“It won’t happen to us, and companies in our industry are not a hacker’s target.” 

That’s an outdated notion in an age when, according to security experts, roughly 4,000 ransomware attacks take place every day. In 2017 alone, the cost to companies is expected to exceed $5 billion, and that figure accounts for just one of many types of cybersecurity threats.

Construction and surety companies can reduce the risk of a cyber-attack by implementing the following preventive measures.

Review Data and Identify Weaknesses
Start with the firm’s data and consider what losing it, or losing control of it, would mean. Any software a construction company uses that connects to the internet or is remotely accessible, from project management or design and modeling tools to payroll and banking applications, is a possible data breach target.

Companies should ask:
  • Is this data sensitive and/or confidential?
  • How is it stored, and who can reach it?
  • Does it need to be kept, and for how long?
  • What if a cyber-criminal held it for ransom?
  • What is the impact to the business if this data is stolen?
  • What if the data is stolen by an insider? Intentional or unintentional acts by employees present a danger. Limiting who has access to sensitive data to those who need it for their jobs is a first step in mitigating the insider risk.
Once a company has identified the types of data it has, cybersecurity professionals can help implement plans that mitigate the risks of lost or stolen data, including a response plan for a data breach. That breach response plan belongs in the company’s business continuity plan, alongside the plans it already keeps for disruptions caused by a weather event or other disaster.

Develop Cybersecurity Processes and Procedures
Widespread phishing, spoofing and other social engineering scams fool users into letting their computers and the company network become infected. Training personnel to recognize suspicious emails, websites and links is very important. Training them to use strong, unique passwords, and to understand the value of regular backups that are kept out of reach of the machines they protect, will go a long way toward minimizing a company’s losses. Untrained employees are more likely to engage in dangerous behavior, such as sharing passwords or clicking on links in phishing emails.

The best training is through simulated cyber-attacks or social engineering attempts. A simulation tests the effectiveness of a company’s employee training and its incident response plan, and often reveals weaknesses that would otherwise have been missed. Additionally, for surety and other highly regulated industries, regulators are beginning to expect companies to put information security best practices in place.

Companies may think that keeping systems updated is the IT department’s job, but every employee needs to participate. When those pesky little pop-ups announce that software updates are available, it’s very convenient to click the “remind me later” button. But when later comes, some employees never install the updates or restart their computers. Among other things, these updates close known security holes that malware exploits, and because hackers come up with new malware all the time, installing them promptly can be critical to a company’s security. IT departments should verify that updates were actually applied rather than assume that they were.
 
Having written processes and procedures in place, and checking that they are followed, ensures a company is adequately protecting itself against cybersecurity threats.

Cybersecurity in a Highly Regulated Industry
Surety is a property and casualty insurance line and therefore subject to insurance regulations at the state and federal levels. Congress and state legislatures have enacted numerous laws to help protect the privacy and security of confidential and personal consumer information.

Most states require some form of pre-breach security measures for protecting consumers’ personal information. Generally, those requirements call for reasonable practices, procedures or safeguards to prevent unauthorized access, use, modification or disclosure of this information.

State governments also have enacted breach notification laws that require the disclosure of a data breach to any person whose personal information was involved. The language generally states that the trigger for notification is whether the data is reasonably believed to have been used, accessed or acquired by an unauthorized person. These laws generally require that notification be made without unreasonable delay, and some set a specific deadline. With situations such as the recent Equifax data breach, what counts as unreasonable delay is still being argued.

Keeping up with cybersecurity will continue to be challenging for lawmakers and insurance companies alike. As such, a proactive, thorough approach is recommended.

Brad Rasmussen is chief information officer of Merchants Bonding Company, Des Moines, Iowa. For more information, visit merchantsbonding.com.