No industry is immune from privacy and cybersecurity risks, and the construction industry is no exception. Those in the construction industry can protect themselves against a potential cyber attack by understanding the risks and vulnerabilities and developing a plan.
Ransomware cost businesses more than $20 billion in damage in 2021, according to cybersecurity companiesand a study of security detectives found that construction was the third most common industry to experience ransomware attacks in 2021 (13.2 percent of total ransomware attacks in North America).
The industry attracts cyber attackers in many ways. First of all, the industry is largely unregulated when it comes to cybersecurity and privacy. This may explain why construction organizations have not prioritized the implementation of privacy and security measures. A study by IBM’s Pokemon found that 74 percent of construction-related organizations are unprepared for cyberattacks and do not have an incident response plan in place.
Second, construction transactions contain significant amounts of personal information and sensitive business data, particularly regarding financial data, that attract threat actors.
Third, construction companies work with a variety of vendors, and each transaction can involve multiple parties, providing ample opportunity for an internal or external bad actor to wreak havoc.
Finally, in recent years, the construction industry has increasingly implemented artificial intelligence and robotics, which, given their interconnectivity, require additional security and data privacy considerations.
Understand risks and vulnerabilities
Not all construction organizations face the same amount of inherent business risk from a cyber breach. That would depend on factors like the nature of the projects they work on (public infrastructure versus residential homebuilders), their clients (e.g, governments, companies and individuals), the technologies involved in the project (e.g, internet of things, drones, GPS and biometrics), the jurisdictions in which business is conducted and the amount and nature of personal information and sensitive business data in the organization.
Additionally, the level of risk may depend on how well an organization is prepared for the challenge. For example, members of the organization’s IT staff may be experts in systems management, but are they up to date with the latest cybersecurity tools and attack methodologies to provide competent leadership and execution?
Develop and practice an “Incident Response Plan”
As an initial step, organizations can develop and practice an incident response plan before a breach occurs. A good start includes the following:
Identify the internal response team (e.g, leadership, IT, internal consulting and human resources). They are the people in the business who will lead the response to any data incident. They will make quick, informed and prudent decisions that are likely to be critical to the success of the response process and possibly the future of the business.
Identify the external response team (e.g, outside legal counsel, forensic investigators, notification providers, and public relations). Having external team members identified in advance and negotiating and agreeing to any applicable contracts can be vital to the success of any preparedness plan. When a breach occurs, valuable time can be wasted trying to identify, assess, negotiate, and contract with the third-party service providers needed for the response.
Anticipate critical workplace security and business continuity issues that could be compromised by a compromise with information and control systems. To the extent possible, contingency plans should be designed to allow operations to continue while the incident is investigated and damage is mitigated.
Check with insurance brokers or cyber insurance companies to confirm applicable coverage or to discuss coverage options for cyber attacks. If coverage exists, notifying the insurance company should be one of the organization’s first steps in responding to an incident.
Clarify team member roles and responsibilities at key points in the response process: incident discovery, investigation, coordination with law enforcement, remediation, notification, third-party inquiries, compliance, and reassessment. This must include a well-defined decision-making process to facilitate good choices and avoid delays.
Practice practice practice. Members added to the response team may not have first-hand experience to help coordinate a data incident investigation or response. Unfortunately, even a well-written plan does not give the people charged with implementing the plan the competence to execute it. Once the organization creates its plan, it should bring together internal and external breach response team members to simulate an incident and help members gain valuable experience navigating the investigation, mitigation, and overall response process. as well as in joint work. Much like a fire drill, practicing this process will help ensure that any data incident is dealt with in an efficient and orderly manner.
Create awareness throughout the organization
It is important for organizations to create awareness of the risk of cyber attacks and cybersecurity risks. This may include the following:
Tell employees what to do immediately if they think an attack has occurred (e.g, who to notify [generally, IT] and how to disconnect from the network). This may include coordination with the organization’s workplace security team to ensure, for example, that compromised systems and equipment do not cause physical harm to people or damage to property.
Preparation can make a difference in the success of a construction organization’s ability to handle a cyber attack. An incident prevention and response plan is only as strong as employee awareness. Employees must understand the risks involved in maintaining complex data-driven systems and equipment and the basic steps they can take to prevent or mitigate a cyber attack and, if necessary, respond to one.
Jackson Lewis PC © 2022National Law Review, Volume XII, Number 91