The dangers of a phishing attack are numerous, but ransomware attacks are becoming some of the most common. A ransomware attack is most often accomplished when an employee falls victim to a phishing email, unknowingly providing malicious software access to the company’s network. This malicious software then locks you out of your network or steals information, controlling either until a ransom is paid. Though rarely publicly divulged, these attacks have become very common and victim companies often have little recourse other than paying the ransom.

And just like other aspects of your business, your cyber risk extends beyond your organization as well. The interconnectedness of construction projects with the supply chain provides further areas for exposure to cybersecurity issues. Specifically, vendors, third parties, and fourth parties, can cause an exposure – you have limited insight into their controls and processes and are reliant on them.

With all this in mind, it is easy to see that as technology proliferates in the construction industry, the threat landscape and opportunities for attackers expand. There is no need to throw the baby out with the bathwater, however. With a little planning, the implementation of a few best practices, and some smart investing you can take full advantage of the latest technology available while also dramatically reducing your cyber risk.

Cybersecurity Best Practices

I. Internal Best Practices

Some practices that you can implement to manage and reduce cybersecurity and privacy risks include the following:

• Penetration Testing/Vulnerability Assessment -- Find the holes before the bad guys do.
• Increase Visibility -- Install a Security Information and Event Management system and/or enlist Security Operations Center services to monitor your systems.
• Protect Your Data -- Install Data Loss Prevention systems to prevent exfiltration or accidental data exposure.
• Patch, Remediate and Repeat -- Ensure that your patch management system can detect and remediate vulnerabilities for all applications, on all your systems.
• Multi-Factor Authentication -- Adds layers of security that protects against compromised credentials by providing additional information.

Give strong consideration to cybersecurity insurance. There are a host of issues that the insurance company will ask about, so before you invest in insurance, be prepared to explain your cybersecurity hygiene and protocols. Do you have network segmentation? What about end point detection and response? Do you have 24/7 network monitoring? What type of network backups do you have in place? What third party risk management controls do you have in place?

A myriad of coverage types exist, including general cyber-risk policies, but you may need other coverage and should consult with an experienced broker to ensure you are protected. Other, additional coverage extensions include but are not limited to: Voluntary Shutdown Coverage (coverage in the event the insured decides to shut down their computer network to prevent the proliferation of a computer attack); Bricking Coverage (coverage for the replacement costs associated with computer hardware rendered useless due to a computer attack); Reputational Harm Coverage (for income loss lost as a result of adverse publicity associated with a computer attack); Overlapping Coverage (select which policy is triggered first when more than one policy overlaps); and Computer Crime (including invoice manipulation).

II. Supply chain/Vendor Best Practices

As for risk outside of your organization, the panel had the following recommended steps for construction firms to take both before and after selecting a vendor:

During Selection Process

• Establish a programmatic approach
• Identify vendor criticality and risk rating
• Conduct due diligence based on risk rating
• Review remote access to the company’s network
• Evaluate data and monetary processing
• Review vendor maturity
• Evaluate contractual requirements regarding cybersecurity

Post-selection

• Conduct “tabletop” exercises (incident scenarios) that include vendors and third parties
• Implement continuous monitoring
• Ensure clear lines of communication with your vendors
• Create a vendor contingency plan

Data privacy laws extend through your supply chain, and you may be responsible. Be sure to have experienced consultants and legal advisors to assist you and ensure you are protecting your business.

III. Attack Response

If you do become a victim of a cybersecurity attack, the panel recommended the following four-step action plan:

1. Fire up your incident response plan (if you don’t have one, get one now!);
2. Use the right tool for the right job (know when to bring in third-party forensics, legal, insurance);
3. Restore to a secure site;
4. Know your rights and responsibilities (what are your reporting requirements?).

The human is the weakest link and therefore, cyber and information security training programs should be relevant and current. Give due consideration and priority to ensuring you have relevant, period, and specific role-based training. Consider email phishing tests, computer based training, and internal communications.

Final Takeaways

• Cyber risk should be part of your overall enterprise risk management and should be reviewed as a key business risk at least annually.
• Monitor and measure security and availability of systems through continuous vulnerability and risk assessments.
• Train, train, train your staff via information security training awareness and phishing campaigns.
• Work with professionals to obtain the proper cyber insurance, evaluate vendor risks, and protect your systems.