BY ERIC M. ONDERDONK, CBCP, SENIOR MANAGER, WIPFLI
A MEMBER OF MULTIPLE AGC CHAPTERS
Until recently, many smaller construction companies didn’t consider themselves a target for cybercriminals and fraudsters. Why would they be targeted rather than the bigger companies with greater assets?
But the reality is, a cybercriminal who steals $10,000 from a small firm nets the same money as one who steals $10,000 from a larger firm, and chances are they have an easier time going about it. Smaller construction companies just haven’t had the same controls in place as larger firms, so they’ve started to see criminals target them with email phishing, CEO and CFO impersonation, check fraud, fraudulent vendor change requests and more.
Even who you work with comes with its own risks. For example, utility companies are harder for criminals to hack directly, and so those criminals turn to the vendors and partners they work with instead to gain access.
Now that smaller construction companies are aware of the growing threats, it’s time to take action. Below we dive into the top six controls your company should have in place to help mitigate risk and protect your customers, vendors and your reputation.
1. CARRY OUT ONGOING EMPLOYEE TRAINING
Employees are on the front line when it comes to information security. In order to help protect the overall organization, they must know their security responsibilities. If you don’t know what threats are out there, the tactics criminals are using and how to combat them, how can you hope to prevent attacks?
At the same time, if you only do annual training, can you really expect your employees to remember everything they learned month after month with no reinforcement? What’s more, cybercriminals are evolving alongside the techniques used to combat them, so quarterly security awareness training from a professional third party can keep employees up to date and continually reinforce security awareness.
Employees should know what to do if they suspect an incident has occurred, what your organization’s acceptable use policy is, how to handle confidential information, and even how to keep a clean desk to prevent on-premises theft of sensitive information. Criminals will impersonate IT personnel, utility workers and others to obtain access to your office, including paper records and even servers.
2. PERFORM FREQUENT TESTING
Knowing your vulnerabilities is step one to fixing them. Perform vulnerability scans, vulnerability assessments, dark-web information scans and real-world penetration testing to give you a comprehensive view of how robust your information security and cybersecurity are and where you can mitigate risk.
3. KEEP YOUR SOFTWARE UP TO DATE
Older software and software that’s no longer being supported are two potential ways cybercriminals can gain access to your organization and its data. Make sure your software — whether it’s from a third-party vendor like Adobe or Microsoft or something your IT team developed for custom use — is always up to date with security patches. Retire software and hardware that have reached the end of their lifespans, as their vulnerabilities only open you up to attacks.
Another huge risk that companies frequently take is not securely disposing of physical assets. Hard drives, computers, mobile devices, copiers and printers all must be wiped of data and then destroyed. If you’ve leased equipment like copy machines that must be sent back upon being retired, then it’s especially crucial to wipe data from those machines before they leave your control.
4. USE MULTI-FACTOR AUTHENTICATION
Multi-factor authentication makes it much harder for criminals to gain access to sensitive information. As an example of multi-factor authentication, logging into your work email account on a laptop could involve signing in with a password as well as inputting a verification code sent to your mobile phone. Logging into your email on your phone could involve using a fingerprint scan as additional verification. Gaining access to your office could involve a keycard scan as well as a PIN.
Make sure multi-factor authentication is in place for any external-facing system you have and any portals providing access to your internal environment. This includes not only email accounts but also any CRMs or ERPs you may use, and even your intranet.
5. CREATE AN INCIDENT RESPONSE PLAN
While you can take many comprehensive steps to prevent fraud and cybercrime and greatly reduce your risk, nothing is 100 percent effective. This makes having an incident response plan crucial to every organization.
If your organization suffered a data breach of sensitive customer information tomorrow, what would you do?
Having an incident response plan means having a playbook you can rely on to help contain and recover from a cyber incident. It determines who you will contact for support, including attorneys, public relations personnel, insurance companies, a computer forensics team and, of course, law enforcement.
Data breaches require timely response from all of these unique areas in order to limit the damage to your company’s wallet, its customers and especially its reputation. Additionally, having the necessary contracts in place ahead of time for certain vendors like a professional incident response team is key to acting quickly.
6. UTILIZE MANAGED DETECTION AND RESPONSE SERVICES
Cyberattacks are growing in number. They increased by 32 percent in the first three months of 2018, compared to the first three months of 2017, and it got even worse during the second quarter of 2018, with cyberattacks increasing 47 percent over Q2 of 2017.
With the huge and only growing threat of cybercrime, managed detection and response services are becoming a better solution to help ensure security coverage. So frequently, attackers find a vulnerability in your system and sit on your network for weeks or months until they find the right opportunity to access sensitive data. It takes over 200 days on average to even detect a breach.
But providers of managed detection and response services will put sensors on your network that can detect anomalous behavior, recognize when an attack is happening and then alert the company to take action. With services like these, you can both help prevent cyberattacks and respond to incidents incredibly quickly.
If you didn’t consider your organization a target until now, start laying out a plan for implementing the strategies above. It’s only through layered security methods that you can help ensure your organization is protected and prepared to face growing threats. Make sure you’re asking and answering the right questions about security, too.
Eric M. Onderdonk, CBCP, is a senior manager at Wipfli, a member of multiple AGC chapters. Contact him at 952 548 3424 or firstname.lastname@example.org for additional information.