10 tips for identifying weaknesses & minimizing your company’s exposure
Sponsored by: Sedgwick LLP

Businesses in the construction industry would be well served to identify their vulnerabilities in data privacy and cybersecurity and correct them before suffering a breach or cyberattack. Internet-connected solutions and remotely accessible systems such as building information modeling (BIM) and project management software are useful tools but also opportunities for hackers to launch a cyberattack.

Construction businesses often have architectural drawings and specifications, corporate banking accounts, and employee information including full names and social security numbers along with bank account data used for payroll. Spearphishing attacks commonly target employee payroll information and ransomware attacks may steal intellectual property and other proprietary assets.

Ransomware is a form of malware that encrypts critical data on affected systems (often through a phishing email). The encrypted data is then held hostage until the victim pays the untraceable cryptocurrency ransom in order to recover the decryption key.

You can prepare for and minimize your exposure to cybersecurity threats by implementing thorough, careful preventive measures. To help you get started, below are some key questions to use in evaluating your company's current state and identify weaknesses to correct.

  1. Data assessment—What data do you have, both in sensitive regulated personally identifiable information and key confidential business information, and do you need to keep it?

    One of the first steps a company should take is to assess what types of data it collects and maintains as well as where that data is stored. The company can then identify the related risks that must be addressed and protections to institute. This assessment should also be used to evaluate whether the business has satisfied both its regulatory and contractual obligations. Once there is an understanding of the scope of the data and related risks, it’s advisable to seek the assistance of an information security professional. There are many reputable vendors who can help assess the strengths and weaknesses of the cybersecurity of a company and the networks it uses.

  2. Access to information—Who has access to your information and log-in credentials to your networks, and to what companies’ information and networks do you have access?

    Credentials, logins, and related permissions and rights associated with such credentials can all be used to hack in to a business's system and take critical information. Carefully document who has access to administrative and security rights as well as who has access to your systems. Give access to systems based on needs of the job. Carefully track active and inactive users and implement a system to immediately terminate credential, logins, and access rights when an employee (or vendor) no longer needs access.

  3. Encryption—How robust is your data encryption? Encryption converts data into a code to make it unreadable. Encrypting data makes it less enticing to a cyber-criminal because the data's value is lost if it cannot be decoded or read by the cyber-criminal. Encrypting data also may provide a safe harbor in the event of a data breach because many states' laws and federal laws exclude sensitive information from the definition of a breach if the information subject to the breach was encrypted.
  4. Plan—Do you have an up-to-date privacy and data security plan and assessed whether it is in compliance with current laws, regulations and contractual requirements?

    A key to successful mitigation of cyberattacks depends on the preparation of an incidence response plan (IRP) identifying which stakeholders will assume responsibility for promptly addressing incidents. An IRP can be tailored to your organization’s structure and capabilities in order to achieve the best possible outcome. Make sure to keep your IRP updated with current employees and phone numbers that can reach a person at all hours. Rarely do cyberattacks occur between the hours of 9 to 5 when we are all in the office.

  5. Team—Do you have a breach response team identified, with both internal members and external specialists? When a data breach occurs, you should have your partners identified in advance. Compliance with data breach regulations requires operating on a very short timeline. Florida, for example, imposes a 30 day deadline from the time the incident is discovered to notify affected individuals. Having a forensic vendor identified and under contract who can immediately deploy its investigative resources is critical to "stop the bleeding" and to investigate what occurred. Selecting an attorney in advance to immediately retain to shield communications with attorney client privilege is critical. Vetting a public relations team ahead of time would also well serve a business so that it can control public-facing communications from the outset.
  6. Business continuity—Do you have a business continuity and back-up plan that can keep you in operation in the event of a ransomware or business-disruption attack?

    Cybersecurity attacks that cripple a business's systems can cost it enormously. Regular backups of data and having alternative operating plans and systems in the event of a cybersecurity attack may help a business minimize its business losses.

  7. Vendor management—Do you have a vendor management process and contract review that addresses vendor data security, indemnity and breach response?

    Vendors unknowingly may be an avenue for cyber-criminals to attack a business by failing to implement robust security practices, regular training, or access controls. Sloppy contracts may leave you "holding the bag" while your vendor escapes responsibility for the costs that a data breach they caused by lax security practices may impose on you. Review your agreements with vendors. Consider contractually requiring vendors to comply with specified data security standards, bearing the cost of a data breach or cyberattack that their conduct permits, and/or requiring a vendor provide proof of cyber liability insurance.

  8. Training—Have you had any employee training for a cyber incident? Businesses should keep in mind that often their greatest vulnerability is their employees. Password and other credential sharing has been identified as the initial source of most cyberattacks involving access to company networks. Routinely training (and testing) employees on the importance of strong passwords and the risks of sharing credentials and opening phishing emails, and what to do when they suspect such an incident has occurred, can dramatically improve a company’s cybersecurity.

    There are numerous resources available for businesses to assist in improving their cybersecurity programs. One of the most widely recognized is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which is intended as a tool for organizations to self-assess their level of preparedness to prevent, detect and respond to cyberattacks, then outline a plan to improve security processes.i

    There are also other organizations that offer information and training that are without charge to join. InfraGard, a non-profit organization designed to promote information sharing between private-sector companies and the FBI, provides training and regular updates to its members, primarily in the critical infrastructure sector.ii The FTC also offers free information and guidance for businesses on data security and privacy best practices.iii

  9. Accuracy of representations—Have you made representations about your cyber and data security on your website or in contracts, and if so, have you recently confirmed those are consistent with your current practices?

    The Federal Trade Commission rigorously pursues actions against companies that make representations about the security of its data and then fail to live up to those promises.iv Be sure the public-facing representations your company makes about its cybersecurity and privacy practices are accurate and regularly assess such representations for consistency with your actual practices.

  10. Insurance—Have you assessed whether your current insurance will apply in the event of a data breach or other cyber incident discussed above and consulted with a broker knowledgeable about cybersecurity insurance?

    The policies offered to cover cybersecurity events are being developed; there is not a standard policy at this time. Different insurance companies offer different types of policies to cover cyber incidents, with different types of coverage, triggers, and exclusions. Be sure to work with a broker well-versed in your business's needs and with insurance for cybersecurity and data privacy.

  11. References
    i https://www.nist.gov/cyberframework
    ii https://www.infragard.org/
    iii https://www.ftc.gov/news-events/press-releases/2016/08/ftc-blog-post-ou…
    iv https://www.ftc.gov/news-events/press-releases/2016/05/hand-held-vapori…, https://www.ftc.gov/news-events/press-releases/2016/01/dental-practice-…, https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100…

    Sedgwick LLP logo

    If you are concerned that your business needs help with combatting cybersecurity threats or responding to a security incident, the Sedgwick Cybersecurity team can assist you. Contact Sedgwick at sedgwickresponder@sedgwicklaw.com, or contact Cinthia Motley 312-849-1972 or cinthia.motley@sedgwicklaw.com.