Develop a strategy that focuses on three areas: administrative policies, operational protocols and technology security
by Jay Shelton
Wednesday, April 22, 2015

As use of technology continues to increase, contractors of every size and type have greater exposure to cyberattacks and data breaches. According to the Poneman Institute’s 2013 Cost of Cyber Crime study, there was an 18 percent increase in the number of cyberattacks in 2013. A report by Symantec on internet security found that 61 percent of small and midsize businesses experienced a cyberattack in 2013. The average cost of those attacks have increased 26 percent, yet surveys indicate only 31 percent of companies have cyber insurance. Larger companies can absorb the costs of cyberattacks for a while, but small and midsize companies cannot, and it can put them out 
of business.

Construction companies don’t always face the conventional type of cyber breaches that are constantly in the headlines. The cyber risk for midsize construction companies is more about loss of critical data through data corruption or cyber ransom and loss of confidential information of customers and employees like billing and payroll files. Every company that utilizes technology and the Internet should take preventive steps to assess their exposure to cyberattacks and data loss, and then create response measures to minimize the fallout from such an attack. The loss of data, network system replacement, business downtime, defense costs, lawsuits, victim theft monitoring and reputational impact can severely impact an organization’s bottom line.

Build the Right Strategy

Strategic management of a company’s cyber risk should be a critical part of business operations. There are a few steps that organizations can take to help mitigate cyber breaches. A company should look at preventive measures by starting with an assessment of the organization’s exposure. Ask yourself, “What would happen if we lost this data or had to shut down operations?”

From the assessment, develop a mitigation strategy that focuses on three areas: administrative policies, operational protocols and appropriate technology security. Administrative policies include assessing guidelines and procedures that limit access to confidential information related to customers, employees and others within the system. In addition, vendors should have appropriate safeguards in place to protect the data that companies send them. Some key administrative policies are: acceptable use policies which outline how company employees should use information, a record retention policy that would ensure the organization doesn’t keep records for longer than necessary and a clean desk policy that requires employees to properly secure records containing confidential information.

Operational protocols should include storing paper records containing confidential information in locked file cabinets, shredding records that contain confidential information and storing servers, laptops, flash drives or other sensitive equipment in a secure area. With technical security, companies should utilize malware and firewall software in addition to encrypting laptops, flash drives and data stored on servers and make sure to update system software regularly.

Plan the Right Response

Construction companies must also look at how they would respond to a 
cyberattack and data breach. It’s key to develop an incident response plan that outlines how the organization will respond to a breach. Much like a business continuity plan, this is not only a document that outlines the response, but a process that will evolve as the business changes. There are several elements that comprise an effective response plan.

  1. There should be an incident response team in place, with the roles and responsibilities of each team member outlined. It should list both internal and external team members, their detailed contact information, specific role and notification level.
  2. Companies must establish an incident notification protocol that contains the various triggers for notifying the response team, insurance carrier, law enforcement, outside forensic investigators and crisis and media management professionals.
  3. Breach response, which details the response procedures such as timing, affected individuals and government notification, should also address issuing a press release, internal communications, what’s posted on the company website and accompany remedies such as credit monitoring and identity theft resolution.
  4. Mitigation and remediation should cover investigation outcomes to correct vulnerabilities, harden the system from further breaches and review and improve the incident response team. For small and midsize construction companies, having a preset list of vendors who specialize in many of the technical areas will be essential for executing many of the key components in the IRP.
  5. It’s important to secure the appropriate amount of insurance coverage that will create a financial back stop should a breach occur. When determining what kind or how much cyber insurance to buy, always start by asking what is needed. One of the most important issues in purchasing cyber insurance is determining the appropriate limits of liability. The costs of responding to a data breach can be substantial. Estimates vary, but a recent study approximated the average organizational cost of a data breach was $201 per electronic record.

Given the lack of standardization in cyber insurance, buying an off-the-shelf policy can be disastrous. It’s important that small and midsize construction companies partner with experienced professionals to assist in placing and negotiating tailored coverage. At the very least, cyber insurance policies should cover both third-party claims and first-party losses. Most policies will also cover the costs of defending claims that result from data security breaches, regulatory investigations, judgments and settlements.

Some policies may even cover other items like the costs of notifying those affected by a data breach, credit monitoring, retaining public relations, forensic investigators, restoring lost or stolen data and pursuing indemnity rights when someone else has caused a breach. Some policies may also cover business interruption losses following a breach, costs of responding to “e-extortion” and “e-ransom” demands and even media liability claims.

Remember, it doesn’t matter the size or type of business, every company has data that cyber criminals may want. They will always focus their efforts on easy targets who don’t prepare for potential risk. Planning ahead for potential problems will cut down on both your time and cost. Putting up a good defense along with appropriate response measures will effectively reduce a company’s exposure and lower its cost.


Jay Shelton is the senior vice president of Risk Management Services at Assurance. He performs a full range of risk and insurance management functions, including policy selection and negotiation, broker and TPA management, claim management, risk identification, forecasting model development, trend analysis, OSHA and EPA compliance and the development of performance benchmarking. Shelton is a veteran of the United States Marine Corps, earned a Master of Business Administration from Notre Dame University and a Bachelor of Science degree in Criminal Justice from Indiana University.

April 2015