
Site Security



The construction industry is joining other sectors on the road to digital transformation, and with that cyber risks naturally increase. The COVID-19 pandemic is exacerbating those risks, as would-be fraudsters take advantage of the disruption. Fortunately, mitigation tools, employee education and cyber insurance can minimize those risks.



Now that many administrative employees are working remotely from their homes and jobsites have been modified to abide by COVID guidelines and restrictions, the necessary modifications have led to a greater interest in technology within the industry, says Ken Wengert, second vice president and regional director of construction, energy and marine risk control at The Travelers Cos., a member of multiple AGC chapters.

“However, as more contractors invest in technologies that can help them improve operations and safety on the jobsite, and enable some to work from home, the opportunity grows for cybercriminals who may be looking to do harm,” says Wengert, who is based in Albany, New York.

One potential cyber risk: Employees accessing the construction company’s systems from home on their personal devices might unwittingly open the door for allowing fraudsters to listen in on conversations after hacking into the devices, says Nikki Ingram, cyber security risk engineer at Zurich North America, based in Schaumburg, Illinois.

“Companies can install a virtual private network — be aware, however, that sometimes the bandwidth gets very sensitive and loses connection,” Ingram says. “While some vendors just tell companies to reduce the security in order to increase bandwidth, we do not recommend that — that move opens up businesses to increase risk of cyber attack.”

In addition to its own risk mitigation efforts, Zurich, a member of multiple AGC chapters, offers access to pre-vetted cybersecurity vendors that have the resources to help protect customer data when their employees work from home, including training to spot social engineering attempts.

The pandemic has also necessitated specialized business continuity plans to handle unexpected things like office shutdowns and staff working remotely from home, Ingram says. Contractors need to plan for how these employees will share information remotely to staff at project jobsites that might still be ongoing, or to project partners including owners, subcontractors and suppliers — and how that information can remain secure.

“For the backend of the pandemic, contractors need to plan for how they will safely transition back to their offices, whether that be in a stepped hybrid process where some staff return to office and others remain remote,” she says. “It is important that policies are established for these transitions, such as if employees plan to use a USB memory stick to download and transfer data from their personal devices to office computers, they should buy a fresh USB so that it’s clean and not corrupted by any malware or ransomware.”


One social engineering phishing scam related to the pandemic looks like an informational email from an official agency, such as the Centers for Disease Control, about the COVID-19 virus and the workplace, says Robert Douglas, president of PlanetMagpie, an IT consulting and services firm headquartered in Fremont, California.

The email asks the contractor to sign up to receive ongoing information using their work email address and password, says Douglas, who is based in the company’s Dallas office. However, in reality, the fraudster is using the contractor’s credentials to obtain access to the contractor’s email account to get to the company’s contact list — phone numbers and email addresses of all of the people the firm does business with.

“Next, the cybercriminal emails those contacts, posing as you, the contractor,” Douglas says. “If the target is an accounts payable person at another company, the fraudster might demand they pay a late invoice — which is totally fake. If the target is an administrative assistant, the cybercriminal might pose as the company’s owner and tell them, ‘Hey, I’ve got this big deal — I need this much wired to close the deal.’ Or, if it’s holiday season, they might tell the assistant, ‘Please order 50 $100 gift cards and send them to this address.’”
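A defender-side illustration of the scam Douglas describes, added here and not part of the article: a small screening heuristic that flags the three lures he lists (a late invoice, a wire to close a deal, gift cards) alongside an owner's display name on an outside address and a diverted Reply-To, the two mismatches that typically accompany mail sent from a hijacked or look-alike account. The company domain, the owner's name and the sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the company's mail domain, the owner's display
# name, and the phrases that signal the lures described above (late invoice,
# wire to close a deal, gift cards). None of these come from the article.
COMPANY_DOMAIN = "example-contractor.test"
EXECUTIVES = {"pat owner"}
LURE_PHRASES = ("late invoice", "wired", "wire transfer", "gift card",
                "close the deal", "new account number")

def score_message(raw: str) -> dict:
    """Return heuristic BEC indicators for one RFC 822 message text."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    # Owner's display name on an address outside the company domain
    if name.strip().lower() in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        reasons.append("executive name on external address")
    # Reply-To steers answers away from the (possibly hijacked) visible sender
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append("reply-to domain differs from sender")
    if any(p in text for p in LURE_PHRASES):
        reasons.append("payment or gift-card lure")
    return {"from": addr, "score": len(reasons), "reasons": reasons}

def hold_for_verification(raw: str) -> bool:
    """Two or more indicators: hold the message and verify by phone."""
    return score_message(raw)["score"] >= 2

# Constructed sample messages (not real mail): owner impersonation from a
# free-mail address, a routine vendor note, and a late-invoice demand from a
# compromised internal account with a diverted Reply-To.
SAMPLES = [
"""From: Pat Owner <pat.owner@freemail.test>\nSubject: Quick favor\n
I've got this big deal closing today. I need $48,000 wired right away.
""",
"""From: Accounts <ap@vendor.test>\nSubject: Pour schedule\n
Attached is the updated pour schedule for next week.
""",
"""From: Pat Owner <pat.owner@example-contractor.test>
Reply-To: pat.owner@freemail.test\nSubject: Late invoice\n
Please settle the attached late invoice by end of day.
""",
]
```

A held message is not a verdict; it is a prompt for the recipient to confirm the request over a known phone number before any payment or purchase is made.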

Fraudsters often target contractors because their workforce tends to be somewhat decentralized, spread across offices and trailers, and less apt to have formal cybersecurity training, he says. Many contractors also see IT purely as an expense, which means they may skimp on security measures like firewalls, email filtering and cloud backups.

Contractors need to train their employees on how to spot and reject social engineering attempts, most commonly sent via email, Douglas says. Most of PlanetMagpie’s customers in the financial, biotech and manufacturing industries provide their employees with cybersecurity training on a yearly basis at a minimum. However, not many in the construction industry conduct such training.

“IT can only do so much, even with the best security measures,” he says. “All it takes is a single click on a malicious link in an email — and malware can encrypt your workstations and network devices, causing permanent loss of your company data. Employees must receive training on how to look at an email and figure out whether it’s fake or not.”

During training, PlanetMagpie walks employees through all the different ways their network and their computer can be infected or attacked, and how to determine if an email is malicious. If they are ever unsure, they should always contact IT support.

“It’s important to train employees ASAP,” Douglas says. “Ransomware attacks have gone up 150 to 200 percent since the start of COVID lockdowns, taking advantage of employees working from home, increasing the available ‘area’ cybercriminals can attack.”


The two most common challenges that contractors face are with ransomware and business email compromise attacks, says Dan Zastava, director of corporate underwriting and product development at Sentry Insurance based in Stevens Point, Wisconsin.

Ransomware is a malicious software that restricts access to files on an infected machine — usually by encrypting them — and then demands ransom payment in exchange to restore access to the files, Zastava says. Common attack methods include file downloads or malicious links through email, remote attacks on servers and malicious email attachments.

“In contrast, business email compromise is a form of cyber crime that leverages email methods to trick victims into transferring money or other goods to a perpetrator instead of the intended recipient,” he says.

One of the main motivations for targeting a construction site is the theft of intellectual property, such as blueprints that could provide intelligence a criminal would need to defeat the physical security in the future, says Corey Nachreiner, chief technology officer at WatchGuard Technologies in Seattle. Another could simply be compromising the supply chain to divert payments or extortion via ransomware.

“Most cybercriminals just want to make money, and ransomware is very effective at getting companies to pay extortion by locking up digital assets that are required to do business,” Nachreiner says. “If you use IT technology for things like blueprints, and you don’t have hard copy backups, ransomware could significantly disrupt your ability to work at a site.”

To protect against this, construction companies should invest in employee education — teach all managers, employees and contractors to identify phishing attempts, flag suspicious emails, calls, or wire transfer requests, and not click on every link they receive, he says. Contractors should combine this education with technical security controls like advanced malware protection products that can identify even the newest ransomware, and domain and URL filtering solutions, which will prevent users from reaching bad sites even when they accidentally click the link.

Contractors are also more vulnerable due to the increased use of ruggedized tablets and smartphones in the field, Nachreiner says. Regularly update these devices, change their stock passwords and assess them for potential compromises. “Ultimately, the more digital technology you use on the jobsite, the more cyberattack surface there is for malicious actors to target; especially if those technologies are connected wirelessly,” he says.

For more traditional devices, like ruggedized laptops or tablets, contractors should make sure to install a full endpoint protection suite that protects the device directly, no matter where it is in the world, Nachreiner says. If they are using computers, printers and other computing devices on a jobsite, contractors need to secure them the same way they do at their office by deploying a firewall, leveraging other network security services, installing endpoint anti-malware protection, patching software and backing up data.

“But also be sure to train workers on the importance of physical security at a jobsite,” he says. “Even if the site you are working on is currently unoccupied, physical access to it could allow attackers to plant devices and equipment that make it easier for them to launch a cyberattack on the building’s future tenant.”

Follow a number of risk mitigation steps, including some that “don’t cost a thing,” says Tim Francis, enterprise cyber lead at The Travelers Cos. Ins. headquartered in New York City.

“Creating strong computer passwords and updating them on a regular basis is an easy place to start, although only 60 percent of Travelers Risk Index survey participants from the construction industry admitted to doing so,” says Francis, who is based in Hartford, Connecticut. “Visiting a cyber prevention website to learn how best to protect your business is another suggestion that doesn’t take many resources and can make a meaningful difference.”

Other smart steps companies can take include installing firewall/virus protection; implementing data backup processes and hacker intrusion detection software; completing cyber risk assessments on the business and vendors; conducting internal IT audits; training staff; and simulating a cyber breach to identify areas of system vulnerability.


The 2020 Travelers Risk Index found a majority (53 percent) of construction decision makers are reliant on their computer systems for their businesses to run properly, but 81 percent have not conducted a simulated cyber breach to identify areas of system vulnerability. A simulation can improve a company’s chances of avoiding cyber events from ever happening.

“Dealing with the unknown is always an unsettling proposition, especially when it involves the financial health and stability of a business,” Francis says. “By simulating a cyber breach, exposures and vulnerabilities can be identified. More importantly, they can be addressed through actions taken that can safeguard the company against suffering a similar type of cyber event.”

As more contractors embark on digital transformation, cyber insurance coverage “is more important now than ever,” says Dan Zastava, director of corporate underwriting and product development at Sentry Insurance in Stevens Point, Wisconsin.

“Cyberattacks can impact project designs, bid data and security systems involved in architectural proposals,” Zastava says. “These attacks can also result in lost data, theft of personal identifiable information and in some cases, a business shutdown.”

While the coverage offerings may vary from one insurance carrier to the next, with some providing broader coverage than others, cyber insurance can assist the policyholder in responding to a covered incident by providing some or all of the following:

  • The cost of a cyber forensic analyst to determine how the hacker got into the system and what data was accessed.
  • The services of an attorney to identify state-by-state notification requirements pertaining to the personally identifiable information of customers living in each state.
  • Public relations firm utilization.
  • Liability coverage if the insured is sued as the result of a covered breach event.
  • Business interruption.
  • The physical loss of sensitive information on HR paper files, cyber extortion, social engineering and fraudulent impersonation.

“The insurance carrier may also have tools and resources to assist with reducing cyber risks, such as incident response plan templates, webinars, training modules and federal or state-specific information,” Zastava says. “Carriers that provide cyber insurance coverage also can provide preventative solutions to help businesses plan ahead to mitigate the impacts of an attack.”

Preventative measures include drafting an incident response plan; knowing the initial steps to take after an incident occurs; conducting regular training with employees to spread awareness and to identify phishing attempts; and regularly backing up data and key software programs to offline storage devices.

Another growing cyber risk for contractors: additional vulnerabilities within the cloud, says Corey Nachreiner, chief technology officer at WatchGuard Technologies in Seattle.

“Like many industries, construction organizations leverage digital services like software-as-a-service apps or network-based services specific to the industry,” Nachreiner says. “These often web-based services can suffer from certain risks if not implemented securely.”

One of the most common and simple issues is credential-based fraud — “hackers don’t break in, they log in,” he says.

“There’s little need for hackers to figure out very complex technical tricks to compromise your digital services if they can just hijack a valid user credential,” Nachreiner says. “Unfortunately, stealing credentials is often very easy using phishing attacks, or even finding re-used credentials from other breaches.”

A cybercriminal doesn’t need to evade any defenses if they can impersonate a trusted user, he says. To protect against this, contractors should implement multi-factor authentication on all their online services so that hackers can’t log in just because they have a stolen password.

Moreover, many of the digital services presented today are web-based solutions, and a badly coded web application can expose many technical vulnerabilities hackers might exploit to gain control of a company’s system or its data, he says.

“Web application vulnerabilities are a complex discussion for non-technical folks, but the easiest advice we can give is to refer the web developers of any system you create to the Open Web Application Security Project at OWASP.org,” Nachreiner says. “There, coders can learn the right way to create online web services without exposing different vulnerabilities. We also recommend you get a third-party security auditor to penetration test your digital services at least once a year.”