A Blueprint for Protection

Often, cybersecurity protections are too focused on IT, and don't take into account that from a practical and regulatory perspective, control of these risks requires enterprise wide involvement and commitment. Leadership engagement and employee awareness and training prove crucial to every business' cyberdefense. Several organizations have put together resources for companies as they create and implement cybersecurity policies. The National Institute of Standards and Technology created one of the key frameworks of standards and best practices for managing cybersecurity risk in infrastructure industries, which includes construction . Regulators scrutinizing company practices both before and after a cybersecurity incident often look to whether frameworks such as NIST's were followed.

A comprehensive strategy would include the following functions:

1. Identify: One of the first steps is developing an understanding of the data your company collects and maintains , as well as where it is stored , and who has access to it. This includes assessing what personal information and other valuable information you collect—on employees, customers and vendors—and deciding whether collecting all of that information is necessary. It involves prioritizing where you are most vulnerable. Also important is to identify access to critical operating systems that, if subject to a denial of service attack or other compromise, would significantly affect the company's ability to continue its business functions. This assessment should also be used to evaluate whether the business has satisfied both its regulatory and contractual obligations.

2. Protect: This includes everything that goes into protecting your data—both paper and electronic—from controlling access to data and the networks on which these are maintained, to employee awareness and training , to properly disposing of data when you no longer need it. Often, a company's greatest vulnerability is its employees. Password and other credential sharing have been identified as the initial source of most cyberattacks involving access to company networks. Routinely training and testing employees on the importance of strong passwords and the risks of sharing credentials and opening phishing emails, and what to do when they suspect such an incident has occurred, can dramatically improve cybersecurity.

3. Detect: Most people think of software when they think of detection. IT tools are definitely important for monitoring processes and procedures, but current technology often fails to block many cyberattacks. Again, employees play a crucial role in detecting anomalies and threats.

4. Respond: This involves an incidence response plan (IRP) that spells out the appropriate activities to take when a breach is detected. It identifies which stakeholders will assume responsibility for promptly addressing incidents. A key piece of this function is determining how a cybersecurity event is communicated inside and outside of the organization: who should know and when, and what cybersecurity consultants to call when an incident is suspected to have taken place, including forensics and legal. It may be necessary to notify law enforcement, affected individuals, and business partners. Consult your attorney to make sure you comply with laws and regulations, as well as contractual obligations.

5. Recover: How quickly a company can recover from a cyberattack often depends on how prepared it was, and what back up and other continuity plans it had in place before the attack. In a recent survey of the Ponemon Institute, only 39% of the companies represented in the research reported being able to deploy advance backup and recovery operations, even though their use reduced the average cost of cybercrime by nearly $2 million. It's not enough to create cybersecurity strategies. They have to be implemented, monitored and reviewed regularly.

Each company should create a cybersecurity framework that fits its unique risks, threats and vulnerabilities. Most construction projects require extensive collaboration between an array of people and entities, from architects and engineers to suppliers, contractors and government agencies. These relationships include the role of companies as a known and trusted vendor to other entities, as well as a business partner to their own vendors; however, the web of interconnected businesses also creates a web of access points, and is one of the reasons construction companies are especially vulnerable to cybercrime.

Before outsourcing any business function—from payroll and web hosting , to call center operations and data processing— be sure to perform the necessary due diligence to validate the company's data security practices. Put your security expectations in writing and verify compliance. And make sure your service providers notify you of any security incidents they experience, even if the incidents have not led to an actual compromise of your data.

F ollowing industry standards and best practices for cybersecurity shows that you recognize the importance of your customers' data and are committed to its safety. In many cases, preparedness is the best defense.

Knowing how cybercriminals operate can help you build effective plans. Here are some of their techniques:

Funds-Transfer Fraud

Companies in the construction industry are also a target for funds-transfer fraud, a rising risks for businesses that often wire transfer funds to vendors. Con artists monitor businesses to identify external business partners and internal accounting personnel. Using information found on the company website and publicly available, they may impersonate a business partner and submit fraudulent invoices or payment instructions.

Spear Phishing

These and other types of attacks seeking to steal commercial information, such as bids on projects, intellectual property or personally identifiable information, often involve “spear phishing,” where an attacker will target a company by spoofing or impersonating a key employee or known associate in an email, then tricking the recipient into opening a malware-infected attachment or visiting a malicious website. The resulting intrusion of malware on company networks can allow the cybercriminal to access information or disrupt operations.

Ransomware

Attackers also increasingly use ransomware, a form of malware that encrypts critical data on affected systems. The encrypted data is then held hostage until the victim pays the untraceable cryptocurrency ransom to recover the decryption key. Construction companies are susceptible to these attacks because rendering plans, schematics, accounting records or other key electronic records inaccessible for an extended period of time can result in a missed deadline, breach of contract or overdue payment. Thus, many companies consider themselves forced to quietly pay such ransom to preserve their business operations and reputations. Unfortunately, ransomware attacks are lucrative for cybercriminals—security researchers have reported that there were more than four times as many ransomware attacks in 2016 as in the previous year.

Kathryn Richter is a partner in the San Francisco office of Sedgwick LLP and has been working within the construction industry for over 30 years. Laurie Kamaiko is a partner in the New York City office of Sedgwick LLP. Scott Lyon is a partner in the Orange County office of Sedgwick LLP. Visit sedgwickllp.com. The views expressed here are the authors' own.

SAN FRANCISCO—Cyberthreats against American businesses are increasing in scale, sophistication and severity, with global costs to businesses projected to exceed $2 trillion by 2019. Construction companies are not immune, and can be especially attractive targets if they frequently contract with government agencies, are involved in government-sponsored projects or partner extensively with other businesses. Companies in the construction industry that work on the same project are often extensively interconnected, sharing access to networks and highly confidential information. This makes them an attractive target for those seeking proprietary information and confidential business secrets such as bids, plans and specifications, which can be extremely valuable to competitors, domestic and foreign.

Despite the risk and the staggering costs of data breaches and cyber attacks, both as a business loss and a compliance risk under applicable contractual and governmental security requirements, many companies do not have a plan in place for dealing with them. According to the PwC Global Economic Crime Survey 2016, only 37% of respondents reported having a fully operational incident response plan in place. Almost a third had no plan at all, with 14% of respondents not even intending to implement one.

For construction companies, information security is no longer optional. State laws mandate notification when personally identifiable information of individuals is accessed without authorization, including that of employees , as well as consumers. Personally identifiable information is defined differently by different states, but includes at least a person's name plus a unique identifier, such as a driver's license number, financial account or Social Security number.

More and more state laws and federal agencies also require that companies implement data security procedures, and more and more companies are being sued or subjected to regulatory fines when companies ignore these procedures or misrepresent their processes and protections. Government contractors can be subject to additional cyber and data security measures as well.

A Blueprint for Protection

Often, cybersecurity protections are too focused on IT, and don't take into account that from a practical and regulatory perspective, control of these risks requires enterprise wide involvement and commitment. Leadership engagement and employee awareness and training prove crucial to every business' cyberdefense. Several organizations have put together resources for companies as they create and implement cybersecurity policies. The National Institute of Standards and Technology created one of the key frameworks of standards and best practices for managing cybersecurity risk in infrastructure industries, which includes construction . Regulators scrutinizing company practices both before and after a cybersecurity incident often look to whether frameworks such as NIST's were followed.

A comprehensive strategy would include the following functions:

1. Identify: One of the first steps is developing an understanding of the data your company collects and maintains , as well as where it is stored , and who has access to it. This includes assessing what personal information and other valuable information you collect—on employees, customers and vendors—and deciding whether collecting all of that information is necessary. It involves prioritizing where you are most vulnerable. Also important is to identify access to critical operating systems that, if subject to a denial of service attack or other compromise, would significantly affect the company's ability to continue its business functions. This assessment should also be used to evaluate whether the business has satisfied both its regulatory and contractual obligations.

2. Protect: This includes everything that goes into protecting your data—both paper and electronic—from controlling access to data and the networks on which these are maintained, to employee awareness and training , to properly disposing of data when you no longer need it. Often, a company's greatest vulnerability is its employees. Password and other credential sharing have been identified as the initial source of most cyberattacks involving access to company networks. Routinely training and testing employees on the importance of strong passwords and the risks of sharing credentials and opening phishing emails, and what to do when they suspect such an incident has occurred, can dramatically improve cybersecurity.

3. Detect: Most people think of software when they think of detection. IT tools are definitely important for monitoring processes and procedures, but current technology often fails to block many cyberattacks. Again, employees play a crucial role in detecting anomalies and threats.

4. Respond: This involves an incidence response plan (IRP) that spells out the appropriate activities to take when a breach is detected. It identifies which stakeholders will assume responsibility for promptly addressing incidents. A key piece of this function is determining how a cybersecurity event is communicated inside and outside of the organization: who should know and when, and what cybersecurity consultants to call when an incident is suspected to have taken place, including forensics and legal. It may be necessary to notify law enforcement, affected individuals, and business partners. Consult your attorney to make sure you comply with laws and regulations, as well as contractual obligations.

5. Recover: How quickly a company can recover from a cyberattack often depends on how prepared it was, and what back up and other continuity plans it had in place before the attack. In a recent survey of the Ponemon Institute, only 39% of the companies represented in the research reported being able to deploy advance backup and recovery operations, even though their use reduced the average cost of cybercrime by nearly $2 million. It's not enough to create cybersecurity strategies. They have to be implemented, monitored and reviewed regularly.

Each company should create a cybersecurity framework that fits its unique risks, threats and vulnerabilities. Most construction projects require extensive collaboration between an array of people and entities, from architects and engineers to suppliers, contractors and government agencies. These relationships include the role of companies as a known and trusted vendor to other entities, as well as a business partner to their own vendors; however, the web of interconnected businesses also creates a web of access points, and is one of the reasons construction companies are especially vulnerable to cybercrime.

Before outsourcing any business function—from payroll and web hosting , to call center operations and data processing— be sure to perform the necessary due diligence to validate the company's data security practices. Put your security expectations in writing and verify compliance. And make sure your service providers notify you of any security incidents they experience, even if the incidents have not led to an actual compromise of your data.

F ollowing industry standards and best practices for cybersecurity shows that you recognize the importance of your customers' data and are committed to its safety. In many cases, preparedness is the best defense.

Knowing how cybercriminals operate can help you build effective plans. Here are some of their techniques:

Funds-Transfer Fraud

Companies in the construction industry are also a target for funds-transfer fraud, a rising risks for businesses that often wire transfer funds to vendors. Con artists monitor businesses to identify external business partners and internal accounting personnel. Using information found on the company website and publicly available, they may impersonate a business partner and submit fraudulent invoices or payment instructions.

Spear Phishing

These and other types of attacks seeking to steal commercial information, such as bids on projects, intellectual property or personally identifiable information, often involve “spear phishing,” where an attacker will target a company by spoofing or impersonating a key employee or known associate in an email, then tricking the recipient into opening a malware-infected attachment or visiting a malicious website. The resulting intrusion of malware on company networks can allow the cybercriminal to access information or disrupt operations.

Ransomware

Attackers also increasingly use ransomware, a form of malware that encrypts critical data on affected systems. The encrypted data is then held hostage until the victim pays the untraceable cryptocurrency ransom to recover the decryption key. Construction companies are susceptible to these attacks because rendering plans, schematics, accounting records or other key electronic records inaccessible for an extended period of time can result in a missed deadline, breach of contract or overdue payment. Thus, many companies consider themselves forced to quietly pay such ransom to preserve their business operations and reputations. Unfortunately, ransomware attacks are lucrative for cybercriminals—security researchers have reported that there were more than four times as many ransomware attacks in 2016 as in the previous year.

Kathryn Richter is a partner in the San Francisco office of Sedgwick LLP and has been working within the construction industry for over 30 years. Laurie Kamaiko is a partner in the New York City office of Sedgwick LLP. Scott Lyon is a partner in the Orange County office of Sedgwick LLP. Visit sedgwickllp.com. The views expressed here are the authors' own.