The Digital Revolution
A quarter century ago, the routine daily use of digital technology to store data was limited to the tech-savvy individual and specialized business applications. Since that time, the digital industry has witnessed what may be the most dramatic leap forward of any industry in modern times. Today, every industry relies upon digital technology, whether it be an iPad to swipe a debit card at your favorite restaurant, a warehouse thermostat automatically lowering to take advantage of off-peak hours, or the technology employed to scan the skies for threats against our country. Unfortunately, opportunities to exploit this technology have progressed at nearly the same pace, and many businesses do not have a plan to combat the threats.
The construction industry has become dependent upon digital technology, and as a result, it has become a very appealing target for cyber crime. The increased dependence is a result of two major trends within the construction/contracting industry over the past ten years. First, contractors are taking an expanded role in project design. Historically, contractors approached a project via the design-bid-build process, where the major project roles and respective liabilities were segregated, or executed under different contracts. Under the design-bid-build process, the architect and engineers design the project and put the project out to bid for the construction phase, thereby separating a technologically intensive portion of the project from the contractor’s liability.
However, to streamline the process and increase profits, the construction industry now employs the design-build process. Within the design-build model, the contractor will either design in-house or contract for the design and engineering services. Either way, design-build includes the technologically intensive design phase and places the contract and resulting liability on the construction contractor. According to the 2016 report “New Business Models, Technology Raise Professional Liability Risks for Contractors,” issued by major insurer Chubb, the design-build process accounted for 29 percent of the non-residential market in 2005. By 2014, more than fifty percent of all non-residential projects over $10 million were performed under the design-build platform.
The second trend, and most obvious, is that the construction industry has embraced digital technology not only in design and engineering applications, but in daily operations as well. Vital information such as employee data, bank transactions, privileged client correspondence and proprietary customer building plans are now routinely transmitted over contractor networks and employee mobile devices. The disruption of this data transmission could easily bring operations to a halt.
The standard construction industry applications Building Information Modeling (BIM) and Computer-Aided Design (CAD), which allow the sharing of building plans and other schematics between engineers, architects, contractors and subcontractors, are now prime targets for cyber crime. The Chubb article also reports that the global BIM market is projected to expand from $2.6 billion in 2013 to $8.6 billion in 2020. As a result, hackers are showing interest in building designs and are writing malware specifically to target CAD and BIM applications. This phenomenon is possibly best evidenced by an article in The Sydney Morning Herald from 2013, in which hackers were credited with the theft of “top-secret” floor plans of the newly constructed Australian Security Intelligence Organization (ASIO) headquarters in Australia.
Further, industry website Construction Dive posted an article entitled “A Future ‘Hot Target’ for Attackers: How Construction Companies Can Improve Cybersecurity,” stating that the go-to crime for cyber thieves is phishing, accounting for 90 percent of all cyber-attacks. Phishing is a cyber-attack in which the perpetrator e-mails or contacts employees via similar peer-to-peer portals, hoping to obtain valuable information such as bank account numbers or social security numbers that will allow the criminal to commit further crimes. The same report states that in 2015 alone, the use of ransomware grew 400 percent. A ransomware perpetrator gains control of your network by installing malicious software that blocks the victim’s access. Only upon cash payment, or ransom, will you be “allowed” to access your digital data and resume operations.
Technological advances have provided determined criminals with exponentially more opportunities to perpetrate crime across the globe. What can be done? The good news is that there are ways to counteract the threat of a cyber crime.
First and foremost is preparation. You should forecast and plan for any and all scenarios that may pose a threat to your business. Everything from market fluctuations to warehouse fires has been anticipated, and a plan is likely already in place at your company. The same principles and processes should be applied to cyber-attacks.
How to prepare? First, understand your information. What kind of information do you have? Where is that data stored? This is a good time to determine who, if anyone, is in charge of securing your digital information. From there, determine who can access what information on a “need to know” basis.
Determine what information is most important. Once a hierarchy is established, you can then segregate the information in the hope that a successful attack would be contained.
Most importantly, pay attention to the facet of your business most vulnerable to an attack—the employees. The bulk of today’s cyber crime is aimed at individuals. It is very important that all employees know and understand your electronic data security policy. Teach employees to identify and report suspicious activity. Create a culture within the organization that makes it easy to adhere to the security policy, because an employee will only report dubious activity if they are certain there will be no repercussions to them personally. Help employees understand that even if they made a mistake, they should report and correct it before it becomes a much larger problem.
Where to get help?
As the Digital Age progresses, the need to develop and manage your business’s cyber security program only becomes more important. First, meet with your CPA and determine your cyber security budget. Once your budget is established, a data security professional should assess your needs and prepare a digital security framework unique to your situation. After your needs have been identified and measures taken to meet those needs, an insurer with construction industry expertise will identify areas of risk and the best insurance product(s) to mitigate that risk. There are many highly specialized insurance policies covering many forms of cyber-crime. Finally, plan to periodically review your cyber security program to identify new risks or address risks within the existing framework. Remember, in the world of cyber crime, the cyber-crook only needs to be right once. You have to be right all the time.