Kathryn Richter has been working within the construction industry for over 30 years, counseling and defending owners, contractors and design professionals, as well as serving as a mediator. Laurie Kamaiko is a partner in the New York City office of Sedgwick LLP. She is on the leadership team of the firm’s cybersecurity and privacy group and co-chair of its cyber insurance task force, as well as a member of its incident response team. Scott Lyon, CIPP/US, CIPT is a partner at Sedgwick LLP, is on the leadership team of the firm’s cybersecurity and privacy group and is head of the firm’s business and technology taskforce. Visit sedgwickllp.com.
A wide range of construction and design firms are involved in public and private projects, including government-sponsored infrastructure projects, which makes them attractive cyber targets and subjects them to additional cybersecurity requirements. In addition to seeking personal information on customers and employees to use or sell, attackers may also seek to leverage a company’s access to its business partners’ confidential business information, intellectual property or plans and specifications.
A unique feature of the industry is the extent to which contractors, subcontractors, vendors and service providers are connected and share access to networks and information subject to confidentiality restrictions or regulatory protections. Increased reliance on technologies such as remote monitoring, risk management and expense data analytics and building information modeling (BIM) may improve your competitive position, but it also widens your exposure to cyber risks and liabilities if those risks are not addressed from the outset.
In today’s environment, information security is no longer optional. Companies in the construction industry are all subject to state laws that mandate notification when there is unauthorized access to personally identifiable information of individuals (defined differently by different states, but includes at least a person’s name, plus a unique identifier, such as a driver’s license number, financial account(s) or Social Security number and other such information).
Increasingly, state laws and federal agencies also require that data security procedures be in effect, and litigation and regulatory inquiries are increasingly instituted against entities that have not paid attention to their data security or have misrepresented their processes and protections. Involvement in government projects also subjects design and construction firms to additional cyber and data security requirements.
A Target for Cybercrime
One of the biggest cybersecurity myths is the belief that “nobody would be interested in our data.” Too often, companies assume that only financial institutions, healthcare providers and government entities are the targets of cyberattacks. As a result, construction and design firms may not implement adequate security procedures and incident response plans or scrutinize those of their vendors. However, these firms are desirable targets because of who they know, the data they possess and their susceptibility to attacks.
Indeed, one of the most “cyber attractive” aspects of companies in the construction industry is their relationship as a known and trusted vendor to other entities, as well as to their own vendors. The well-known Target store breach, which resulted in the disclosure of over 70 million customer records, provided a lesson to companies in all industries that data security must include awareness of vendor security and access.
Target’s attackers were able to reach the network where it stored customer credit card information by using network credentials that had been issued to the company’s HVAC vendor and stolen from that vendor.
Companies in the construction industry are also a target for funds-transfer fraud, a rising risk for businesses that routinely wire funds to vendors. Con artists study a business to identify its external partners and internal accounting personnel. Using information from the company’s website and other public sources, they may impersonate a business partner and submit fraudulent invoices or changed payment instructions.
These and other attacks seeking to steal commercial information, such as bids on projects, intellectual property or personally identifiable information, often involve “spear phishing,” where an attacker targets a company by spoofing or impersonating a key employee or known associate in an email, then tricks the recipient into opening a malware-infected attachment or visiting a malicious website. The resulting malware infection on company networks can allow the cybercriminal to access information or disrupt operations.
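The impersonation described above usually shows up in the message headers before anyone reads the invoice: a look-alike sender domain, a display name that shows a trusted address while the real address is elsewhere, or a Reply-To that quietly redirects the conversation. The following is an added example, not code from the article or its authors; the vendor domains (`acme-hvac.example`, `northbank.example`), the homoglyph table and the four sample messages are constructed for illustration, and the distance threshold of 2 is an assumption that would be tuned against real mail. It runs three checks over each message and returns the findings so accounts-payable staff (or a mail filter) can hold any payment-instruction change that trips one of them.

```python
"""Flag spoofed and look-alike senders in payment-related email.

Added example, not code from the original article. The vendor domains,
header values and sample messages below are constructed for illustration.
"""
import email
from email.utils import parseaddr

# Constructed list of vendor and bank domains the company actually deals with.
TRUSTED_DOMAINS = {"acme-hvac.example", "northbank.example"}

# Substitutions attackers use when registering look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalize(domain: str) -> str:
    """Undo common homoglyph tricks so a look-alike compares equal to its target."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if the domain
    is trusted itself or not close to anything trusted (threshold 2 is assumed)."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def sender_flags(raw_message: str):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    flags = []

    # 1. The address domain is a look-alike of a vendor we know.
    target = lookalike_of(from_domain)
    if target:
        flags.append(("lookalike_domain", f"{from_domain} imitates {target}"))

    # 2. The display name shows a trusted address but the real address differs
    #    (many mail clients show only the display name).
    if "@" in display_name:
        claimed = domain_of(display_name)
        if claimed in TRUSTED_DOMAINS and claimed != from_domain:
            flags.append(("display_name_spoof", f"claims {claimed}, sent from {from_domain}"))

    # 3. Replies are redirected to a domain other than the sender's.
    reply_to_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to_domain and reply_to_domain != from_domain:
        flags.append(("reply_to_mismatch", f"replies go to {reply_to_domain}"))

    return flags


# Constructed sample messages (no real senders or accounts).
MSG_LOOKALIKE = """\
From: Accounts Receivable <billing@acrne-hvac.example>
To: ap@contractor.example
Subject: Updated wire instructions for invoice 4471

Please use the new account below for all future payments.
"""

MSG_REPLY_TO = """\
From: Jane Doe <jane@acme-hvac.example>
Reply-To: jane.acme.hvac@webmail.example
To: ap@contractor.example
Subject: Re: invoice 4471

Confirm the new routing number when you have a moment.
"""

MSG_NAME_TRICK = """\
From: "treasury@northbank.example" <notices@mailer.example>
To: ap@contractor.example
Subject: Payment portal change

Log in at the new portal to re-confirm your account details.
"""

MSG_CLEAN = """\
From: Jane Doe <jane@acme-hvac.example>
To: ap@contractor.example
Subject: Invoice 4471

Attached as usual.
"""

if __name__ == "__main__":
    for label, m in [("lookalike", MSG_LOOKALIKE), ("reply-to", MSG_REPLY_TO),
                     ("name trick", MSG_NAME_TRICK), ("clean", MSG_CLEAN)]:
        print(label, sender_flags(m) or "no findings")
```

Header checks of this kind are a screen, not a verdict: a trusted domain can itself be compromised, so any change to payment instructions should still be confirmed by calling the vendor on a number already on file, never one taken from the email.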
Construction companies and design firms are also targeted because of the access they have to certain types of information. In the case of companies working on government or infrastructure projects, competitors may seek access to a company’s network to exfiltrate proprietary information or trade secrets in order to gain a competitive advantage when submitting bids for critical projects. Foreign hackers, often suspected to be government sponsored, are usually financially motivated, but may also be associated with suspected political and terror-related objectives, such as gathering intelligence from government contractors. Inside information on suppliers, vendors and customers and their business plans can be extremely valuable to a competitor willing to exploit weaknesses in your company’s security processes.
Attackers also increasingly use ransomware, a form of malware that encrypts critical data on affected systems. The encrypted data is then held hostage until the victim pays a ransom, typically in cryptocurrency, to obtain the decryption key; payment does not guarantee that a working key will be delivered. Construction companies are susceptible to these attacks because rendering plans, schematics, accounting records or other key electronic records inaccessible for an extended period can result in a missed deadline, breach of contract or overdue payment. Thus, many companies consider themselves forced to quietly pay such ransoms to preserve their business operations and reputations. Unfortunately, ransomware attacks are lucrative for cybercriminals; security researchers have reported that there were more than four times as many ransomware attacks in 2016 as in the previous year.
An Enterprise-Wide Plan
One of the first steps to take is to assess what types of data your company collects and maintains, as well as where that data is stored. The company can then identify the related risks that must be addressed and the protections to institute. This assessment should also be used to evaluate whether the business has satisfied both its regulatory and contractual obligations. Once there is an understanding of the scope of the data and related risks, it is advisable to seek the assistance of an information security professional.
Often, a company’s greatest vulnerability is its employees. Stolen, shared or phished passwords and other credentials are among the most common ways attackers first gain access to company networks. Routinely training and testing employees on the importance of strong passwords, the risks of sharing credentials and opening phishing emails, and what to do when they suspect an incident has occurred, together with requiring multi-factor authentication wherever it is available, can dramatically improve cybersecurity.
Ultimately, while increased security can make it more difficult for attackers to access your network, mistakes or unknown vulnerabilities can still result in security incidents. Successful mitigation of these attacks depends on preparing an incident response plan (IRP), identifying which stakeholders will be responsible for promptly addressing incidents, and limiting the information available to an attacker by eliminating unnecessary personal information and restricting access to sensitive and confidential information. An IRP can be tailored to your organization’s structure and capabilities in order to achieve the best possible outcome.
One of the most widely recognized resources is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, organized around the functions Identify, Protect, Detect, Respond and Recover. It is intended as a tool for organizations to self-assess their preparedness to prevent, detect and respond to cyberattacks and then outline a plan to improve their security processes.
Some organizations offer information and training at no charge. InfraGard, a nonprofit partnership designed to promote information sharing between private-sector companies and the FBI, provides training and regular updates to its members, primarily in the critical infrastructure sectors. The FTC also offers free information and guidance for businesses on data security and privacy best practices.
Cybersecurity threats are an underappreciated but growing concern for the construction industry. Planning and preparation are the keys to a strong defense, ensuring that adequate internal controls are in place and employees are trained to recognize and respond to threats. Companies can also benefit substantially from the specialized knowledge and experience of legal professionals in this field, both before a security incident occurs and when advice is needed on required responses after a suspected breach. In an increasingly interconnected marketplace, the importance of a robust, mature cybersecurity program cannot be overstated.
Top 10 Data & CyberRisk Checklist
- What sensitive, regulated or personally identifiable information and confidential business information do you hold? Do you need to keep it?
- Who has access to your information and login credentials, and to what companies’ information and networks do you have access?
- Is sensitive data encrypted at rest and in transit, and who controls the keys?
- Do you have an up-to-date privacy and data security plan? Is it in compliance with current laws, regulations and contractual requirements?
- Do you have a breach response team identified, with both internal members and external specialists?
- Do you have a business continuity and backup plan that can keep you in operation in the event of a ransomware or business-disruption attack?
- Do you have vendor management and contract review processes that address vendor data security, indemnity and breach response?
- Have employees been trained to recognize and report a cyber incident, and when was that training last repeated?
- Have you made representations about your cyber and data security on your website or in contracts? If so, have you recently confirmed those are consistent with your current practices?
- Have you assessed whether your current insurance will apply in the event of a data breach or other cyber incident and consulted with a knowledgeable broker?