2020 Cyber Risk Outlook
Data breaches and hacking are now considered the number one threat facing company executives. Cyber criminals want contractors’ and their clients’ money, intellectual property, financial information, customer data and classified material, and those threats are growing rapidly in both number and sophistication. No set of preventative measures will stop every cyber attack, but the steps a construction company takes before a breach or compromise reduce both the chances of an attack succeeding and the ultimate cost when one does.
LOOKING BACK AT 2019
In order to plan for the future, it is important to review last year’s takeaways. There are a number of actions a construction company should take to bolster its cyber security planning and mitigate cyber risks. Companies need to plan for the inevitable attack and develop an "incident response plan." Preparing a response ahead of time helps companies navigate a confusing and challenging situation. Companies should also update contracts with third-party vendors to require minimum security controls and prompt breach notification, because business partners with access to a company’s systems are a common path to compromise.
Employee training also continues to be a priority investment for every company. Cyber criminals are now using artificial intelligence to build more convincing schemes to steal from a company, and trained employees are the ones who will recognize them. When all of those efforts are still not enough to stop an attack, having proper insurance may be the difference between whether a company shuts down or continues operating.
The addition of more state and international regulatory frameworks is creating even more challenges for construction companies. The mandates for securing cyber data and the consequences of failing to do so can be daunting. The European Union’s General Data Protection Regulation was designed to give individuals control over their personal data, but it also places strict requirements on companies and significant penalties if they fail to follow those requirements. The California Consumer Privacy Act (CCPA) provides Californians with rights relative to their personal information but also creates strict compliance and penalty challenges. More states are following California’s lead, creating an even more complex web that construction executives must understand and navigate. Because one or more of these regulations can apply to a company even without a physical presence in the jurisdiction, identifying which laws apply and building compliance into business operations is now a necessary part of planning.
THREE AREAS OF FOCUS FOR CONSTRUCTION EXECUTIVES IN 2020
Heading into 2020, construction executives would be well-served to spend time focusing on the following three key areas and make sure their companies are developing a response to each:
1. Procedures on handling and responding to ransomware and business email compromise
“Smishing” and deepfakes are real threats against a business. “Smishing” is SMS-based phishing, and it is expected to increase significantly in 2020 because cyber criminals have found that text messages are easy to spoof and bypass the filtering that companies apply to email. The more connected employees are to company systems from their phones, the higher the chance that a compromised text can be used to infiltrate those systems and steal money, data and reputation. Business email compromises are also becoming more sophisticated and expensive. Cyber criminals are now using artificial intelligence to develop more complex and hard-to-detect schemes (deepfakes) to steal from companies. Last year, three U.S. companies reported that cyber criminals used deepfakes to imitate executives’ voices and trick employees into sending money to the criminals. Because these techniques target people rather than systems, they bypass the technical controls currently aimed at stopping them, and the countermeasure is procedural. Taking inventory of where a company is vulnerable to such scams (for example, anyone who can approve a wire or change a vendor’s bank details on the strength of an email or a phone call) allows executives to put verification steps in place, such as confirming any new payment instructions through a separately known phone number, to catch these schemes before the money leaves the building.
Assistance from governmental agencies must be preplanned. Although the FBI reported a 100% increase in reported losses from business email compromise last year, with cumulative global exposed losses reaching $26 billion, it also reported recovering about 75% of the funds in the business email compromise cases it handled, provided the FBI was notified promptly and appropriately. That recovery depends on speed: a fraudulent wire can usually be frozen only within a day or two, before the criminals move the money on, so the reporting contacts and the decision to call should be worked out before an incident rather than during one. Preparing for, and responding to, cyber attacks has become an enterprise-wide necessity, as well as a global opportunity for the business community and government resources to work together to slow the tide of cyber malfeasance.
2. Prepare to implement new laws and regulations
New regulatory frameworks are being enacted by more and more states, and now by more countries. To respond properly to the convergence of these frameworks, construction executives would be well-served by implementing procedures with a macro view rather than individual reactive measures.
In the absence of a federal framework, the State of California has again led the charge in regulating the protection of consumer personal information. The CCPA provides California residents with wide-ranging rights pertaining to their personal data and its use. In order to deliver those rights, however, the CCPA places substantial burdens on companies doing business in California (a business does not need a physical presence in the state) to provide transparency around the collection and use of personal information while also requiring that this same data be protected.
The burning question now is which governmental body will implement the next privacy standard. While Congress struggles to find an acceptable privacy framework, states such as Nevada and Vermont have passed privacy rules of their own, and Washington and Florida have introduced bills similar to the CCPA that could have a dramatic impact on businesses operating in those jurisdictions. The bottom line is this: more privacy legislation is inevitable, and construction executives must obtain counsel on how to comply with the specific rules in each location where they do business.
These regulations affect how the construction industry conducts business. Executives must familiarize themselves with the requirements and develop an internal strategy to comply not only with existing laws but with imminent future regulations as well. Executives should not assume that these regulations will sit dormant until a breach occurs. Rather, the industry must accept that plaintiffs’ attorneys will test companies’ compliance with the regulations and actively bring lawsuits to force compliance and recover damages.
3. Employee access protocol and training must continue to be a priority for construction companies in 2020
In the last five years, ransomware demands have gone from tens of thousands to millions of dollars, and the average cost of a major data breach is now $42 million. More often than not, employees are how cyber criminals get into computer systems: unsecured mobile devices and poor email practices are the leading causes of data breaches. Personal devices are convenient for both the employee and the company, but they also create cyber vulnerabilities. Properly trained employees better protect their devices and email, which dramatically reduces the points of entry available to cyber criminals.

It is also critical that companies protect their systems against their own employees. A recent study found that 34% of cyber attacks involved insiders, whether malicious or careless. Limiting each employee’s access to the systems the job requires, removing access promptly when someone leaves, and logging and reviewing who uses which credentials to reach which systems helps prevent many of these inside jobs and detect the rest. In the event of a compromise, it is important that employees recognize what has happened and act quickly. Build on the incident response plan and practice it company-wide, and teach employees that they all play a central role in both avoiding and responding to a cyber threat or attack.
Construction executives must continue to act to protect their companies from the fast-changing cyber threat landscape. Although these three areas of focus do not guarantee that a cyber incident will be avoided, they will help construction companies limit the impact of successful attacks and reduce the losses that accompany cyber-related events.