Why Do GC’s Gamble with Construction Jobsite Security?
Every company large and small now lives on digital data. That includes AEC firms. And before ground is broken at jobsites, most projects are now highly digital as they create and model plans. So construction jobsite security management is an important part of the built environment, using the same tools and methods common in other industries.
My career includes cyber security experience at big companies like Visa and Fidelity as well as startups. Now I’m working with construction firms that are frequent targets of cyber attacks. And that’s on top of the extensive theft, vandalism and criminality found on construction jobsites. Some recent examples:
https://www.wcctv.com/construction-site-theft-statistics-and-how-to-avoid-becoming-one/
https://www.constructiondive.com/news/builders-mutual-data-breach-cyberattack/695634/
Cyber security has developed inclusive models that can apply to any firm, including AEC firms. So why isn’t construction jobsite security management more like cyber security management?
jobsite entry controls
Cyber Security Basics
The basic tenets of information security are confidentiality, integrity and availability (“CIA”). Every element of an information security program implements one or more of these principles. Together they are called the CIA Triad:
- Confidentiality: The mechanisms to control access to data—whether intentional or accidental. Maintaining confidentiality ensures people without proper authorization can’t access important assets. Effective confidentiality also ensures that those who need to have access have the necessary privileges.
- Integrity: The mechanisms to keep data protected from change and therefore reliable and trustworthy.
- Availability: The mechanisms to make sure data is available to authorized users when it is needed.
Within CIA, the “Three A’s” framework controls access to computer networks and resources, enforces policies, and audits usage:
- Authentication: Who has access to the information resource and how was access to the digital resource granted? (Could be a network, database, anything digital)
- Authorization: Who granted access permission to the information resource and said what policies applied?
- Accounting: The log of every security transaction needs to be accurately recorded and protected from changes.
Once these high level concepts are applied, Infosec expands to include almost all aspects of digital work and life. Refer to the Appendix below for an example. Every aspect of life today incorporates some of content of this table!
Construction Jobsite Security Management Basics
Security checklists describe both risks to assets and personnel on a site, and the processes that mitigate those risks. Security and safety can be hard to separate.
A good summary of jobsite security basics can be found at this link. And here’s another; most checklists will be very similar.
Customizing security and safety plans for a project is determined by the details of the project’s built environment (the totality of business, design, technology and environmental factors of a project.
Comparing Construction Jobsite Security Management to Cyber Security
Convert the word “data” in the CIA triad to “built environment” and you have a good starting point for comparing data security to jobsite security:
- Confidentiality: The mechanisms to control access to the built environment. Maintaining confidentiality ensures people without proper authorization can’t access important assets within the built environment and have the necessary privileges.
- Integrity: The mechanisms to keep the built environment protected from unauthorized change and therefore reliable and trustworthy.
- Availability: The mechanisms to make sure the built environment is available to authorized users.
“Three A’s” framework maps nicely as well:
- Authentication: Who has access to the built environment and how was access granted?
- Authorization: Who granted access permission and determined what policies applied?
- Accounting: The log of every security transaction needs to be accurately recorded and protected from changes.
To control access in the AEC industry, company networks have a firewall connected to a directory identifying those allowed inside. If you are going to be trusted inside the network, you must first be onboarded and your identity confirmed. Otherwise, you’re assumed to be a member of the public. Firewall policies determine what you can do if you are allowed inside. Monitoring software watches what is happening in the network to look for unexpected behavior.
Every entry and exit and every change to the firewall rules is logged. Otherwise, if a breach occurs, you would have no evidence to determine what went wrong to determine who or what is at fault and plan for future prevention.
Construction Jobsite Security Management to Infosec Roles and Responsibilities
Design, estimating and Preconstruction in general will make certain assumptions about safety and security plans. Once the jobsite team is in place, final safety and security plans and methods are finalized and responsibilities distributed among superintendent, field engineer, and safety manager.
A superintendent or field engineer at a jobsite gate checks the names of workers, subcontractors and vendors. The gate is like a firewall, and the access control list is created when workers and subcontractors are onboarded to a project. The superintendent monitors activity. The jobsite’s daily log records all onboarding, entry and exit events.
Among a field management team,the site superintendent is responsible for security risks via construction jobsite security management: Access control, asset damage, theft and crime prevention. The site safety manager is responsible for the health and well-being of workers and their proper training and preparation for dangerous work. The project manager is concerned with whether workers and materials are showing up as expected and milestones completed. Back at HQ, risk and compliance managers will have to deal with any accidents, incidents or security breaches.
So the entire jobsite management team relies on daily log data. The following table performs the comparison in more detail and demonstrates how the field relies on HQ departments:
Table: Cyber Security Categories vs Construction Jobsite Security Management
| Info Security Category | Jobsite Security Category | Jobsite Security Responsibility |
| Application & Interface Security | Tool and equipment security & safety | Superintendent and Safety Manager |
| Audit Assurance & Compliance | Safety and regulatory inspections | Field Ops and Risk/Compliance Manager |
| Business Continuity Management & Operational Resilience | Bonding and insurance | Risk/Compliance Manager |
| Change Control & Configuration Management | Project Management | Project Manager |
| Data Security & Information Lifecycle Management | IT | IT Manager |
| Datacenter Security | IT | IT Manager |
| Encryption & Key Management (passwords) | IT | IT Manager |
| Governance and Risk Management | Project Management | Preconstruction and Field Ops Management |
| Human Resources | Induction, Onboarding, Training | HR Manager |
| Identity & Access Management | Daily log books | Superintendent |
| Infrastructure & Virtualization Security | Project material and physical asset security & safety | Superintendent and Safety Manager |
| Interoperability & Portability | BIM, VDC | Project Manager |
| Mobile Security | Mobile physical (civil) jobsite management | Superintendent and Safety Manager |
| Security Incident Management, E-Discovery, & Cloud Forensics | Safety management | Risk/Compliance and Safety Manager |
| Supply Chain Management, Transparency, and Accountability | Subcontractor and vendor management | Project Manager |
| Threat and Vulnerability Management | Physical jobsite management | Superintendent |
Summary –
Why are security risks tolerated that would never ever be tolerated in the digital world?
I believe the short answer is: All construction jobsite security management (not to mention safety) reduces immediate productivity. It’s a fact of life. And the difference between safety and security management is often blurred. The responsibilities often distributed randomly among jobsite superintendents, safety and project managers. And most construction sites are visited by employees of many firms: GCs, subs, vendors, visitors, owners, inspectors, etc.
So in a tight margin industry like construction, where jobsites only exist for a limited time, if the cost of security puts margin at risk, then most GC’s will gamble and hope for the best.
Infosec management processes apply to both security and safety. But most construction companies don’t have such a comprehensive model for jobsites within the built environment. My guess it’s because of the enduring office/field divide I’ve written about in the past.
Gambling with risk will continue until jobsite security is automated to a much greater degree and priced for any size construction projects. Safe Site Check In was founded to increase automation and lower security/safety costs. Construction tech (“contech”) requires ease of use, a solid tech stack and affordability. Adoption of solutions like ours needs to speed up.
David Brian Ward is a CEO and Founder of Safe Site Check In LLC, a digital jobsite management platform launched in 2020 for the Construction industry. With over 40 years of experience in the technology industry, having launched and grown several successful companies. Mr. Ward is a now a SaaS entrepreneur and innovation leader in the Construction industry.