Using everything from BIM software to mobile devices, workers in the field and managers in the office are sharing information with ease, but there’s a downside. More information connections can create more risk, especially if sensitive information is involved.
  • A construction firm discovers that intruders have accessed its computer network, but the extent of the breach is unclear.
  • An employee’s tablet disappears from a jobsite; customers’ financial information is stolen from the device and sold.
  • Cyber thieves hack into a contractor’s systems as a sophisticated first step in accessing a business partner’s information.
Cyber attacks are on the rise, both in frequency and in the cost to remediate the consequences. The Ponemon Institute’s 2015 Cost of Data Breach Study reported that the average total cost of a data breach in the United States is $6.5 million. Criminal or malicious attacks are the most frequent cause of a breach—and also the most costly.

A breach’s impact can branch out in many directions. For instance, expenses could include the cost of notifying customers of a breach and providing them with credit monitoring services. Less often contemplated is the possibility that a network shutdown could disrupt job scheduling or in some cases bring the business to a halt for days or even weeks.

Even if no sensitive information was accessed during a data breach, the forensic costs associated with investigating and making that determination can be significant. The Ponemon study found that average detection and escalation costs for a breach (such as forensics and crisis team expenses) jumped from $420,000 in 2014 to $610,000 in 2015.

That’s just the effect on the firm. What about the potential impact to customers and business partners? If a breach to the business causes them to lose income or compromises their data, they are likely to file lawsuits alleging financial injury or privacy injury.

Another potential consequence of a data breach is regulatory costs. If the federal or state government investigates the firm to determine whether it has complied with security requirements, the business could face investigative costs as well as fines or penalties.

If the firm collects, stores or transmits private information, it has a cyber security exposure. Fortunately, going on the offensive with three key questions enables companies to address many potential issues before a breach occurs.

1. How Secure Are Information Systems?
The first step is to understand and address potential system weaknesses before cyber criminals find them. Penetration testing is an important tool for doing so.

Penetration testing involves bringing in experts who will scan the computer system, looking for security weaknesses that could potentially be exploited. This testing also typically attempts to exploit those weaknesses to determine the potential for a breach. Because improperly performed penetration testing can be damaging to a system, it’s important to hire an experienced firm with a proven track record. And because threats change so quickly, repeat this testing annually.

2. How Can the Chances of a Data Breach Be Minimized?
A written information security policy essentially is a business plan to help prevent a data breach. The security policy should be tailored to the business and should address:
  • roles and responsibilities of those who are accountable for information security (including both internal and external resources);
  • types of information the business deals with and ways to protect it;
  • expectations regarding how employees should store and disseminate information, as well as information on how those expectations will be enforced; and
  • requirements for mobile devices (e.g., laptops, smartphones and portable hard drives), including encryption and the ability to wipe a device clean if lost or stolen.
The information security policy is only helpful if it’s followed consistently. Employee training can be challenging if workers are typically spread among different jobsites, but it’s critical to ensuring implementation takes place.

3. How Can the Impact of a Breach Be Mitigated?
If a breach occurs, time is of the essence. Creating a detailed incident response plan can help minimize the disruption of the breach, and in turn limit first-party expenses, legal ramifications, regulatory fines and penalties, and potential reputational damage. The plan should include:
  • the names and contact information of those to be notified if a breach is discovered (also known as the incident response team);
  • the specific information to be shared with the incident response team;
  • the factors to weigh when determining the severity of the breach and the response;
  • the steps to take to restore affected systems; and
  • the process for documenting the incident.
The incident response team should include both internal resources and external firms, such as public relations and legal professionals. Update the plan annually to keep contact and other information as accurate as possible.

This step can really pay off. According to the Ponemon Institute, an incident response team can reduce the per-capita cost of a data breach from $217 to $193.20.

Insurance is another key element of the equation. Cyber policies aren’t standardized, so review coverage terms carefully with an insurance agent or broker. Look for an insurance carrier with experience in both the construction industry and in cyber insurance, as well as a commitment to helping minimize the possibility of a loss. Some insurers offer loss prevention and reimbursement for certain measures to help companies better prepare for cyber attacks.
Ken Goldstein is a vice president of global cyber security for the Chubb Group of Insurance Companies. For more information, email goldstek@chubb.com.