In July, WCOE Regional Director – West (South), Brenda Radmacher, Esq., presented an extremely timely and informative webinar on cybersecurity risks and best practices for construction companies. The practice update below highlights some key points from Brenda’s presentation, her colleague Christy Hawkins, Esq.; and industry experts, Danette Beck, Head of Industry Verticals and National Construction Practice Leader, USI Insurance Services and Michael Corcione, Partner, Global Head of Cybersecurity and Privacy Risk Management, HKA.
The construction industry has seen an amazing evolution in recent years with the rapid adoption of new technologies. While all of these new technologies have the potential to make businesses more productive and efficient, they, like all new tools, also create new risks and liabilities. The modern construction business must be as vigilant and prepared for cyber threats as it is for the dangers of the construction site. The first danger to overcome, however, is the misconception that hackers aren’t interested in construction companies or small businesses. It is simply not true. Cybercriminals can now weave a very wide and indiscriminate net with their cyberattacks, tangling businesses they previously had no idea existed. Even more disturbing is the fact that the cliché of hackers living in their parents’ basements has been replaced by sophisticated state-sponsored hacker teams. For example, there is evidence that Russian government-backed hackers have infiltrated US government agencies and Fortune 500 companies as part of its war with Ukraine, as reported in a recent New York Times article. Although these attacks have primarily targeted specific agencies and companies, experts note that there is often “spillover”, with the malware used in the attacks spreading beyond the original targets.
Clearly, a construction company working on a large infrastructure project or a sensitive government facility could be a prime target for hackers. And it’s just as clear how a business that is content to run its day-to-day operations can find itself trapped in a massive fishing expedition. But with effective planning, due diligence and vigilance, these risks can be significantly reduced.
Why cybersecurity is important for construction companies
At the most basic level, cybersecurity should be a priority for any construction company, as there are laws that you are likely required to comply with. For example, the California Consumer Protection Act (CCPA) became effective in 2020 and applies to for-profit entities that collect personal information from California residents and meet one of the following thresholds: (i) At least $25 million in gross annual revenue, (ii) Buys, sells or receives personal information of at least 50,000 California consumers, households or devices for any business purpose or; (iii) derives more than 50% of its annual revenue from the sale of personal information.
And that’s only the tip of the iceberg. Since the CCPA came into effect, a growing number of states are considering comprehensive privacy laws. In 2022, 29 states have considered data privacy legislation.
Even if your business isn’t subject to data privacy laws like the CCPA due to your size or location, you’re still vulnerable to cyberattacks. That’s why the Cybersecurity & Infrastructure Security Agency recommends that organizations of all sizes “adopt a strong cybersecurity posture to protect their most critical assets. »2
Earlier, we mentioned indiscriminate WAN cyberattacks, the most common of which are email phishing scams. For those unfamiliar, this is when cybercriminals use email to obtain data from individuals or gain access to your network. These e-mail messages are most often sent by the thousands to addresses, which are often obtained through equally nefarious means. A 2019 study by cybersecurity firm KnowBe4 highlighted how vulnerable construction companies are to phishing attacks. They found “those who work in construction are the most vulnerable to phishing attacks among small and medium-sized businesses and the second most likely to fall into the phishing trap among large businesses. “3 The study, “Phishing by Industry 2019surveyed nine million users across 18,000 organizations with a phishing security simulation. The other sectors most vulnerable to phishing are hospitality, finance and healthcare.
Source: Ransomware Analysis | NordLocker′ | NordLocker