2018 Cyber Risk Outlook: What Construction Executives Need to Know

Unless the world stops using computers, cyber crime will continue to increase in the coming years.
By Jeffrey M. Dennis
December 4, 2017
Unless the world stops using computers, cyber crime will continue to increase in the coming years. Ransomware remains one of the most immediate challenges for most businesses, including construction, given the numerous avenues of intrusion available to cyber hackers.

In addition, expect to see an increase in attacks against building automation. These attacks are of particular concern to construction companies, as commercial builders are faced with the very real proposition that cyber criminals will attempt to infiltrate command and control systems, which could lead to the compromise of security, HVAC, electrical, elevator and potentially other major building components.

An attack of this magnitude may subject commercial builders to significant liability and pose a threat to life safety. Without proper preparation, construction companies may be in the crosshairs of opportunistic cyber criminals looking to exploit weaknesses in cybersecurity systems.

Construction executives should have an understanding of their company’s cyber risks, what their firm has done to protect against an attack, and what additional steps may be needed to avoid a costly cyber attack or breach. Following are four steps that provide a solid starting point for this exercise.

Identify the Company’s Digital Assets

Every construction company possesses data and information that must be protected—whether it is confidential employee or customer information, or trade secrets and other information that provides a competitive advantage. Some, if not all, of this information is stored electronically. Identify the information and its exact location within the business’ computer system.

Examine Existing Security Measures

Once the information is identified, determine what, if anything, is being done to protect it. An honest examination of existing internal technological security systems is critical.

  • Is the computer system protected by a firewall?
  • Are internal human resources files encrypted?
  • Is inbound and outbound network traffic monitored for anomalies?
  • Are physical files secured in a confidential manner?

While this is a daunting task to someone untrained in cybersecurity, a variety of resources exist to assist. In addition to cybersecurity vendors that specialize in this analysis, several governmental entities have identified guidelines, or minimum standards, that should be met to protect against cyber crime. The National Institute of Standards and Technology has issued a set of guidelines known as the “Framework for Improving Critical Infrastructure Cybersecurity” to help organizations manage cybersecurity risk. At the state level, the New York State Department of Financial Services recently released a comprehensive set of cybersecurity requirements.

Although construction companies are not yet required to comply with all of these standards, they provide steps that should be considered to protect against cyber attacks. In addition, should a breach occur and litigation ensue, a court may look to these standards as a baseline from which to determine whether a company took appropriate action to protect against a cyber attack.

Train Employees Rigorously

The importance of training employees as the first line of defense against a cyber attack cannot be overstated. Employee mistakes are routinely the way cyber criminals launch cyber attacks.

Given the proliferation of ransomware attacks, it is imperative that all employees are trained on how to avoid a cyber intrusion. Attacks come in various forms, such as phishing and social engineering, and from various sources: fake emails, compromised links, or enticing social media click-throughs. Any one of these could lead to cyber infiltration or the launch of a damaging ransomware attack, all of which could have expensive consequences.

To reduce the risk from these attacks, a comprehensive training program should be instituted. Have a professional train and test employees, in person or online. Employees who fail these tests get remedial training. This training program should be ongoing, consistent and measured.

Set Contractual Expectations and Obtain Insurance Coverage

Incorporate specific cyber-related external risk management strategies to shift the risk of an attack away from the company. A business can have the best internal security and training program, but it’s still vulnerable if a vendor with access to its computer system does not.

Contracts with vendors and subcontractors should set forth specific requirements that must be followed to ensure they are not a cyber risk. Contracts also should require a vendor to indemnify the company in the event a cyber event occurs.

As a fail-safe, seriously consider managing risk through the purchase of a cyber liability insurance policy. Comprehensive cyber insurance can protect the company and act as a safety net should all other efforts fail. As cyber insurance policies evolve, carefully analyze any policy to ensure that appropriate coverage is provided.

The cybersecurity landscape is vast and changes quickly. Following these steps will put a company on the path to avoiding a damaging cyber attack and managing risk in the event a breach occurs.

by Jeffrey M. Dennis
Jeff Dennis is a Partner and the Head of Newmeyer Dillion's Privacy and Data Security practice. He advises his clients on a multitude of privacy and cybersecurity related issues, including proper preparation, compliance, risk avoidance and breach response – with the goal of advancing his clients’ business interests through the implementation of a strong privacy and data security governance structure. 
