Insurance – Cyber risk in construction
DALLAS – By now, everyone has heard about numerous high-profile cyber security incidents over just the past few years. The data breach involving Target is probably the most widely known, but there are plenty of other breaches extremely large in scope, like those involving Sony, Anthem and Yahoo.
The problem is we only hear about these huge multi-billion dollar companies, instead of the thousands of breaches involving small to mid-sized businesses that can have painful or even crippling consequences, because these everyday incidents aren’t newsworthy. However, one cyber security expert says there are two kinds of business owners in this world – the ones that have been hacked and know it, and the ones that have been hacked but don’t yet know it – which may be only a slight exaggeration.
So what do any of these incidents have to do with the construction industry? On the surface, nothing, except for Target, which was actually breached through an HVAC subcontractor. After all, the perception is that the biggest risk falls on medical providers, financial institutions, retailers with customer credit card data, etc., companies that have the largest IT footprint and access to sensitive data. Not only that, clearly none of the companies listed above, and few if any that you may hear about on the news, are contractors. So, once again, why should a contractor be concerned?
Dig a little deeper and the answer is very simple: every contractor with an employee and a computer, every single one, is susceptible to the exact same types of attacks as those that hit the multi-billion dollar companies above, just obviously on a smaller scale. The argument could actually be made that contractors are more susceptible, since their cyber security procedures are, as a general rule, much more relaxed than those in other industries. Let’s take a look at some real-life Texas construction company examples:
• Through a phishing expedition, several unsuspecting employees clicked on a link and entered password information, thinking (incorrectly) that the request had come from the IT department head. This not only resulted in a large personal data breach, it also granted the hackers access to company financial and banking information, bidding programs and strategies, confidential building designs, and potential access to the systems of other businesses.
• Several general contractors have recently experienced fraud attempts to capture pay estimates on their projects. A letter is sent to the owner on the GC’s authentic letterhead, signed by the CFO and with an authentic-looking voided check attached, requesting that all future payments be sent to that new bank account. By the time the owner and GC figure it out, the money is gone. While it happened with GCs and owners, it could probably more easily happen between a GC and a subcontractor.
• The president of a tech-savvy GC went to a two-day, out-of-town business conference. While he was gone, and during one of the presentations, the CFO received an apparent request from the president to wire $42,000 to the bank account of a consultant they had been working with. The email had the president’s salutation as well as his email “style.” Unable to reach the president (the cyber criminals knew this), the CFO checked with the EVP, who confirmed that they had been working with that consultant, so he sent the wire and the money was gone.
The thought that a cyber attack only hits big companies, or only hits medical or financial companies, is naïve at best for contractors and potentially catastrophic at worst. Proactive contractors acknowledge the risk exists, install safeguards that deter attacks and train their employees on cyber security, have preplanned responses if a breach occurs, and have insurance in place to protect themselves on top of the internal procedures. Reactive contractors do not, and are literally a click away from sharing all of their personal and financial data with a cyber criminal.
Jim Zimmermann is vice president of MHBT, specializing exclusively in the insurance and bonding needs of contractors for the past 24 years. He can be reached at email@example.com or by phone at 972-770-1629.