Written by Stephen E. Yoch, Felhaber Larson
The worldwide COVID-19 pandemic and wide stay-at-home orders have not resulted in a pause on the need for cybersecurity. Indeed, cybercriminals are more active than ever, exploiting companies’ understandable distraction in addressing the challenges of the pandemic.
The requirements of cybersecurity remain the same and it is more important than ever that builders remain diligent.
Do builders need to worry?
Many builders and small businesses see themselves as a “little fish” that cybercriminals won’t bother to attack. The news is filled with major companies being victims of cybersecurity attacks. This can create a misperception that builders are not vulnerable.
There have been major construction industry security breaches. The use of Building Information Modeling and Virtual Project Management software have made construction projects increasingly vulnerable to cybersecurity attacks. One recent study noted that the highest percentage of phishing attacks, including spam, went to construction-related industries.
Many people believe that the construction industry is less vulnerable because it deals more with “tangible items” rather than digital information. However, construction companies have increasingly created virtual construction tools for design, project management, and customer tracking. In an increasingly automated environment, payment information, designs, and customer information are ripe for cyberattack and ransomware breaches.
30% of real estate executives with one or more properties have experienced a cybersecurity event in the last two years, and 50% of the real estate industry says their organization is not adequately prepared to mitigate a cybersecurity attack. Yet, only 5% of respondents noted cybersecurity threats as a serious risk to their business. 77% of executives in the construction, engineering, and infrastructure industry said they have experienced a cybersecurity incident in the last 12 months.
One crucial thing to remember is many cybersecurity incidents are caused by ex-employees, not cybersecurity criminals. Ex-employees were responsible for a third of all cases of fraud. Common targets for cybersecurity attacks against construction companies are customer records, employee records, and physical assets/money.
Contracting to limit the threat
THIRD PARTIES – VENDORS. When a third party causes a data breach, the cost increases by $13 per compromised record. Thus, it is crucial that companies look not only to their own vulnerabilities, but also attempt to minimize risk caused by third-party providers and vendors.
SYSTEM AND PLAN REQUIREMENTS. Simply imposing contractual obligations for indemnity may be insufficient as the vendor may not have sufficient wherewithal to actually protect the indemnified party from risk. Thus, it is crucial
that companies seek detailed information about the vendor’s security processes, firewalls, and encryption. This ideally should include the vendor’s own internal risk assessments, and whether or not the vendor has met the standards set by NIST, SSAE 16, or the ISO.
INDEMNITY PROVISIONS. Companies often demand that a vendor “indemnify and defend” the company from any and all losses, damages, or risks as a result of a cybersecurity breach. Unfortunately, such broad indemnity obligations, while legally enforceable, do not protect the indemnified company from the harm to its business and reputation, and, in many cases, the vendor may simply be unable to meet the financial obligations and liability stemming from the promise contained in the indemnity.
PRIVACY. Some laws require clear agreements by and between parties to protect personal private information and vendors. For example, HIPAA requires that covered entities ensure HIPAA compliance in a Business Associate Agreement, and parties otherwise in possession of PII can also be subject to required contracts.
RIGHT TO AUDIT. All third parties/vendors should be subject to a “right to audit” provision, which subjects to review any of their records, data, or other information that may be impacted by the sharing of private, confidential, or sensitive system information.
TESTING AND SECURITY REVIEW. Vendors and third parties should be subject to penetration testing and security information reviews to ensure system and data integrity.
INSURANCE LIMITATIONS. There is no “industry standard” cyber insurance policy. Companies with insurance protection save on average $4.8 per record breached. As the nature of the cybersecurity threat evolves, insurance companies and their products are attempting to assess the risk and create appropriate coverages.
Investing in security
HARDWARE. Making sure the network is protected from physical (i.e. criminal) intrusion or theft.
NETWORK. Investing and maintaining up-to-date system security is key:
• Password protection
• “Access” limited by need
• Access information and authentication
• Firewalls
• Intrusion detection systems
• Antivirus software
ADOPTING A RISK SECURITY FRAMEWORK: Hire an outside company to do a Risk Assessment and adopting an appropriate Incident Response Plan. Builders should strongly consider following the risk security frameworks and providing third parties assurance it is following proper risk remediation procedures.
TRAINING. For phishing attacks in particular, training is often the best defense from employees unwisely clicking on links
or questionable documents. In any event, employees should be trained to immediately notify their IT staff if they have inadvertently clicked on malware.
Unfortunately, viruses are not limited to the pandemic. Now more than ever cybercriminals are looking to attack builders. The health of employees and a functioning computer system require diligence and the investment of time and money.
Written by Stephen E. Yoch, Felhaber Larson
Stephen Yoch is a partner at Felhaber Larson and has been representing builders and developers for over 20 years. Over the last decade, he has developed expertise in cybersecurity, focusing on construction companies. He received a cybersecurity certificate from Mitchell Hamline Law School in 2016.
