Contractors should build greater cybersecurity awareness
Nikki Ingram, CISSP, Cybersecurity Risk Engineer, Zurich North America May 31, 2019
Construction contractors need to recognize that they now face many of the same cyber risks challenging more data-intensive companies in other industries.
It seems a cyberattack affecting the operations of a major corporation, educational institution or local government entity makes headlines almost every week. Cybercriminals are constantly becoming more efficient at stealing personal data, infiltrating networks and launching ransomware attacks. And the cyberattacks reported in the media are but the tip of the iceberg since most events are not reported, especially those affecting mid-sized and smaller organizations. By one estimate, global malware attacks in 2018 topped 10.5 billion, with 206.5 million of those attacks being ransomware – an 11% increase over 2017.
Historically, the construction industry has not been at the top of cybercriminals’ hit lists, but that’s changing. Today, with technology permeating virtually all aspects of the construction business, contractors of all sizes now possess digital assets increasingly attractive to cybercriminals. If access to critical data or critical operations (such as safety systems) is available via a computer or mobile device, it is vulnerable. Construction companies should recognize the risks and take steps to mitigate them.
Even before breaking ground, a cyberattack during the bidding process can cause a significant delay in submitting a proposal – a delay that could jeopardize a project worth millions. This is especially true with government contracts. Further, not having a formal cybersecurity program in place compliant with the minimum standards recommended by the National Institute of Standards and Technology (NIST) may disqualify a company from participating in the bidding process for federal, state and local government projects, as well as an increasing number of major, private organizations.
One potential barrier to full recognition of cyber risk is the fact that the primary focus of construction has always been physical and offline. The countless tasks involved in erecting a building or infrastructure project happen through the hands-on work of experienced project managers and skilled laborers. But as with all businesses, connectivity is becoming more critical to effective project design and implementation. Computer-aided design is pro forma in construction. In addition, job sites are employing new technologies such as drones, wearable technologies, robotics and increasingly sophisticated sensors for tasks such as water leak detection. Network connections aiding in the operation of cranes and other vital equipment offer great benefits, but also have vulnerabilities. And, of course, the Building Information Modeling protocols used in the planning, design, construction and operation of buildings and infrastructure are heavily dependent on technology and data.
Cyberattacks can also disrupt supply chains at any stage in the construction process, creating business interruptions, throwing off completion schedules and conceivably resulting in late penalties. In addition, vendors and suppliers can become points of entry into a general contractor’s network if their own cybersecurity protocols are not robust.
Protecting your company from intensifying cyber risks is a two-step process:
- First, you should establish a cyber risk management program that starts with taking steps to assess potential weak points. This can be greatly aided by calling on the knowledge and expertise of a growing cadre of professional cyber risk engineers and specialists who understand the risks and who are aware of new and evolving threats.
- Next, secure a cybersecurity insurance solution with the depth, breadth and flexibility to help mitigate your risks today and respond to the changing risks of tomorrow. Remember that while standard property coverages protect a wide range of property loss scenarios, from physical facilities and equipment to business interruption, they provide little or no cyber-specific coverages. A dedicated cyber insurance solution is recommended to cover the bases.
One example is the Zurich Cyber Insurance Policy, which helps companies in a wide range of business segments protect against the risks and potential costs they might face from a major cyber event. Zurich recently added a new, industry-specific construction endorsement that can expand the already broad coverages of its cyber insurance solution to address the particular risks faced by construction contractors, including the availability of bid protection in some cases.
Zurich’s cyber insurance solution also includes risk assessments provided by experienced Cyber Risk Engineers. The goal is to determine whether networks or individual computers have already been infected as a prelude to making recommendations for going-forward risk mitigation strategies.
True cyber resilience begins with the realization that a cyberattack is a matter of when, not if. Whether an attack amounts to more than an unsuccessful attempt or becomes a costly, disruptive event depends on the cyber resilience strategies your company has in place.