Cyber Security and Cyber Threats in the Construction Industry

You Are Not Immune!

By Bud LaRosa, CFO

When it comes to cyber threats in the construction industry there are two types of companies: those who have been hacked and those who could be. Cyberattacks from hackers is a growth industry and construction is not immune. Many contractors think that because they are small they will not be a cyberattack victim. This thinking is short sighted. Small businesses are actually appealing to hackers! Small businesses typically have a moderate amount of data with minimal security, setting them up to be a hacker’s ideal prey. Sixty percent of small business that are hacked go out of business within the following six months. So it goes without saying, the danger is real.

But, large contractors are also not immune to the threat. In fact, the data breach that hit Target stores in 2013 stemmed from an Advanced Persistent Threat (APT) attack on their mechanical contractor. In short, hackers gained access to Target via an employee of the mechanical contractor who had access to Target’s electronic billing system. Between Target and the associated financial institutions, I have seen estimated damages of up to $400 million for this breach alone. Turner, AECOM and Whiting-Turner are just a few other larger contractors who have been victims of hackers and the negative publicity that goes with it.

How Do Attacks Occur?

Cyber threats facing contractors are typically exposures associated with computers, electronics or communication systems that fall into one of these three categories:

1. Data Breaches
   • An intentional or unintentional release of secure or private/confidential information to an untrusted environment.
2. Malfunction of, or injury to, computers
   • Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
3. Failure of electronic or communication system
   • Any circumstance, event or sequence of events that causes a system or systems to stop working.

The most common causes of data breaches for contractors are lost laptop or other mobile devices, hacked systems, malicious insider or code form an external source, loss or improper disposal of paper records and failure of electronic backup(s).

How to Protect Against Cyber Predators

Best practices for contractors in regards to mitigating potential damages from a cyber event include:

• Maintain a risk transfer instrument (insurance policies). Social Engineering coverage can usually be found on an Errors & Omissions (E&O) policy while standalone Cyber Liability policies are available for other risks.  Be forewarned though – cyber liability policies are manuscript (meaning they are not standardized from one carrier to the next) and can have a wide variation in coverage and cost. Coverages you want to look for include Third Party such as Privacy/Network Liability, Regulatory Liability, Media Liability and Technology E&O as well as First Party such as Theft/Fraud, Crisis Management, Business Interruption, Data Restoration, Notification Costs and Cyber Extortion.

Strategies for buying Cyber Liability coverage include making sure you have adequate limits/sub limits, retroactive coverage, vendors’ errors and omissions, making sure Personal Identification Information (PII) is  broadly defined, liability associated with handling data of others, loss of data not just theft or unauthorized access, crisis management coverage,  align cyber insurance with contractual indemnity, scrutinize prior consent provisions (i.e. Crisis Management) and strategize additional insured coverage with vendors.

• Constantly update firewall, anti-viral software and software patches.
• Adhere to a proper background screening for both new hires AND vendors (remember that Target’s breach was from their mechanical contractor).
• Engage a reputational risk advisor and outside council specializing in cyber security/litigation now to be prepared for what could happen later.
• Provide periodic training to your employees.
• Develop an incident response plan.
• Implement and enforce the use of a Written Information Security Program (WISP). The attorney general stated early in 2017 that Massachusetts will be moving from education to enforcement of this protocol. This means that any and all employers with personal identifying information of an employee are required to have a WISP.  http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf
• Hold an internal meeting with a cross-section of employees to identify vulnerabilities in order to:
  • Assess the risks to your entity
  • Identify the systems data and hardware that require protection
  • Define the key players who are responsible for maintaining security and leading the response plan when an attack occurs
  • Communicate the plan to executives and management AND get them to champion the initiative
  • Monitor and report on the plan’s effectiveness

Why Are Construction Companies and Contractors Easy Cyber Prey?

Construction companies collect a lot of data that could be of interest to hackers. Many companies have access to its client’s intellectual property and certainly have access to architectural drawings and specifications. Contractors also have access to a wealth of current and past employee data including social security numbers and banking data. Like the aforementioned Target breach, contractors may also provide hackers access to client software and data systems.

When people think of cyber security they generally focus on technology, but it is much more than that. According to the International Telecommunication Union (ITU), “cybersecurity is the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and user’s assets. Organization and user’s assets include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment.”

The onus is on you to see that your company is protected. There are many threats and the landscape is continually changing. It is impractical to think anyone can avoid all risks at any time­as evidenced by the breaches you see in the news on a weekly basis.  You can, however, make your company less desirable to hackers. At the start of this blog I identified the two types of contractors. With that as the back drop, think of cyber security like the joke about two men and a tiger. Two men are walking through a forest. Suddenly, they see a tiger in the distance, running towards them. They turn and start running away. But then one of them stops, takes some running shoes from his bag, and starts putting them on.

“What are you doing?” says the other man. “Do you think you will run fast than the tiger with those?”

“I don’t have to run faster than the tiger,” he says. “I just have to run faster than you.”

If you are diligent with cyber security, most hackers will move on to easier prey.