Editor's note: Phil Casto is senior vice president for risk services at Chicago-based insurance firm HUB International, and has extensive experience in the construction, manufacturing and petrochemical industries.
Years ago, a thief had to physically sneak onto a construction site in order to steal something valuable, like copper pipes or a jackhammer. Today, all that thief needs to do serious damage is an internet connection and a smartphone.
As the world has digitized and automated, it has become more and more important to protect your data. Construction businesses that adopt technology solutions — from drones, with their real-time monitoring and data collection, to automated onsite and back-room processes and digital tools for managing resources — also leave the door open to cyber risk.
In many cases, the construction firm doesn’t even know there has been a breach until the damage has been done.
One of the biggest concerns is social engineering, where a cyber criminal poses as a member of the management team or an important vendor, using business email compromise tactics and causing the release of large sums of money or information that can be monetized. Often the criminal has sent a bogus invoice, which the contractor may unknowingly pay.
The worst part is, construction companies may think they don’t need to worry, either because they don’t realize how much data they have online or because they have an insurance policy that includes cyber coverage. The fact is that cyber claim costs are skyrocketing, and cyber insurance premiums are predicted to rise 30% to 40% in the next year.
Cybersecurity is a concern for every construction business, no matter how small. According to Verizon’s 2019 Data Breach Investigations Report, 43% of cyberbreach victims are small- or medium-sized businesses. Take steps to protect your data and lessen your cyber risk with these tips:
- Train your employees. Experts estimate that 88% of data breaches are caused by human error. Cybercriminals know this and exploit it to get at your company’s sensitive data. Employees with little to no background in information security easily succumb to phishing emails or unknowingly contribute to the distribution of malware. It’s critical to incorporate cybersecurity training with your annual safety training. Make sure to share specific examples, such as tips for handling confidential information, the ways cybercriminals exploit emails through phishing links, and the proper process for reporting a suspected cybersecurity incident.
- Keep software up to date. Your organization’s data is at greater risk if you’re using old software and obsolete applications. Many exploits come from vulnerabilities that may have been overlooked in a program’s outdated code. Whether your software comes from an established third-party vendor or is a custom application created by your IT team, make sure you patch vulnerabilities and update it regularly.
- Use multi-factor authentication. Multi-factor authentication (MFA) is about adding a layer of security to the login process. One well-known example is the security system used by most banks, where a user is required to sign in with a password and a system-generated code sent to their mobile phone. In other words, MFA requires the user to provide more than one credential to gain access to an application or other program. It makes it harder for criminals to gain access to sensitive data like construction invoices, contracts, and other financial and legal documents. It’s a good idea to require multiple credentials, such as a system-generated code, a PIN code or a keycard scan, for any employees working with sensitive or confidential information.
- Dispose of technological assets properly. You can’t just throw your old equipment into the dumpster. Laptops, mobile devices or tablets hold valuable company data and must be fully wiped. Even printers and copy machines record data today, so they will need the same treatment. And if you are leasing any equipment, you’ll also need to wipe it before returning it to the equipment lessor.
- Boost yourself with an annual checkup. Cybersecurity plans are as fundamental as fire safety plans. You must constantly review and practice. Since situations change over time, firms should periodically undergo audits of their cybersecurity environments to ensure they’re still covering all vulnerabilities adequately.
- Purchase a cyber insurance policy. Many construction firms, especially smaller ones, believe they don’t have any real cyber risk. In addition, they are put off by the cost of a stand-alone cyber policy and opt for an insurance policy that blends cyber with professional liability insurance. Those firms that are taking active steps to manage their cyber risk soon realize that the limited coverage offered by these policies is not enough. The good news is, managing your cyber risk will make your organization a more attractive risk to insurers, and an appropriate policy will be more than worth the cost when you have been compromised.