Cyber risk expert Ray Monteith shares advice about how construction companies can harden their network against cyberattacks.
This article first appeared in the September/October 2021 issue of Pro Builder.
Raymond Monteith 
SVP Risk Services Division
HUB International

If your company uses email, has employees working from remote locations, or has a network connected to third-party vendors (likely all three), your business could face increased risk of cyberattacks.

As predominantly small- and medium-size companies, home builders and trade contractors are especially vulnerable to cybersecurity issues, due to lack of resources, and they are disproportionately affected by hacking because they can’t easily absorb the financial losses of a security breach. Raymond Monteith has more than 25 years’ experience in risk consulting and providing risk evaluations and mitigation strategies. He has published research papers regarding community and organizational resilience and regularly presents his findings at national and international conferences.

Pro Builder: What are some common cyberattacks hackers use on construction companies?

Raymond Monteith: When we’re talking about actual attacks, they fall into four broad categories: internal and external threats that can be either malicious or unintentional.

The most common forms of attack these days are the result of hackers phishing or malware extortion. These are all malicious attacks with the goal of either financial gain, cyber espionage in some cases, and sometimes stealing intellectual property.

But, generally speaking, ransomware and business email compromise are what we would term “public enemies number one and two” right now. If you’re a threat actor, there’s certainly no better way to monetize illicit access to a network than by encrypting your victim’s files and demanding some sort of payment.


That and business email compromise disproportionately affect small- to medium-size enterprises, which can be significantly problematic because it’s not necessarily readily detected. With ransomware, you know you’re being held for ransom quite quickly, but business email compromise can lead to a threat actor actually taking over aspects of your operations, taking over accounts, and sending out a request for payment to your vendors and clients for a period of time. So it can be extremely expensive for an organization and damaging for its reputation.

PB: Why are small- and medium-size businesses affected disproportionately by cyberattacks?

RM: Very often those businesses don’t have large or sophisticated IT or risk management departments that are actively engaged in maintaining defensive security for the business. Also, the impact of the financial losses can be much more significant for a small- or medium-size enterprise than a larger organization, which may be able to absorb the financial impact.

PB: What should cyber risk training cover?

RM: We know that human activity is absolutely at the core of breach events. People working in your business are opening emails and interacting with your digital interface. Those are the people who are the key access points for a threat actor.

We also know that as much as 88% of all data breaches are the direct result of human error. So training is fundamental to any kind of cybersecurity program an organization would undertake.

What’s important for any organization to realize is that this isn’t just an IT issue. We don’t just leave it to the IT people to take care of and maintain the defensive perimeter. This is actually a cultural issue, and everyone in the organization is a stakeholder in prevention. That doesn’t mean every employee has to be a technical subject-matter expert, but they do need to have awareness of cyber risk issues.

An organization that isn’t embarking on an education program is really vulnerable. And it’s crucial that education is one aspect of a comprehensive, multifaceted risk management program. Such a program involves a series of defenses that need to be built and maintained. It’s important to be able to detect and analyze an event.

One way to think about this is the same way we would act to protect a physical entity or physical structure. You have perimeter defenses. As an example, you have a castle on a hillside ... so you have elevation. You have a moat, a castle wall, and then you have another series of walls, and somewhere in the center are the keys to the kingdom.

The more difficult that an organization makes it for a threat actor to engage, the more likely they're going to bypass your organization and go to a more vulnerable target. There are some very formal cybersecurity methods and frameworks established by the National Institute of Standards and Technology that organizations across the U.S. and elsewhere use to establish a cybersecurity program.

PB: What is the recommended frequency for training employees?

RM: Many organizations will look—at minimum—at a quarterly training program, and there are certainly vendors available to do that. It's usually set up as on-demand training, and it's maybe a 20-, 30-, or 60-minute endeavor that individual employees will take at regular intervals. Quarterly is good because it keeps it front and center.

There are other options where it can be factored in ... things like safety meetings and toolbox meetings. There could be special training, lunch-and-learn webinars. There are all kinds of delivery tools available, but certainly keeping some form of regular training, keeping the conversation alive, and maintaining that culture is really important to the organization.

PB: What other defenses should be built?

RM: Clearly there should be very strong defenses built around technical controls and systems. There should be good physical security systems, and those should be tested. There should be ways of monitoring the effectiveness of your perimeter defenses. There are things available that outside parties can do like penetration testing, where they can actually determine if your defenses are holding and doing what they're meant to do.

Another important aspect is understanding it's not enough to just build a defense. You also need to understand when you're being probed or when you're under attack. There has to be a way of identifying an attack and analyzing the depth of potential penetration. And there has to be a way of containing that attack and eradicating it. You've got to be able to recover your systems and make sure there's no damage. And, if there is damage, you need to assess how extensive it is.

Then you have to be able to remediate, recover, and learn from that. It's a cyclical process; it's not a one and done. The system constantly has to be renewed and refreshed because the threat environment isn't static, it's changing all of the time, so we need to change, too.

PB: How should businesses dispose of technology?

RM: The first thing to consider is to ensure that there is nothing that could be potentially recoverable on any piece of technology that you want to get rid of. So you want to make sure that they are absolutely inoperable before you start to get rid of them. That doesn't mean you turn them over to some recycler to do that for you because there's no guarantee your technology isn't going to be harvested.

The second consideration is that maybe the technology isn't working for you anymore, but it could work for someone else. So investigate with your vendors, the electronics companies you deal with, and see if there is any kind of program that may be available where you can contribute your expired hardware and technology.

As far as recycling or reusing, ensure that anything that you do offload is to a certified electronics waste recycler and that they're taking appropriate measures, not just taking the equipment from you and tossing it into the landfill.

PB: Can a construction company evaluate the security controls of the third parties it does business with?

RM: The data suggest that from at least the first half of 2019, data breaches exposed in excess of 4.1 billion records, and third-party violations accounted for over half of all data breaches, at least in the United States.

It's important that we're not just trusting our third-party vendors at face value, but that we're actually incorporating some sort of third-party risk management program, which really should be a discipline within any organization. It should be focused on analyzing and controlling risks associated with outsourcing activities to third-party vendors and external service providers.

That shouldn't be done on a case-by-case basis. In the context of home builders, where there can be a lot of trust-based relationships, sometimes we can lapse into an informality that could ultimately blow up and cause damage. So it's important for an organization, regardless of its size, to establish a vendor risk assessment framework. You have to be able to ask the important questions about what a third-party vendor does, what they do with data, and how they collect, store, transmit, process, and dispose of sensitive data.

What activities do they engage in that could have an impact on your organization? It's important to define a framework and then be prepared to hold a third-party vendor accountable to that framework. Agreements should be reviewed at least annually, and if there are any requirements for upgrading or improvements, that should be validated and reviewed as well.

PB: What's your recommendation concerning a construction company getting insurance protection against cyber incidents?

RM: Too many business owners make the mistake of thinking they don't need to have cyber coverage or that cyber is going to be covered under some sort of crime policy that they might have or under some other insurance component. It's important for an organization to understand that they need to have a comprehensive cyber policy that's developed for them by a specifically trained and knowledgeable insurance partner that really understands cyber coverage. It's not just a simple add-on to a policy.

Cyber policies have become extremely comprehensive, and in many cases they can be quite challenging. It can actually be challenging to get coverage because insurance carriers are imposing a greater level of control and requirements for organizations to implement before they will issue a policy.

So there are a certain number of absolute must-haves that insurance carriers are beginning to look for from their potential clients; things like intrusion detection and prevention solutions. Just as we talked about earlier: endpoint protection solutions, multi-factor authentication, email filtering systems, and comprehensive data backup facilities, and intervals.

Insurance companies are going to be asking questions about all of those things, and they may ask for evidence of a cybersecurity incident response plan. The absence of any one of those controls can sometimes lead to a denial of coverage. Sometimes carriers will be looking for evidence that those controls have been in place for a period of time and weren't just implemented the day before the policy starts.