Cyber risk management is a hot topic for businesses across all industries; many high-profile breaches at financial institutions, healthcare organisations, law firms and IT companies have been in the media. The construction industry is no different and is definitely on the radar of cyber criminals.
In a piece written for VirginiaBusiness.com, Collin J. Hite, leader of the Insurance Recovery Group and the Data Privacy and Security practice at Hirschler Fleischer, says, “The situation is getting so bad that businesses, large and small, finally are realizing that the question is not if they will get breached, but when. The construction industry is not immune from data breaches.”
Difficulties facing the construction industry
For many construction industry decision makers, there is a mistaken belief that their organisations are not at risk because their business does not deal with the general public, have an online presence or handle large amounts of credit card information. While some may not consider construction to be a target, cyber criminals can see the vulnerabilities. Construction firms have access to large amounts of information, such as confidential employee information, intellectual property, project plans and drawings, financial data and accounts, and contractor details.
Traditionally, workers in the construction industry haven’t had to bat an eyelid regarding cyber security, which has contributed to an overall lack of security awareness and training, and to skepticism towards cyber risks and insurance.
The Internet of Things is also presenting new challenges for the industry as terrific new equipment and methods are created with connectivity in mind. For example, internet-connected field equipment which can be remotely controlled is hurriedly implemented for its efficiency, but less forethought is given to the security of these devices.
High Profile Incidents
Let’s take a look at some major cyber incidents which were targeted at various areas of the construction industry.
“The attackers got access to login credentials for Target’s computer network from one of their vendors, Fazio Mechanical. An employee fell victim to a phishing scam that allowed malware to be installed on the company’s computers. Fazio had access for electronic billing, project management, and contract submission and not because they were remotely monitoring and controlling any of the HVAC and refrigeration systems at any of their stores.”
“Multiple sources close to the investigation now tell this reporter (Brian Krebs) that those credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.” Krebs on Security.
German Steel Mill
The German Federal Office for Information Security (BSI) detailed in a report that attackers used booby-trapped emails to steal logins that gave them access to the mill’s control systems. This led to parts of the plant failing and meant a blast furnace could not be shut down as normal. The unscheduled shutdown of the furnace caused the damage, said the report.
In its report, BSI said the attackers were very skilled and used both targeted emails and social engineering techniques to infiltrate the plant. In particular, said BSI, the attackers used a “spear phishing” campaign aimed at particular individuals in the company to trick people into opening messages that sought and grabbed login names and passwords. The phishing helped the hackers extract information they used to gain access to the plant’s office network and then its production systems.
Once inside the steel mill’s network, the “technical capabilities” of the attackers were evident, said the BSI report, as they showed familiarity with both conventional IT security systems and the specialised software used to oversee and administer the plant.
Turner Construction was the victim of a spear phishing scam in March when an employee sent tax information on current and former employees to a fraudulent email account. Hackers spoof the “From:” field in an email to make it appear to come from a trustworthy source, say, from your CEO or CFO. Typical spear phishing scams include messages requesting personal information on employees such as names and addresses, tax details, corporate banking account information, or login credentials.
In the case of Turner Construction, the information provided to the fraudulent email account included full names, Social Security numbers, states of employment and residence as well as tax withholding data for 2015. All employees who worked for the company in 2015 were affected by the data breach. Turner, which is headquartered in New York, is one of the largest construction management firms in the U.S. with offices in 24 states.
Cyber Insurance Can Help Protect Your Business
The cyber insurance market has already seen a surge in demand for standalone cyber liability insurance policies as a direct result of the Notifiable data breach regulation, which is set to begin from February 22nd 2018. A cyber insurance policy can protect against many potential incidents, including loss of data, cyber extortion, business interruption, identity fraud and malicious data damage.
A good policy will also cover defence costs and the cost of public relations experts, which is very important when considering reputational damage and loss of business which a data breach is shown to cause. A recent study showed that following a data breach or cyber attack, stock prices fall an average of 5%. Thirty-one percent of consumers impacted by a breach stated they discontinued their relationship with an organization that had been breached, and 65 percent lost trust in that organization.
Current scams and prevention methods should be regularly circulated for employee knowledge. There are a number of third parties offering a wide range of solutions, such as All Secure IT Services, which offers customised managed services for all IT needs, or DDM Security Systems, which offers email security and encryption solutions.
One email can breach the entire network. As a result, we suggest getting employees to subscribe to and follow Cyber Insurance Australia on LinkedIn and Facebook for regular updates, or to join the monthly newsletter at cyberinsuranceaustralia.com.au.
Contact us on 1300 462 923 to discuss insurance options today.