Construction contractors can spend their entire career bidding work, managing projects and handling cash flow issues, all while on the way to a banner year. Then it happens! A cyber-attack occurs, setting the company back thousands of dollars, taking the focus off the job at hand and wasting untold man-hours. This is just the beginning of the concerns with cyber breaches, and the risk only escalates from here. There are numerous threats to a company’s cyber environment. We drill down into three areas that many overlook, with useful advice to prevent attacks from occurring.
Employees have access to the company’s network and can inadvertently open a malware or phishing email, innocently allowing a hacker into the system. Many companies have internet access in the construction trailer on the job site. When employees are too busy to head back to the trailer, they might connect to a random area hotspot to share pertinent job information. Hotspots can be an open door for hackers trying to gain access to your system. Hackers have been known to call employees pretending to correct a computer-related issue while gaining access to all of the company’s data. Establishing protocols, training employees and testing lessons learned will help ensure you have a strong team. Implementing tools to limit remote access from unsecured networks or adding dual identification systems will also help increase protection.
Subcontractors or Vendors
Even with completed internal network risk assessments, data protection tools and instituted network policies and procedures, companies are still at risk if subcontractors and vendors are not protected. This third-party risk adds complexity because subcontractors and vendors need access to the company’s internal platform to share and maintain job information. A well-known example involving a breached subcontractor is the Target breach of November–December 2013. The retailer had granted network access to an HVAC contractor to test and monitor the HVAC systems. The contractor had unknowingly been breached before working with the store, and when Target granted the contractor access, the hacker gained access too! The situation could have been avoided had the network been segmented. It is important to know what data you have before you can determine the best way to protect it. In the Target breach, their point of sale system was on the same server as their HVAC system.
Following the breach at Target, their stock prices dropped 10 percent [1]. The CEO was fired and 47 of the 50 states, including the District of Columbia, had to resolve settlements [2]. The retailer had to pay ten million dollars in class-action lawsuits in the first year alone, not including the 67 million dollars paid in settlements involving Visa card customers [3]. In all, Target incurred more than 250 million in damages [4]! Can any company really afford a loss of this magnitude?
Direct Outside Threats
A third area not to overlook is the direct attack. With Target, the original threat came through vendor access, but after carefully plotting and planning with the entire network at their fingertips, hackers ultimately attacked Target’s system directly and compromised the point of sale system. In another example, a contractor was waiting for payment on an ongoing contract, but for some reason the agreed payments were delayed. After more than two months had passed, the contractor called the institution and discovered that all the payments had been made, but to the new payee as advised. The institution had received an email that appeared to come directly from the contractor explaining the new payment instructions, and they did not know the new payment advice was fraudulent! In situations like these, blame can immediately be placed on the wrong party.
Many insurance providers are denying claims if the organization has not implemented appropriate cyber controls, or if they have not had an ongoing periodic risk assessment performed to show due diligence. Additionally, contractors and subcontractors may be required to comply with the Defense Federal Acquisition Regulation Supplement (DFARS), which required compliance by December 31, 2017. In both cases, action must be taken to evaluate systems and reduce the risk of a security incident so the business does not incur significant financial losses and a destroyed reputation.
Reduce your risk factor by performing a data mapping exercise and having a risk assessment completed. This exercise will help determine what data you have, how it interacts with your system and where data resides while in motion and at rest within your organization. As technology continues to expand and become more sophisticated, there will be new ways to hack into systems. Safeguards that constantly assess new threats and vulnerabilities will help companies of all sizes reduce the chances of a cybersecurity breach.
Don’t let your company be a target for a cyber attack. Talk with a financial advisor who has IT and risk assessment experience or reach out to PBMares to learn how you can keep your business safe and protect your reputation.
[1] Harvard Business Review, Why Data Breaches Don’t Hurt Stock Prices, March 31, 2015
[2] The Baltimore Sun, Target agrees to pay $18.5 million to prevent future data breaches, May 23, 2017
[3] Reuters, Target in $39.4 million settlement with banks over data breach, December 2, 2015
[4] Washington Post, Data Breach hits Target’s profits, but that’s only the tip of the iceberg