As handy as all these digital gadgets are for your contracting business, there is one area that, without your strict attention, could cost you a lot of money as well as your reputation. We are talking about cybersecurity. As easy as these devices are for you to use, they are just as easy for hackers and other bad actors to break into.
You need to be alert to the types of problems a lack of digital security can cause, not just for you but for your customers, employees, and vendors. Not to worry, though. There are ways to protect yourself and your business.
What is cybersecurity?
If your business is like many others, you use a number of digital tools to streamline your workflow, store documents and information, handle scheduling … the list gets longer every day. Some of these tools may reside only on your computer, but increasingly the tools you use for these activities live in the cloud. This means you need an internet connection to use them.
Once you connect your computer to the internet, you open a door through which digital rogues can sneak into your online workplace, steal your data, and wreck the rest. What do these people want?
- Access to personal information (think identity theft)
- Access to proprietary corporate assets including project and bid data, privileged contracts, intellectual property, and architectural designs (sabotage and trading in company secrets)
- Access to personal information on servers belonging to another organization, using your systems or credentials as the stepping stone (the Target breach was traced back to credentials stolen from an HVAC contractor)
- Extortion (holding data for ransom is getting popular)
It isn’t just information that can get compromised; a hacker can also damage servers and IT infrastructure, with the potential to harm the people on your jobsite if architectural designs or physical security systems are tampered with.
Why should you care?
Here are a few good reasons:
- In 2015, there were over 2,200 security incidents with confirmed data loss.
- Over 80% of incidents were from external threats, most from hacking and malware.
- On average cyber attackers went undetected for 243 days.
- Attackers are getting quicker at compromising victims, while internal breach discovery and fraud detection are falling behind.
A data breach can wind up costing you an arm and a leg in legal costs. It isn’t uncommon for those whose data has been stolen from your system to bring a civil suit. You will also be paying for notifications, regulatory fines and penalties, and security consulting.
If you need more convincing, the Ponemon Institute, an independent research firm specializing in privacy, data protection and information security policy, estimated in its 2015 Cost of Data Breach Study that the cost per lost or stolen record was $154. Each.
The average total cost of a data breach was $3.79M, up 23% since 2013.
One of the more troubling issues is that standard contract forms, as a general rule, do not address cybersecurity issues. If you take on government projects, they are likely to have more specific cyber protection requirements. (See Executive Order 13636, Improving Critical Infrastructure Cybersecurity.)
What can you do?
If your company is the victim of a digital breach, you have three issues to deal with.
- Your company must determine how your systems were breached and what data may have been accessed.
- You will need to engage an attorney or other legal counsel to find out what your responsibilities are for notifying other individuals and companies.
- These parties, once identified, must be notified of the breach, and you should provide a credit monitoring service to affected individuals for good measure.
If you haven’t been hacked yet, assume you will be. Cybersecurity must be addressed as part of your risk management plan. You can develop this section by asking:
- What personally identifiable information, employee information, and/or client confidential information do you store?
- Where is the data stored, how, and who has access to the data?
- How many records or files are stored there?
- What other data does your business have, where is it stored, and what else is that data connected to?
All company laptops, as well as portable media devices like thumb drives, should be encrypted (full-disk encryption such as BitLocker on Windows or FileVault on macOS, enforced rather than left to the user). You may want to consider banning the use of portable media altogether. Thumb drives are easily lost and stolen.
Employee safety training should include training in digital security risks. Anyone who accesses company files could be the proximate cause of an incident. Just like you emphasize personal safety on the jobsite, you should make sure everyone understands the importance of data security.
Make sure you are:
- Keeping the company’s firewall firmware and rules current and applying all security patches promptly
- Checking for a “hold harmless and indemnification agreement” with your vendors in the event of a data breach involving their information or their IT services
- Having a detailed incident response plan in place before a data breach occurs, not after
Form a team of cross-functional representatives, including IT and information security experts, to help your company define legal implications, keep you in compliance, and take care of privacy issues. You will also need expertise in public relations, auditing, ethics, and government affairs.
There are a variety of tools available to help you protect your data.
Make and keep a detailed inventory of the data you hold, including where that data is stored and how it is controlled. If a breach occurs, you will be able to expedite notification and forensic processing.
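A data inventory is easier to keep honest if you can find sensitive data where it actually lives rather than where people think it lives. The following is an added example, not code from the original article: a small Python scanner that walks a directory tree, flags files that appear to contain US Social Security numbers or payment card numbers (card candidates are confirmed with the Luhn check so that invoice and phone numbers are not counted), and returns an inventory keyed by file path. The sample files it scans are constructed in a temporary directory and use well-known test card numbers; the regular expressions and file-size limit are assumptions to tune for the data your business holds.

```python
"""Data inventory scanner: find files that appear to hold PII (added example)."""
import os
import re
import tempfile
from collections import Counter

# Assumed detection patterns; adjust to the data types your business stores.
# SSN: AAA-GG-SSSS, excluding areas 000, 666, 900-999 and zero group/serial.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> Counter:
    """Count PII hits in a block of text, keyed by data type."""
    hits = Counter()
    hits["ssn"] += len(SSN_RE.findall(text))
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits["card"] += 1
    return +hits                # unary plus drops zero-count keys


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk `root` and return {relative path: {data type: count}} for files with hits."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:   # skip very large files
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = classify(text)
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = dict(hits)
    return inventory


def build_sample_tree(root: str) -> None:
    """Write constructed sample files; the numbers are standard test values, not real data."""
    samples = {
        "hr/payroll.csv": (
            "name,ssn\nJane Doe,123-45-6789\nJohn Roe,234-56-7890\n"
            "Bad Row,000-12-3456\n"        # invalid area number, should not count
        ),
        "finance/receipts.txt": (
            "Card 4111 1111 1111 1111 charged $250.00\n"   # valid Luhn test number
            "Ref 4111 1111 1111 1112 (typo, fails Luhn)\n"
        ),
        "bids/project-a.txt": "Bid for 12 Main St: concrete, framing, electrical. Total $48,200.\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample tree in a temp directory and return its inventory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, counts in sorted(demo().items()):
        print(f"{path}: {counts}")
```

Run it against a share or a laptop home directory and the output is a first draft of the "where is it stored" column of your inventory; the bid file with no personal data is correctly absent, while the payroll and receipts files appear with counts per data type. Treat it as a starting point: add patterns for the identifiers your own forms collect, and pair the result with who has access to each location.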
Require strong, unique passwords. Do not allow the same password to be reused across accounts or shared between users, and change every default password that ships with a device or service. Current NIST guidance (SP 800-63B) advises against forcing routine password changes unless there is evidence of compromise; length, uniqueness, and multi-factor authentication do more to keep attackers out than scheduled resets.
A properly configured firewall is a strong first line of defense and an excellent tool to isolate and contain breaches. User authentication should be a requirement for anyone with access to your systems, and you should subscribe to an annual support and maintenance agreement with your firewall vendor. Your service should also include 24/7 monitoring and support. All of this will be cheaper than paying out for stolen data and damage.
A couple of other items can minimize your capital outlay if (when) your systems get hacked.
- Obtain a “hold harmless” agreement from all third parties you share information with, especially if the data is stored in the cloud. Go over the agreement with the third party so you can limit as much liability as possible.
- Get cyber-insurance (yes, it’s a thing). This transfers your risk to the insurance carrier. You can find a policy with reasonable premiums that covers liability lawsuits, pays for your expenses such as the cost of legal counsel, and pays for notification and credit monitoring for the owners of the hacked data.
Additional cyber-insurance can also be obtained to pay for data restoration and losses from business interruptions caused by the incident. Don’t rely on your property policy; hacking is typically excluded.
Other areas that may be covered: payment for digital extortion and the costs for a data breach coach to guide you through the process. Construction employee training, penetration testing, security audits, and vendor management consulting may also be included.
Hacking is the new bank robbery. It is silent, can be difficult to catch, and can ruin business reputations. Prepare your defenses before the enemy can breach your walls.