Article by Daimon Geopfert (Principal) and Denise Bendele (Partner), RSM US
On a daily basis, we are learning the hard and expensive lesson that the free exchange of commercial, governmental and personal data is a gold mine for internet hackers. When even the U.S. Department of Defense has been compromised by hackers, it’s pretty clear that American businesses must take aggressive steps to protect themselves.
That includes construction companies, which can be particularly vulnerable. It’s worth remembering that Target, which was the victim of a cyberattack in 2013 that compromised more than 110 million records and cost millions to resolve, was hacked by a heating, ventilation and air-conditioning contractor.
Because most contracting companies are small and lack the resources to protect themselves, they are often targeted. According to the NetDiligence 2016 Cyber Claims Study, the majority (87 percent) of reported breaches occurred in organizations with revenues of less than $2 billion. Small businesses are often more affected because they are typically slower to react, have less formal controls and don’t have formal security personnel.
As construction companies increasingly adopt digital technology, the threat of a cyber invasion grows. With the amount of work now being completed online and on computers or tablets -- including building information modeling, invoices, building automation services and everyday correspondence about projects -- construction companies are open to innumerable cybersecurity threats and liability.
Targets and their risks
The steady rise in the value of data over the past 10 years has made hacking an increasingly popular and profitable enterprise. It’s the data, not the size of a target, that holds the value for the hacker. While contractors usually do not have the volumes of consumer data found in financial or health-care companies, construction companies large and small may be vulnerable to breaches by criminals in a number of ways:
- Bank account information. Online bank accounts are especially attractive to hackers. If the proper controls are not in place, hackers can simply set themselves up in the system as a vendor and create payments to themselves or install a virus on the system used to manage the account, enabling them to transfer funds out.
- Payroll, cost accounting and other systems. These programs may include valuable information for hackers, such as Social Security numbers and other human resources-related information.
- Competitive intelligence. Intellectual property, proprietary designs, financial reports, pricing and customer data could all be targets for hackers or other companies who are seeking a competitive advantage.
And it’s not always the contractor’s data a hacker may be after. As the Target breach shows, a contractor could be targeted simply because an attacker believes the contractor’s access to another company can be used as a stepping stone. While the contractor might not be directly damaged, it could incur serious liability if damage is done to another organization because of the contractor’s weaknesses.
Points of entry for hackers
For unprotected construction companies, there are numerous entry points for hackers. In an effort to make operations lean and more cost effective, many contractors are utilizing cloud-based programs, such as Gmail or Google Drive, which can open the door for hackers.
Whether it is mobile apps installed on job site tablets, the use of wearable devices, or simply reading email on personal smartphones, every employee who accesses data through the cloud remains at risk.
Currently, the majority of breaches involve some sort of social engineering, in which a hacker uses human interaction to obtain or compromise information in a company’s systems. This could mean an employee opens a poisoned document attached to an email, or follows a link that downloads malware or leads to a fake web page with a log-on form asking for credentials. Phishing by means of fake email can plant malware on a computer system and give cyber thieves access to proprietary information. Making matters worse is the threat of ransomware. Ransomware can evade security software, allowing attackers to extract ransom payments from small businesses, which suddenly find themselves unable to access their own financial data and customer records until the ransom is paid.
Implementing a program
For contractors, there is much that needs to be done to enhance protection from hackers.
- Take inventory of your network systems, hardware, software and data, identify connection points and map out the flow of data.
- Conduct a risk assessment to pinpoint areas of vulnerability, including any bring-your-own device (BYOD) policies and any third parties (such as vendors or service providers) with access to your network.
- Implement internal controls and protections, such as strong passwords and other authentication procedures, encryption, firewalls, limited physical access to hardware, and segregation of duties.
- Develop an incident response plan that establishes communication protocols and details the roles and responsibilities of management, employees and outside consultants in the event of a breach. It is important that the plan addresses more than just technical issues: for example, which forensics provider to engage, what the company’s insurance policies cover, and how the company would pay a ransomware demand.
- Provide training to everyone who has access to the company’s information systems, handles sensitive information or plays a role in the company’s incident response plan.
Once you’ve implemented your plan, you’re not finished. You must constantly monitor your information systems for unusual activity using anti-virus and anti-malware software, intrusion prevention systems and other measures to ensure that breaches are detected as quickly as possible.
The level of cybersecurity a contractor needs depends on the company’s particular risk profile. An IT consultant can help by examining the company’s information systems and identifying any potential security gaps.
Although there are many security issues contractors should address, we have identified several areas that commonly have vulnerabilities:
- Password management: Generic, blank or default passwords are the most common mistake contractors can make. Web applications and remote desktop make it easy to access company systems in the field, but with easy or default passwords, it only takes a couple of minutes for a hacker to compromise the network. Companies need to ensure administrator accounts have complex passwords and utilize a two-factor authentication system.
- Servers: Some companies run services on servers with administrative rights. If the service is compromised, the attackers would have administrative rights in the system. It is important to ensure that high-risk systems that store sensitive data, such as invoices, employee health benefits, etc., are segmented into a different part of the environment than what employees utilize in the field. Most importantly, all systems should be up to date and fully patched.
- Security monitoring: Contractors often rely on an off-the-shelf anti-virus program to protect their systems. However, a managed service that actively looks for hacker or malware activity provides much greater protection.
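The password-management and security-monitoring points above meet in one very common pattern: password guessing against remote desktop or a web application that is only noticed after the attacker has logged in. The script below is an added example written for this article, not code from the authors or from RSM US, showing the kind of detection rule a managed monitoring service would run over authentication logs. The log format, the log lines, the IP addresses and the user names are all constructed for the example; the rule itself (a burst of failed logons from one source inside a short window, escalated to critical when a successful logon from the same source follows) is the point.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified authentication-log format invented
# for this example (not real data and not any product's log format):
#   <timestamp> <service> <FAILED|SUCCESS> user=<name> src=<ip>
SAMPLE_LOG = """\
2017-03-06T08:00:01 rdp FAILED user=administrator src=203.0.113.7
2017-03-06T08:00:03 rdp FAILED user=administrator src=203.0.113.7
2017-03-06T08:00:04 rdp FAILED user=admin src=203.0.113.7
2017-03-06T08:00:06 rdp FAILED user=administrator src=203.0.113.7
2017-03-06T08:00:07 rdp FAILED user=administrator src=203.0.113.7
2017-03-06T08:00:09 rdp SUCCESS user=administrator src=203.0.113.7
2017-03-06T08:15:00 rdp FAILED user=jsmith src=198.51.100.22
2017-03-06T08:15:20 rdp SUCCESS user=jsmith src=198.51.100.22
2017-03-06T09:00:00 webapp FAILED user=estimator src=192.0.2.10
2017-03-06T09:30:00 webapp FAILED user=estimator src=192.0.2.10
2017-03-06T10:00:00 webapp FAILED user=estimator src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<outcome>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (service, source) that produced at least `threshold`
    failed logons inside a sliding `window`. The alert is 'warning' while the
    failures continue and becomes 'critical' if a successful logon from the same
    source follows while the burst is still inside the window."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    failures = defaultdict(list)    # (service, src) -> timestamps of recent failures
    tried_users = defaultdict(set)  # (service, src) -> user names seen in failures
    alerts = {}

    for e in events:
        key = (e["service"], e["src"])
        # Keep only the failures that fall inside the window ending at this event.
        failures[key] = [t for t in failures[key] if e["ts"] - t <= window]

        if e["outcome"] == "FAILED":
            failures[key].append(e["ts"])
            tried_users[key].add(e["user"])
            if len(failures[key]) >= threshold:
                alert = alerts.setdefault(key, {
                    "service": e["service"], "src": e["src"],
                    "severity": "warning", "failures": 0,
                    "users": [], "compromised_user": None,
                })
                alert["failures"] = max(alert["failures"], len(failures[key]))
                alert["users"] = sorted(tried_users[key])
        elif len(failures[key]) >= threshold:
            # A success right after a burst of failures: the guess worked.
            # The alert exists because the threshold was crossed on a FAILED event.
            alerts[key]["severity"] = "critical"
            alerts[key]["compromised_user"] = e["user"]

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the rule flags the burst against the `rdp` service from `203.0.113.7` and escalates it to critical because the `administrator` logon succeeds two seconds after the fifth failure; a single typo from `198.51.100.22` is ignored. Note what the windowed rule does not catch: the three `webapp` failures from `192.0.2.10` spread over an hour never exceed the threshold inside a five-minute window. That slow, patient pattern is exactly why the article favours a managed service that correlates over longer periods rather than a single threshold, and why complex passwords and two-factor authentication on administrator accounts matter even when monitoring is in place.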
Among the tools contractors can use to protect against cyberattacks is cyber liability insurance. However, because general insurance often doesn’t include this specialty, a contractor may find it necessary to visit with an industry broker or consultant.
When meeting with such a broker, a contractor needs to first determine what costs and types of incidents should be covered. The broker then can place the contractor with the right insurance company. Policies will differ from contractor to contractor, but most plans address data breaches, intellectual property rights infringement, extortion liability and network security. Many also include media liability, which covers some damages incurred by employees who are using social media for business activities.
Because most contracting companies have limited funds to spend on cyber protection, it is important that owners initially focus on those systems that are most important to overall operations and those that are most susceptible to hacking.
For best protection, all small businesses need to make workers in the office and in the field constantly aware of the potential for hacking. Policies need to be enacted to protect data, such as the requirement that computer records are backed up regularly. Project managers should establish what online connections will be allowed by both the project owner and contractors during a project’s tenure.
Today, America’s online marketplace is vulnerable because protections do not match the arsenal that hackers have at their disposal. Contractors should waste no time in adopting all the online protections that are affordable. An aggressive conversation should be underway between company owners and IT professionals, insurance representatives, accountants and bonding agents. Unfortunately, a cyberattack is not a matter of if, but when.