Contractors should build greater cybersecurity awareness

Nikki Ingram, CISSP, Cybersecurity Risk Engineer, Zurich North America, May 31, 2019

Construction contractors need to recognize that they now face many of the same cyber risks challenging more data-intensive companies in other industries.

It seems a cyberattack affecting the operations of a major corporation, educational institution or local government entity makes headlines almost every week. Cybercriminals are constantly becoming more efficient at stealing personal data, infiltrating networks and launching ransomware attacks. And the cyberattacks reported in the media are but the tip of the iceberg since most events are not reported, especially those affecting mid-sized and smaller organizations. By one estimate, global malware attacks in 2018 topped 10.5 billion, with 206.5 million of those attacks being ransomware – an 11% increase over 2017.

Historically, the construction industry has not been at the top of cybercriminals’ hit lists, but that’s changing. Today, with technology permeating virtually all aspects of the construction business, contractors of all sizes now possess digital assets increasingly attractive to cybercriminals. If access to critical data or critical operations (such as safety systems) is available via a computer or mobile device, it is vulnerable. Construction companies should recognize the risks and take steps to mitigate them.


One potential barrier to full recognition of cyber risk is the fact that the primary focus of construction has always been physical and offline. The countless tasks involved in erecting a building or infrastructure project happen through the hands-on work of experienced project managers and skilled laborers. But as with all businesses, connectivity is becoming more critical to effective project design and implementation. Computer-aided design is standard practice in construction. In addition, job sites are employing new technologies such as drones, wearable technologies, robotics and increasingly sophisticated sensors for tasks such as water leak detection. Network connections aiding in the operation of cranes and other vital equipment offer great benefits, but also have vulnerabilities. And, of course, the Building Information Modeling protocols used in the planning, design, construction and operation of buildings and infrastructure are heavily dependent on technology and data.

Even before breaking ground, a cyberattack during the bidding process can cause a significant delay in submitting a proposal – a delay that could jeopardize a project worth millions. This is especially true with government contracts. Further, not having a formal cybersecurity program in place compliant with the minimum standards recommended by the National Institute of Standards and Technology (NIST) may disqualify a company from participating in the bidding process for federal, state and local government projects, as well as an increasing number of major, private organizations.


Cyberattacks can also disrupt supply chains at any stage in the construction process, creating business interruptions, throwing off completion schedules and conceivably resulting in late penalties. In addition, vendors and suppliers can become points of entry into a general contractor’s network if their own cybersecurity protocols are not robust.

Protecting your company from intensifying cyber risks is a two-step process:

  • First, you should establish a cyber risk management program that starts with taking steps to assess potential weak points. This can be greatly aided by calling on the knowledge and expertise of a growing cadre of professional cyber risk engineers and specialists who understand the risks and who are aware of new and evolving threats.

  • Next, secure a cybersecurity insurance solution with the depth, breadth and flexibility to help mitigate your risks today and respond to the changing risks of tomorrow. Remember that while standard property coverages protect against a wide range of property loss scenarios, from physical facilities and equipment to business interruption, they provide little or no cyber-specific coverages. A dedicated cyber insurance solution is recommended to cover the bases.

One example is the Zurich Cyber Insurance Policy, which helps companies in a wide range of business segments protect against the risks and potential costs they might face from a major cyber event. Zurich recently added a new, industry-specific construction endorsement that can expand the already broad coverages of its cyber insurance solution to address the particular risks faced by construction contractors, including the availability of bid protection in some cases.

Zurich’s cyber insurance solution also includes risk assessments provided by experienced Cyber Risk Engineers. The goal is to determine whether networks or individual computers have already been infected as a prelude to making recommendations for going-forward risk mitigation strategies.

True cyber resilience begins with the realization that a cyberattack is a matter of when, not if. Whether an attack amounts to more than an unsuccessful attempt or becomes a costly, disruptive event depends on the cyber resilience strategies your company has in place.

The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy.
