Construction and contracting companies are experiencing new risks due to an increased level of cyber attacks on middle market organizations. Contractors, both large and small, hold vast amounts of information that is of interest to cyber criminals – from employee data to project-related intellectual property, as well as homeland security implications for design data on critical infrastructure. Understanding the threats may help contractors identify vulnerabilities and better manage recovery efforts following a data breach or a cyber attack.
Cyber attacks can happen in a variety of ways, ranging from data breaches with significant legal and brand damage implications, to ransomware-oriented attacks resulting in long-term business interruption. Based on our experience working with construction firms in the region, we have observed the following cyber security related concerns:
- Viewing cyber readiness as an IT issue instead of a business risk management concern
- Assuming internal and/or external IT resources have taken the necessary precautions to protect the company on a cyber level
- Having lax policies and procedures for handling sensitive data such as design specifications, blueprints, CAD drawings, and project-related confidential information
- Using Excel spreadsheets that contain sensitive data such as employee personally identifiable information (PII)
- Lacking ongoing end user cyber and information privacy training and validation
- Working with outdated software and hardware systems
- Relying heavily on internet-based services and mobile devices for storing and transmitting project data without proper security safeguards
Here are key steps that construction companies should take to effectively manage cyber risks:
- Conduct an independent cyber and information privacy risk assessment at least once every 2-3 years
- Identify potential vulnerabilities and develop an effective multi-year remediation plan
- Review and update applicable policies and procedures, including an effective incident response plan, on an annual basis
- Establish an ongoing end user training program
- Purchase a proper cyber insurance policy
- Conduct phishing and penetration testing exercises on an annual basis to validate overall readiness levels
These steps are outlined by all major U.S. governmental and professional associations as baseline, minimally acceptable practices intended to reduce – not eliminate – potential cyber risks. Having an ongoing set of cyber protection efforts in place will leave construction and contracting firms well equipped to manage and reduce cyber risks.
Given the critical nature of cyber and information security readiness, October has been designated as Cyber Security Awareness Month to increase everyone’s attention to this topic. In order for us to assist you with addressing your cyber needs and help reduce vulnerabilities in your organization, contact us to arrange for a Complimentary Cyber & Information Security Health Check.
Contact the author:
Information contained in this alert should not be construed as the rendering of specific accounting, tax, or other advice. Material may become outdated and anyone using this should research and update to ensure accuracy. In no event will the publisher be liable for any damages, direct, indirect, or consequential, claimed to result from use of the material contained in this alert. Readers are encouraged to consult with their advisors before making any decisions.