Contractors face growing, evolving cyber threats
As the construction industry adopted more digital processes and information-sharing platforms in recent years, the tech world experienced another trend.
In 2022, the United States saw the number of cyberattacks jump 57 percent over the previous year, due partly to agile hackers and ransomware gangs targeting workplace collaboration tools such as Teams, OneDrive and Google Drive. Roughly 40 percent of attacks in 2022 hit small businesses, according to Accenture, and only 14 percent of those companies were prepared to defend themselves.
Overall, 83 percent of organizations experienced at least one data breach in 2022, according to IBM, and the cost of recovering from a successful cyberattack hit a record high of $4.35 million per incident.
Consequently, security experts insist that cybercrime is a rapidly evolving threat that no business – whether you are a Fortune 500 enterprise or a small construction contractor – can afford to ignore.
“My concern for small and mid-size construction businesses is you don’t have to be a target to be a victim,” said Christopher (Scott) Martin, who leads the Cyber Practice at RCM&D. “The problem is there are economies and ecosystems in Eastern Europe, Russia and South America that develop ransomware and malware and sell it to criminal gangs who cast a wide net, seeing what data they can access. There are office parks in certain areas of the world where this is what they do as their business.”
Once a hacker gains access to a company’s computer system, they can conduct a ransomware attack and lock up the company’s devices and data until a Bitcoin ransom is paid. Or, hackers can “lay dormant and live off the land” in a company’s systems, said Kevin O’Brien, Chief Information Officer at Advance Business Systems. “They can maintain a foothold for weeks, months, even years and siphon information out of your environment. They potentially could learn your entire book of business, your financials, your bank information and even move laterally and go into your customers’ sites. That’s how this turns into a gigantic snowball effect.”
Hackers can then monetize the information they access on the dark web, “which is like eBay for criminals,” O’Brien said. “Personal identification information, protected health information, financial information all carry a value and can be sold.”
Protecting a company from cyberattacks requires layered and customized security measures, constant monitoring, continuous upgrades and education for all staff members, according to cybersecurity professionals. Planning appropriate measures typically starts with conducting a cyber vulnerability assessment.
Advance Business Systems conducts both free and paid in-depth analyses (which typically last 20 hours for a small company) to identify security gaps or vulnerabilities that could allow hackers to access a company’s server, virtual private network, cloud accounts or other systems.
“We look at the online security posture of a business from an adversary’s view,” O’Brien said.
Numerous common situations can create those gaps, O’Brien said. They include security weaknesses in old or DIY websites, failure by a staffer or internet service provider to install all software upgrades or plugins, and company practices that don’t require strong passwords or multi-factor authentication for access to e-mail or shared files. A new camera system, card access system or other Internet of Things devices added to a company’s network may not have been properly secured. And then there are the risks of “data sprawl,” the placement of company files on a variety of platforms – including personal Google Drives and Dropboxes – which can increase a company’s cyber vulnerability.
The vulnerability assessment produces a gap analysis of the company’s online security and a list of proposed measures to “minimize the attack surface” for hackers, O’Brien said.
Companies can address risks through updated technologies, safe computing policies (such as a data governance policy that specifies where files must be stored) and cyber training for staff. However, those efforts need to be ongoing.
“Definitely the most difficult aspect of managing cyber risk is keeping pace with the evolving threat environment. It’s a giant game of whack-a-mole,” Martin said, noting that hackers keep developing new malware and attack strategies. A global study by Web Arx Security concluded that 300,000 pieces of new malware are created daily.
More and more companies are purchasing cyber insurance which can cover the costs of responding to and recovering from a cyberattack.
“We are also seeing most contracts these days requiring some aspect of cybersecurity, privacy, liability coverage to be carried by the parties contracted,” Martin said.
Insurance policies, however, can’t reverse the loss of productivity or the impact on business relations caused by a cyberattack. Insurance policies aim to make clients “whole” but not to fund improvements, so companies often incur uncovered expenses purchasing up-to-date technology after an attack.
And beginning in 2021, cyber insurance became harder to get. Due to the rising frequency and severity of cyberattacks, plus flaws in the previous insurance pricing model, underwriters imposed more stringent criteria for qualifying for insurance, increased policy rates (as much as 50 to 100 percent increases for renewals), increased deductibles and reduced coverage.
Consequently, Martin urges companies to engage in an ongoing practice of reviewing and updating their cybersecurity. Typically six months before a cyber policy is set to renew, RCM&D urges clients to complete a self-assessment questionnaire that covers 12-16 cybersecurity areas. RCM&D also uses BitSight – an external scanning technology that assesses an organization’s domain for known cyber vulnerabilities and security gaps.
“It is very similar to your personal credit score where there is a range from 250 to 900 and it assesses your cyber risk hygiene,” Martin said, adding that underwriters use BitSight scores when determining insurance rates.
The goal of the entire review “is to identify any issues or red flags before we get to an underwriter’s desk and give ourselves time to implement technologies or solutions that would put us in a Grade A exposure,” he said. “In a market where you are getting hit with rate increases, retention increases and reduction in coverage, we want to minimize that impact as much as possible.”
The added benefit of regular cybersecurity reviews and continuous upgrades, according to Martin and O’Brien, is that clients also experience a decline in data breaches.