion in 2018, with the most devastating threats including investment scams, business email compromises and romance fraud.

As the number and types of cyberattacks continue to proliferate worldwide, the impacts of these crimes are being felt by everyone from individual consumers to global corporations. Unlike five to 10 years ago, when most cyberattacks targeted large organizations, financial institutions and computer networks, cybercriminals now target smaller organizations in industries that wouldn’t have traditionally been on their radar. The emergence of cloud computing and the Internet of Things (IoT), notably, can unknowingly expose companies across all industries to threats that they didn’t worry about when their IT infrastructure was housed within their office.

In this article, we will explore the key reasons E&C must pay attention to cybersecurity, advise which steps to take to establish a good cybersecurity front, and show how three different firms are practicing improved security measures as an advantage when positioning in their market.

The Threats Are Vast and Expanding

As mentioned, the hacking industry is vast, expanding and growing at a ferocious pace. A veritable playground, the web provides resources, data and information that are even used by hackers and other cybercriminals to set up research and development (R&D) departments. The threat is real, organized, incentivized and adept at pouncing on low-hanging fruit.

Specific to E&C companies, the threat is exacerbated by the industry’s increased use of technology. Ten to 15 years ago, it wasn’t unusual to see companies running their businesses with only landline analog phones, forms (do you remember “Goldenrod”?), pencils and an occasional spreadsheet (usually housed on a single computer hard drive). Except for “dumpster divers” seeking sensitive data that was disposed of without being shredded and the internal/employee threat, these methods were considered safe.


As E&C firms adopted enterprise solutions, cloud-based applications, mobile devices and smartphones, this sense of security diminished. Concurrently, cybercriminals realized they didn’t need an elaborate plan to disrupt well-respected companies like Target, Yahoo! or Equifax; they could prey on smaller entities and their supply chain that often neglect maintaining the most up-to-date cybersecurity infrastructures and policies. Industries already under direct attack like healthcare, energy/utilities and state/local governments, to name just a few, have a new avenue to vulnerabilities: E&C firms and the built environment’s supply chain.

From our perspective, E&C is particularly vulnerable to cybersecurity threats because of the industry’s general lack of awareness or sense of urgency around this risk. Put simply, most E&C companies lack the experience needed to identify, prioritize and mitigate cyberthreats because, in the past, the risks weren’t prevalent, and cybersecurity experts weren’t focused on the industry. As a result, the typical construction firm’s IT staff provides support and expertise more along the lines of a “help desk”—a group that keeps employees online and that prepares technology equipment for deployment to the field. These folks are not trained on cybersecurity, nor do they have the resources they need to be able to identify and address these risks.

Here’s the good news: E&C firms that do make cybersecurity a priority have a definitive leg up on their competitors that choose to ignore it until a catastrophe occurs. By implementing policies, processes and resources to address this issue, companies can position themselves as both forward-thinking and proactive. To illustrate the value of prioritizing cybersecurity for E&C firms, here are three stories about firms that were impacted by cyberthreats and turned these events into an opportunity to dramatically improve their business security and lower their risk, readying them to position cybersecurity as a market advantage.

To this point, by simply ensuring that all operating systems, software and third-party applications are up to date and running on the latest software versions, E&C firms will have taken the first precautionary step needed to ward off the latest threats.

Battling Ransomware

After falling prey to a Megacortex ransomware attack in 2019, one solar installer was left to sort out all its files—a process that took weeks to recover from. Originating through phishing emails, the attack was devastating for the firm. “All of our files were encrypted,” the company’s owner said. Fortunately, the firm had already completed a cybersecurity vulnerability assessment prior to the attack and was already starting to work on the items of highest priority.

Since the attack, the company has been taking proactive steps to combat any future breaches.

“We’ve probably done 20 things already to make things better,” said the owner. For instance, it improved its password policy; refined its account accessibility privileges (limiting them only to those users who need access to certain accounts); and began using the Barracuda email filtering program.


The solar installer now also takes a more calculated approach to working with new business partners, knowing that its vulnerabilities are not just limited to the space within its four walls. “We collaborate electronically and share sensitive data, so we want to work with partners that have good processes and programs in place,” he said. “We’ve invested in a sophisticated IT practice and we now have a road map that supports our digital transformation.”

The De Facto Standard

For one commercial contractor, combatting cyberthreats has meant disconnecting an employee’s laptop from the corporate network in order to address a ransomware or phishing threat (usually by reformatting the laptop). Fortunately, these quick moves have kept the company from experiencing an enterprise-wide cyberattack.

“We’ve had employees click on unsavory links or websites and inadvertently download ransomware,” said the company’s president.

To minimize these occurrences, the company has developed internal policies outlining how to react when there is a potential breach. First, it identifies the breach and where it originated from, then it figures out the impact. Finally, it notifies all responsible parties about the impact to its business units and works to remediate the breach.

Its president sees these procedures and processes as extremely important in today’s E&C environment. “Going forward, it’s going to be the de facto standard,” he said. “We’re all going to need to have stated—and understood—cybersecurity policies, systems and services in place.”

If We Don’t Have a Good Answer, We Can’t Bid

For one large general contractor that works nationally, regular training, monitoring, awareness and protocols ensure that attacks do not create major disruptions. “We had an ‘ethical’ hacker on our website just last week, asking for a bounty,” a company manager pointed out. “It’s not that unusual, but we have the systems in place to manage it.”

With about 17 active cybersecurity projects on its to-do list, the company hopes to tackle all of them within the next 18 months. Some of the initiatives include updating all equipment firmware and all software programs. The company also plans to take a “long hard look” at its password policy and how users are authenticated. “We’re also starting a phishing campaign,” the manager said, “where we do ‘fake’ phishing attempts that test our users.”

When asked whether its serious approach will give the general contractor a more competitive position in the marketplace, he said, “People want to know how we’re protecting information, and if we don’t have a good answer, we can’t bid.”

Employee training is also critical. Consider that all staff members should know not only how to handle sensitive data but also how to recognize potential threats (i.e., phishing emails) before they turn into major problems. This applies to everyone in the organization—from the CEO to the summer intern—all of whom must be onboard and complying with the firm’s security policies.

Finally, these business and personnel best practices must be shared. Call it “Cybersecurity in the Workplace.” Fix the tools, address personal behavior and require commitment from the supply chain. Prequalification criteria need to include cybersecurity.


What Goes Into a Good Cybersecurity Defense?

In January, the U.S. Department of Defense (DoD) released version 1.0 of the Cybersecurity Maturity Model Certification (CMMC) framework, which will require DoD contractors and subcontractors to obtain third-party certification of their cybersecurity maturity. The DoD created the CMMC to combat malicious cyberattacks in the DoD’s supply chain, as such attacks threatened economic security and national security. We will likely see similar moves taken in the private sector—yet another reason why E&C firms need to shore up their cybersecurity approaches sooner rather than later. [1]

Cybersecurity defenses have become competitive differentiators in the market. Fortunately, all contractors can employ measures to stand apart from their competition with clients. Examples of measures that significantly improve contractors’ posture and propel their reputation as a market leader in cybersecurity include:

  • Multifactor Authentication: This is a security system that requires multiple different credentials before verifying a user’s identity.

  • Mobile Device Management (MDM): Security software that contractors can use to monitor, manage and secure the mobile devices used by employees.

  • Good Cybersecurity Hygiene: Installing patches, running updates, enforcing password discipline and employee training.

  • Due Diligence of Third Parties: Your business partners’ cybersecurity measures directly impact your company. For example, GCs should always vet the cyber preparedness of the subcontractors they work with.

[1] Tackling Increased Cybersecurity Requirements In The Defense Industrial Base, The National Law Review, https://www.natlawreview.com/article/tackling-increased-cybersecurity-requirements-defense-industrial-base

Getting a Leg Up

Whether instituting multifactor authentication, patching software systems, implementing mobile device management policies, or working with third-party cybersecurity consultancies, a growing number of E&C firms are now taking cybersecurity seriously and giving it priority. With cyberattacks inflicting catastrophic damage—and with states like California enacting new data protection laws—companies of all sizes should view cybersecurity not as a burden, but as a differentiator.

To get started, companies that want to improve their cybersecurity stance should first identify and understand their current vulnerabilities. They need to take a good, hard look at where they are, where they should be, and how to get there. An independent set of expert eyes can be invaluable at this point, as the vulnerabilities aren’t readily obvious to an untrained eye. It is critical to embrace these experts as part of the IT team and not create conflict between the current group and the specialty consultant.

Next, put a plan in place that includes training your team; completing a cybersecurity readiness assessment; and talking to team members, subcontractors and business partners about the potential risks.

Today, as COVID-19 continues to disrupt business and everyday life, creating a new and uncertain operating environment, cybercriminals are working hard to turn the crisis into an opportunity. There has been a proliferation of malicious sites preying on individuals searching for information about the virus, seeking financial assistance from public and private programs, exploiting virtual meeting spaces and invading corporate systems from work-from-home offices.


Interestingly, the best practices for addressing COVID-19 are the same actions needed to combat cybersecurity threats on a corporate level:

1. Transparency – The more that is known, the better prepared everyone can be.

2. Testing – Baseline assessments are critical for knowing current vulnerabilities or uncovering existing breaches.

3. Hygiene – Managing updates, patches, password protection and policies provides frontline defenses.

4. Accountability – Hold the company fully accountable for its behavior and hold other businesses to the same standard.

As you work through these steps, keep in mind just how quickly a single cybersecurity incident can bring a company to its knees. For example, what would happen if your accounting system were hijacked for a week? Alternatively, what if sensitive client data was stolen by cybercriminals? These are painful and extremely expensive events that cause prolonged reputational damage, but proactive E&C firms can effectively avoid these negative impacts while also positioning themselves as cybersecurity-conscious organizations and teams in our connected world. Those that move quickly and succeed at establishing a strong program will not only meet projects’ growing cybersecurity requirements but also be poised and positioned as the benchmark clients use to assess the adequacy of others.


Patrick Nord

Patrick is a Principal Consultant with Archetype SC and an accomplished analyst who loves data and the problems they describe. At Archetype SC, Patrick brings his expertise to defining and documenting client challenges and needs and working with our team to develop solutions. He can be reached at [email protected].

Paul Cormier

Paul is a Principal Consultant with Archetype SC. With more than 25 years as an administrator and entrepreneur in the interior and manufacturing industries, Paul Cormier brings a wealth of experience in finance, technology and business development to the Archetype SC team. He can be reached at [email protected].

Archetype SC solves complicated business challenges with technology. They work with companies to find solutions that are creative, innovative and focused on making things easier for their clients. They are known in their communities as much for the information they share with peers, as for the solutions they provide to our clients. Archetype SC is built by people who are motivated to empower others to achieve technology independence. Learn more at www.archetypesc.com.

Jay Snyder

Jay is the technology practice leader with FMI. Jay has been in the engineering and construction industry throughout his entire career. He has industry experience as a construction project executive; corporate director of planning, design and construction for a health care system; founder and managing partner of a risk management tech startup company; and as a valued business consultant. He can be reached via email at [email protected].


FMI is a leading consulting and investment banking firm dedicated exclusively to the Built Environment.

We serve the industry as a trusted advisor. More than six decades of context, connections and insights lead to transformational outcomes for our clients and the industry.
