October 2, 2019
A breach or hack of a construction company’s computer systems is one of the single greatest threats facing the construction industry today. A breach can result in loss of income, loss of clients, loss of trust by the public and even the loss of the entire business.
Because it is impossible to eliminate completely every cyber threat, robust risk management of a cyber security threat is key to the health of the construction company.
A major part of cyber risk management is the drafting and implementation of a cyber security plan. Like most things in life, one size does not fit all. The plan must be tailored to the facts and circumstances of each individual company. Finding the right place to start may even be confusing and, at times, daunting. The first step is to engage the services of an attorney who knows the business, the construction industry and relevant technologies, and who is experienced with cyber security and data privacy law. The attorney can then engage a forensic computer consultant, as necessary. The attorney will work with the company’s C-suite executives, IT persons and key managers to institute a cyber security plan that is right for the company.
SIX STEPS TO AN EFFECTIVE CYBER PLAN
Step One – The Evaluation of the Systems
Like any major project, before diving in, an assessment must be made of the “lay of the land.” This assessment involves a thorough evaluation of where the company falls on the spectrum of readiness to fend off a cyber-attack. This in-depth evaluation will look at, among others, the following:
Step Two – Identifying the Major Assets
In addition to identifying whether certain protections are in place, the company must identify the information that is especially sensitive and confidential and record where such information resides on the company’s systems. This includes anything from the personal information (social security number, health information, bank account number, etc.) of the company’s personnel to certain plans and specifications for certain high-tech or government building projects. Once those assets are identified, the plan can implement certain extra procedures (additional cording off such information, placing the information on a hard drive that is not continually attached to the internet, etc.) to provide a higher level of protection from the breach.
Step Three – Identifying the Major Players Required in the Event of a Data Breach
Such personnel must include at least the following personnel:
Step Four – Identifying Whether Cyber Insurance Is in Place
This first involves the determination of whether the construction company has a cyber insurance policy in place. If not, an insurance broker who specializes in cyber insurance for construction companies (usually the company’s broker for its CGL, Builder’s Risk insurance) should be contacted. The company should work with the broker to put in place a cyber policy that is right for the company. Like the cyber plan itself, there is no one size fits all. The insurance policy should be tailored to factors such as the size and geographic location of the company, the amount of sensitive information that the company has, the amount of risk the company wishes to bear, the amount of the deductible for the policy, among others.
Step Five – Writing the Plan
Once the above factors are investigated, the company can move ahead to place its plan in writing. The plan, like any other corporate policy, should have a section explaining what the plan is, why it is being implemented and what the company hopes to achieve from the plan. Once the preliminaries are set out, the written plan can proceed in three parts. The first part should identify and summarize the investigation to date (as described above) and the short and long-term goals in attempting to minimize the risk of a cyber-attack. The plan should be an evolving document that is supplemented and amended as new information comes into play.
The second part should focus on instituting a series of educational seminars for all company employees on, among other items, the use of email, the dangers of opening or clicking on links that are not safe and the warning signs of phishing for information from hackers. The seminars should also focus on common indications of a fraudulent email, such as non-traditional English (or other language), incorrect tenses, incorrect use of words, a strange email sender address and unusual requests to purchase gift cards or wire money. The seminars should aim to create a kind of “security environment” in which all employees participate. The seminars should also reinforce the idea that a “chain is only as strong as its weakest link” and that to be successful in fending off attacks, all employees must be both knowledgeable and vigilant.
The third part of the plan should focus on exactly what the construction company should do on “game day”—the day a real breach is identified. The procedures should identify items such as to whom a possible breach should be reported and, from there, the personnel that must be identified and in what order. The plan should also identify a person to be “in charge” of the entire breach handling situation. The plan should also identify the preliminary steps that the identified group should take in the event of an actual breach. Such steps include:
Step Six – The Closing
The plan should also provide for a “lessons learned” section. This section would be populated after:
While no plan will be perfect from the start, constant practice runs and revisions will keep the plan up-to-date and reduce (somewhat) the time and money, as well as the tension, which will be expended when a real breach occurs. Such proactive risk management will pay off in spades.
For additional information on cyber security, see The Nightmare Scenario: What to Do When Systems Are Hacked.
Reposted from constructionexec.com, October 2, 2019, a publication of Associated Builders and Contractors. Copyright 2019. All rights reserved.Back to P&A News