Buyer's Guide · 7 min read

Data Security Considerations for Construction Software

Construction software handles sensitive employee, project, and financial data. This guide covers what security considerations subcontractors should evaluate when selecting and using construction software.

Appello Team
Product & Engineering

Executive Summary#

Construction software handles sensitive information: employee personal data, payroll information, project details, financial records, and customer information. Data breaches can result in financial loss, regulatory penalties, and reputational damage. When selecting and using construction software, subcontractors should understand data security considerations and evaluate vendor security practices. This guide covers what to consider and what questions to ask.

The Context for ICI Subcontractors#

Small and mid-sized businesses are frequent targets of cyberattacks. Industry breach studies consistently find that a large share of attacks land on small businesses, which typically have fewer security staff and tools than larger enterprises and are therefore easier to compromise.

Construction companies may assume they are not attractive targets, but the data they hold is valuable:

  • Employee Social Security numbers (Social Insurance Numbers in Canada) and other personal information
  • Bank account details used for direct deposit and for paying vendors
  • Financial records and online banking credentials
  • Bid, pricing and project information that may be commercially sensitive
  • Customer data and contact information

Data breaches create costs: notification requirements, credit monitoring for affected individuals, potential regulatory fines, legal exposure, and lost business from damaged reputation.

Types of Data at Risk#

Employee Personal Information#

Data collected from employees:

  • Social Security numbers
  • Dates of birth
  • Home addresses
  • Bank account numbers (for payroll)
  • Tax information
  • Emergency contact information

If compromised, this data enables identity theft and payroll diversion, where an attacker uses a stolen login to change an employee's direct deposit details.

Payroll and Financial Data#

Financial information handled by construction software:

  • Wage and salary information
  • Tax withholdings
  • Bank account details
  • Financial reports
  • Customer payment information

Financial data has obvious value to attackers.

Project Information#

Project-related data that may be sensitive:

  • Customer information and contacts
  • Project locations and details
  • Pricing and bid information
  • Contract terms
  • Change order documentation

Some customers, particularly in government or security-sensitive industries, may have specific data protection requirements.

Business Operations Data#

Information about how the business operates:

  • Vendor relationships and pricing
  • Cost structures
  • Business plans
  • Employee performance information

Competitors would value some of this information.

Security Evaluation Criteria#

Data Encryption#

Encryption protects data from unauthorized access, but each form covers a specific threat, so ask what it does and does not protect against:

In transit: Data is encrypted while moving between devices and servers (HTTPS, meaning TLS 1.2 or newer, with no plain-HTTP fallback). This stops eavesdropping on public or job-site WiFi; it does nothing against a compromised account.

At rest: Data is encrypted when stored on servers, databases and backups. Provider-managed disk or database encryption protects against a stolen drive or a lost backup copy; it does not protect data from an attacker who logs in with a valid account, which is why access controls matter as much.

Questions to ask:

  • Is data encrypted in transit and at rest, including backups and exported reports?
  • What encryption standards and protocol versions are used?
  • How are encryption keys managed: who can access them, where are they stored, and are they rotated?

Access Controls#

Limiting who can access what data:

Authentication: How users prove their identity (passwords, multi-factor authentication). Passwords alone are routinely phished or reused from other breaches; MFA, enabled for every user and mandatory for administrators, is the single most effective control against account takeover.

Authorization: What each user is permitted to access based on role, so a field worker who needs timesheets cannot open payroll records.

Audit trails: Logging who accessed what and when, in a form you can export and that a compromised user cannot edit.

Questions to ask:

  • Does the system support multi-factor authentication, and can it be enforced for all users?
  • Can access be restricted by role, and can you define the roles?
  • Is there an audit log of data access, and can you review or export it?
  • How are administrative accounts protected, both yours and the vendor's support staff who can see customer data?
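As an added example (not Appello's code and not from the original page), the following Python shows how the two authentication factors above are checked server-side: a PBKDF2-hashed password and an RFC 6238 time-based one-time code of the kind an authenticator app generates. The user record, names and clock values are constructed for the example; the TOTP secret is the RFC 6238 test key.

```python
"""Password + TOTP login check (added example, not Appello's code)."""
import hashlib
import hmac
import os
import struct
import time

SECONDS_PER_STEP = 30        # RFC 6238 default time step
OTP_DIGITS = 6
PBKDF2_ITERATIONS = 600_000  # OWASP order of magnitude for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return (salt, derived_key); only these are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def check_password(password, salt, stored_key):
    """Constant-time comparison so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored_key)


def hotp(secret, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=OTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, unix_time // SECONDS_PER_STEP, digits)


class User:
    """Hypothetical user record: hashed password plus a per-user TOTP secret."""

    def __init__(self, name, password, totp_secret):
        self.name = name
        self.salt, self.pw_hash = hash_password(password)
        self.totp_secret = totp_secret
        self.last_otp_step = -1  # highest time step whose code was accepted


def verify_login(user, password, otp, now=None, window=1):
    """Accept only if BOTH factors pass; a used OTP step is never accepted twice."""
    now = int(time.time()) if now is None else int(now)
    password_ok = check_password(password, user.salt, user.pw_hash)

    step = now // SECONDS_PER_STEP
    matched_step = None
    # Tolerate one step of clock drift either way, but never a step at or
    # before the last accepted one: that blocks replay of a captured code.
    for candidate in range(step - window, step + window + 1):
        if candidate <= user.last_otp_step:
            continue
        if hmac.compare_digest(hotp(user.totp_secret, candidate), otp):
            matched_step = candidate

    if password_ok and matched_step is not None:
        user.last_otp_step = matched_step
        return True
    return False


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a fixed clock.
    secret = b"12345678901234567890"
    foreman = User("foreman", "correct horse battery staple", secret)
    t = 1234567890
    print(verify_login(foreman, "correct horse battery staple", totp(secret, t), now=t))  # True
    print(verify_login(foreman, "correct horse battery staple", totp(secret, t), now=t))  # False: replay
```

Both factors are always evaluated before the decision is made, so a wrong password and a wrong code fail the same way; the replay guard is what distinguishes a real TOTP check from merely computing the code.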

Infrastructure Security#

Protection of the systems that host data:

Physical security: Data center access controls.

Network security: Firewalls, intrusion detection, network segmentation.

System hardening: Secure configuration of servers and systems.

Patch management: Timely application of security updates.

Questions to ask:

  • Where is data hosted, and in which country or region?
  • What physical security exists at data centers?
  • How are systems kept updated with security patches, and how quickly are critical patches applied?
  • Are regular vulnerability assessments performed?

Backup and Recovery#

Protecting against data loss, including loss caused by ransomware:

Backup frequency: How often data is backed up, which sets how much work could be lost (the recovery point).

Backup security: Protection of backup data. Backups should be encrypted and held separately from production, with at least one copy that cannot be altered or deleted using production credentials, because ransomware operators deliberately destroy reachable backups before encrypting live systems.

Recovery capability: Ability to restore from backup, and how long a full restore takes (the recovery time).

Disaster recovery: Plans for major incidents such as the loss of a data center or region.

Questions to ask:

  • How frequently is data backed up, and how long are backups retained?
  • Where are backups stored, and are they isolated from production credentials?
  • How quickly can data be restored?
  • Have recovery procedures been tested with an actual restore, and when?
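The last question is easiest to answer with a drill that actually restores. As an added example (not Appello's code and not from the original page), this Python writes a backup together with a keyed HMAC-SHA256 manifest, refuses to restore if the file was altered or the key is wrong, and times the restore. The payroll-style records, file names and key handling are constructed for the example; encrypting the backup file itself is assumed to be done by the storage layer, so the example covers integrity and restorability only.

```python
"""Backup integrity check and restore drill (added example, not Appello's code)."""
import hashlib
import hmac
import json
import os
import tempfile
import time


class BackupIntegrityError(Exception):
    """Raised when a backup's contents do not match its signed manifest."""


def create_backup(records, key, path):
    """Serialise records deterministically; write payload plus a signed manifest."""
    payload = json.dumps(records, sort_keys=True).encode()
    manifest = {
        "created_unix": int(time.time()),
        "record_count": len(records),
        "sha256": hashlib.sha256(payload).hexdigest(),
        # The HMAC key must live where someone who can edit the backup cannot reach it.
        "hmac_sha256": hmac.new(key, payload, hashlib.sha256).hexdigest(),
    }
    with open(path, "wb") as f:
        f.write(payload)
    with open(path + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return manifest


def restore_backup(path, key):
    """Return the records only if the payload still matches its signed manifest."""
    with open(path, "rb") as f:
        payload = f.read()
    with open(path + ".manifest.json") as f:
        manifest = json.load(f)
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        raise BackupIntegrityError("HMAC mismatch: backup altered or wrong key")
    records = json.loads(payload)
    if len(records) != manifest["record_count"]:
        raise BackupIntegrityError("record count differs from manifest")
    return records


def recovery_drill(records, key, directory):
    """Back up, restore into a fresh object, and report whether the round trip is exact."""
    path = os.path.join(directory, "payroll.json")
    create_backup(records, key, path)
    start = time.perf_counter()
    restored = restore_backup(path, key)
    return {
        "restore_seconds": time.perf_counter() - start,
        "exact_match": restored == records,
        "record_count": len(restored),
    }


def tamper_detected(records, key, directory):
    """Flip one bit near the end of the backup and confirm restore refuses it."""
    path = os.path.join(directory, "tampered.json")
    create_backup(records, key, path)
    with open(path, "r+b") as f:
        f.seek(-2, os.SEEK_END)
        byte = f.read(1)
        f.seek(-1, os.SEEK_CUR)
        f.write(bytes([byte[0] ^ 0x01]))
    try:
        restore_backup(path, key)
    except BackupIntegrityError:
        return True
    return False


# Constructed sample data: payroll-style records for fictional employees.
SAMPLE_RECORDS = {
    "emp-001": {"name": "A. Mason", "rate": 42.5, "deposit_acct": "****1234"},
    "emp-002": {"name": "B. Lopez", "rate": 39.0, "deposit_acct": "****5678"},
}


def run_demo():
    """Run the drill, the tamper check and a wrong-key restore in a temp directory."""
    key = os.urandom(32)  # in practice a secret from a key store, rotated on schedule
    with tempfile.TemporaryDirectory() as d:
        results = {
            "drill": recovery_drill(SAMPLE_RECORDS, key, d),
            "tamper_detected": tamper_detected(SAMPLE_RECORDS, key, d),
        }
        try:
            restore_backup(os.path.join(d, "payroll.json"), os.urandom(32))
            results["wrong_key_rejected"] = False
        except BackupIntegrityError:
            results["wrong_key_rejected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The restore time is the number to compare against the recovery time the vendor promised; the tamper and wrong-key checks are the reason the manifest is keyed rather than a bare checksum, which anyone able to edit the backup could recompute.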

Security Certifications#

Third-party validation of security practices:

SOC 2: A Service Organization Control attestation report, issued by an independent auditor, covering security and optionally availability, processing integrity, confidentiality, and privacy. A Type I report describes controls at a point in time; a Type II report tests whether they actually operated over a period (typically 6 to 12 months) and is the more meaningful of the two. SOC 2 is an audit report, not a certification.

ISO 27001: International standard for information security management systems; vendors are certified against it by an accredited certification body.

Other certifications: Industry-specific certifications may apply.

Questions to ask:

  • Does the vendor have a SOC 2 Type II report or ISO 27001 certification?
  • Can you review the audit report (usually shared under NDA), including any exceptions the auditor noted?
  • When was the last audit, and what period did it cover?

Vendor Security Assessment#

Questions to Ask Vendors#

When evaluating construction software, ask about security:

Data handling:

  • Where is our data stored?
  • Who has access to our data?
  • How is data segregated from other customers?
  • What happens to our data if we cancel?

Security practices:

  • What security certifications do you hold?
  • How do you handle security incidents?
  • What is your vulnerability management process?
  • Do you perform penetration testing?

Compliance:

  • How do you comply with privacy regulations?
  • What data protection commitments are in your contract?
  • How do you notify customers of breaches?

Red Flags#

Warning signs about vendor security:

  • Unable or unwilling to discuss security practices
  • No security certifications or audits, or unwillingness to share the report
  • Hosting the vendor cannot describe (no named data center or cloud provider, no stated region)
  • No multi-factor authentication option
  • Unclear data ownership terms
  • No incident response process or breach notification commitment

Due Diligence#

For sensitive applications, consider:

  • Reviewing vendor security documentation
  • Requesting SOC 2 or similar reports
  • Understanding contractual security commitments
  • Checking references about security practices

Internal Security Practices#

Access Management#

Protect access to your systems:

Strong passwords: Require long, unique passwords rather than short "complex" ones, and provide a password manager so staff are not tempted to reuse them across sites.

Multi-factor authentication: Enable MFA where available; make it mandatory for email, banking, payroll and administrator accounts.

Least privilege: Give users only the access their role needs, and review permissions periodically rather than only at hire.

Offboarding: Remove access promptly when employees leave, including shared logins, mobile devices and vendor portals, and rotate any password the departing employee knew.
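As an added example (not Appello's code and not from the original page), the following Python ties together the Access Controls criteria from the evaluation section (authorization by role, an audit trail of who accessed what and when) with the least-privilege and offboarding practices above. The roles, permission names, users and resources are hypothetical.

```python
"""Role-based access with an audit trail and offboarding (added example, not Appello's code)."""
from datetime import datetime, timezone

# Least privilege: each role gets only the permissions its job needs.
ROLE_PERMISSIONS = {
    "admin": {"users:manage", "employees:read", "employees:write",
              "payroll:read", "payroll:write", "projects:read", "projects:write"},
    "payroll_clerk": {"employees:read", "payroll:read", "payroll:write"},
    "project_manager": {"employees:read", "projects:read", "projects:write"},
    "field_worker": {"projects:read"},
}


class AccessControl:
    def __init__(self, clock=None):
        self.users = {}   # username -> {"role": str, "active": bool}
        self.audit = []   # append-only list of access decisions
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, actor, action, resource, allowed, reason):
        self.audit.append({
            "time": self.clock().isoformat(),
            "actor": actor, "action": action, "resource": resource,
            "allowed": allowed, "reason": reason,
        })

    def authorize(self, username, permission, resource):
        """Decide and record every access attempt, allowed or denied."""
        user = self.users.get(username)
        if user is None or not user["active"]:
            self._log(username, permission, resource, False, "no active account")
            return False
        allowed = permission in ROLE_PERMISSIONS[user["role"]]
        reason = "role grants permission" if allowed else f"role {user['role']} lacks permission"
        self._log(username, permission, resource, allowed, reason)
        return allowed

    def add_user(self, actor, username, role):
        if not self.authorize(actor, "users:manage", "users"):
            return False
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[username] = {"role": role, "active": True}
        self._log(actor, "users:create", username, True, f"role={role}")
        return True

    def offboard(self, actor, username):
        """Deactivate rather than delete, so old audit entries still name a real account."""
        if not self.authorize(actor, "users:manage", "users"):
            return False
        self.users[username]["active"] = False
        self._log(actor, "users:deactivate", username, True, "offboarded")
        return True

    def denied_attempts(self, actor=None):
        """The audit question to ask regularly: who tried to reach data outside their role?"""
        return [e for e in self.audit
                if not e["allowed"] and (actor is None or e["actor"] == actor)]


def demo():
    """Constructed scenario: bootstrap an admin, add staff, test access, offboard one."""
    ac = AccessControl()
    ac.users["it_admin"] = {"role": "admin", "active": True}  # bootstrap account
    ac.add_user("it_admin", "dana", "payroll_clerk")
    ac.add_user("it_admin", "sam", "field_worker")
    results = {
        "clerk_reads_payroll": ac.authorize("dana", "payroll:read", "payroll/2024-06"),
        "worker_reads_payroll": ac.authorize("sam", "payroll:read", "payroll/2024-06"),
        "worker_reads_project": ac.authorize("sam", "projects:read", "projects/site-42"),
    }
    ac.offboard("it_admin", "dana")
    results["clerk_after_offboarding"] = ac.authorize("dana", "payroll:read", "payroll/2024-06")
    results["denied_count"] = len(ac.denied_attempts())
    return results, ac


if __name__ == "__main__":
    outcome, control = demo()
    print(outcome)
    for entry in control.denied_attempts():
        print(entry)
```

Every decision, including denials and the administrative actions themselves, lands in the same append-only log, which is what makes the "is there an audit log of data access?" question answerable after the fact; in a real deployment that log would be shipped to storage the application's own accounts cannot modify.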

Employee Training#

Train employees on security:

Phishing awareness: Recognizing suspicious emails and links.

Password practices: Not sharing or reusing passwords.

Data handling: Appropriate handling of sensitive information.

Incident reporting: What to do if something suspicious occurs.

Device Security#

Protect devices that access business data:

Mobile devices: Passcodes, encryption, remote wipe capability, and a way to revoke a lost or stolen device's access to business applications.

Computers: Automatic operating system and browser updates, full-disk encryption, and endpoint protection (antivirus or EDR).

Physical security: Protecting devices from theft.

Network Security#

Protect network access:

Secure WiFi: WPA2 or WPA3 with a strong passphrase; keep guest and job-site devices on a separate network from office systems.

Network segmentation: Separating sensitive systems (accounting, payroll) from general-purpose and guest networks.

VPN: Secure access for remote workers, protected with MFA, rather than exposing office systems directly to the internet.

Privacy Regulations#

Regulatory Landscape#

Privacy regulations may apply:

State laws: California (CCPA), other states have privacy laws.

Canadian laws: PIPEDA and provincial privacy legislation.

Industry requirements: Some industries have specific requirements.

Compliance Implications#

Understand what regulations require:

  • Data collection limitations
  • Notice and consent requirements
  • Data access rights
  • Breach notification obligations
  • Data retention and deletion

Software vendors and data handling practices must support compliance.

Incident Response#

Preparation#

Prepare for potential incidents:

Incident response plan: Who does what if a breach occurs.

Contact information: Vendor contacts, legal counsel, IT support.

Documentation: What records to preserve.

Response Steps#

If an incident occurs:

  • Contain the incident (disable compromised accounts, isolate affected devices) without destroying evidence
  • Preserve logs and affected systems, then assess scope and impact
  • Notify appropriate parties (potentially including regulatory agencies, your bank and any cyber insurer, each with its own deadlines)
  • Document actions taken, with timestamps
  • Remediate vulnerabilities and rotate any credentials that may have been exposed
  • Learn from the incident and update the plan

Vendor Incidents#

If a vendor experiences a breach affecting your data:

  • Understand vendor notification obligations
  • Assess impact to your business
  • Notify affected individuals if required
  • Document response actions

How Appello Approaches Data Security#

Appello takes data security seriously. The platform uses encryption for data in transit and at rest, supports access controls that limit data access by role, and is hosted on secure cloud infrastructure. Regular security assessments help identify and address vulnerabilities.

Prospective customers are welcome to discuss Appello's security practices during evaluation.

Conclusion#

Data security should be a consideration when selecting and using construction software. The sensitive data handled by these systems—employee information, financial records, project details—requires protection.

Evaluate vendor security practices, ask appropriate questions, and implement internal practices that protect access to systems and data. The investment in security reduces risks that could be far more costly than prevention efforts.

