Contractors with weak cybersecurity measures could be turned down for insurance unless they implement stronger safeguards, a cybersecurity expert has warned.
In December 2021, infrastructure management company Amey suffered a cyberattack after hackers used ransomware to access documents, including correspondence with government departments, that were leaked online.
It was the latest in a list of companies, including Interserve, Bouygues UK and Bam Construct, to be targeted by cybercriminals in recent years.
After a series of attacks, Cyber Security Associates (CSA) CTO James Griffiths said insurers were now being more selective in handing out cyber insurance to contractors, turning away those with poor online protection.
Griffiths revealed that a change in insurers’ behavior had influenced some of the “largest construction companies” to increase their investment in cyber defense systems to protect themselves and their staff.
Warning that the next big attack was “only a matter of time,” he encouraged contractors of all sizes to check and improve their online protections to protect their business and make sure they don’t get turned down by insurers.
Griffiths told NC: “The insurance companies now, because they have had to pay a lot in the last three or four years for claims [after attacks, some are not insuring] companies that they would have in previous years.
“Many insurance companies are now heeding the advice of cyber security professionals, [asking them] what they should be asking […] before accepting a client. And now they’re starting to find that the companies that they’ve been insuring for 15 or 20 years before, unless they put these [cyber defences] in place, they are not insurable.”
CSA’s technical director said he had seen examples of firms being turned down for cyber insurance because they didn’t meet the minimum insurance underwriter requirements.
“They wouldn’t insure them because the risk is too great,” Griffiths said.
In March, a government report revealed that construction companies were among the business groups least likely to have specific cyber protection rules or controls. Measures could include up-to-date malware protection, a policy that ensures strong passwords, or data backup through a cloud service.
The paper, the Cyber Security Gap Survey 2022, also found that construction companies were among the least likely to have carried out activities to identify cybersecurity risks in the last 12 months.
Griffiths suggested that some contractors have historically paid more attention to health and safety than cybersecurity, but stressed that they could no longer neglect it and offered recommendations.
He said: “Set up multi-factor authentication. So make sure you have that turned on and applied from all your third parties and apps you use.
“Surveillance [is also important] and identify what is happening in your network and in the company’s devices, because it is useless to have all these [protections] in place and it’s not really monitoring or alerting on these things that actually happen,” he added.
Official government statistics show that 39 percent of businesses identified a cyberattack in the past 12 months through March, with the most common threat coming from phishing attempts (83 percent). The average cost for medium and large companies was £19,400.
In a four-month period in 2020, major contractors Bouygues UK, Bam and Interserve fell victim to malicious actors attacking their systems. Interserve subsidiary RMD Kwikform was also attacked in November 2021.