No industry is immune to privacy and cybersecurity risks, and the construction industry is no exception. Those in the construction industry can protect themselves against a potential cyberattack by understanding the risks and vulnerabilities and developing a plan.
Ransomware cost businesses more than $20 billion in damage in 2021, and a Safety Detectives survey found that construction was the third most common industry affected by ransomware attacks in 2021 (13.2 percent of the total number of ransomware attacks in North America).
The industry appeals to cyber attackers in many ways. First, the industry is largely unregulated when it comes to cybersecurity and privacy. This may explain why construction organizations have not prioritized implementing privacy and security measures. An IBM Ponemon survey found that 74 percent of construction-related organizations are unprepared for cyberattacks and have no plan to respond to incidents.
Second, construction transactions include significant amounts of personal information and sensitive corporate data, especially related to financial data, that entice threat actors.
Third, construction companies work with a variety of suppliers and each transaction can involve multiple parties, giving an internal or external malicious party ample opportunity to cause damage.
Finally, the construction industry has increasingly implemented artificial intelligence and robotics in recent years, which, given their interconnectedness, require additional data security and privacy considerations.
Understanding risks and vulnerabilities
Not all construction organizations face the same inherent business risk of a cyber breach. The risk depends on factors such as the nature of the projects they are working on (public infrastructure versus housing builders), their customers (e.g., governments, companies and individuals), the technologies involved in the project (e.g., internet of things, drones, GPS and biometrics), the jurisdictions in which business is conducted and the amount and nature of the personal information and sensitive business data in the organization.
In addition, the level of risk can depend on how well an organization is prepared for the challenge. For example, members of the organization’s IT staff may be adept at systems administration, but are they aware of the latest cybersecurity tools and attack methods to provide competent leadership and execution?
Develop and practice an “Incident Response Plan”
As a first step, organizations can develop and practice an incident response plan before a breach occurs. A good start includes the following:
- Identify the internal response team (e.g., leadership, IT, corporate lawyers and HR). These are the individuals in the company who will lead the response to any data incident. They will make quick, informed and prudent decisions that are likely to be critical to the success of the response process and potentially the company’s future.
- Identify the external response team (e.g., outside legal counsel, forensic investigators, reporting and public relations vendors). Identifying external members of the team in advance and negotiating and agreeing to applicable contracts can be vital to the success of any preparation plan. When a breach occurs, valuable time can be lost identifying, evaluating, negotiating and engaging the third-party service providers needed to respond.
- Anticipate critical business continuity and workplace security issues that could arise from a compromise of information and control systems. To the extent possible, contingency plans should be established to ensure operations can continue while the incident is investigated and damage is mitigated.
- Consult insurance brokers or cyber-insurance companies to confirm applicable coverage or to discuss cyber-attack coverage options. If coverage is in place, informing the insurance company should be one of the organization’s first steps in response to an incident.
- Be aware of all legal and contractual obligations that may affect the response process.
- Clarify the roles and responsibilities of team members at key points in the response process: incident discovery, investigation, coordination with law enforcement agencies, remediation, reporting, third-party investigations, compliance, and re-evaluation. This should include a clearly defined decision-making process to facilitate good choices and avoid delays.
- Practice, practice, practice. Members added to the response team may not have first-hand experience helping coordinate an investigation or response to data incidents. Unfortunately, even a well-drafted plan does not by itself prepare those charged with carrying it out to do so. Once the organization has its plan in place, it must bring together its internal and external breach response team members to simulate an incident so members gain valuable experience in navigating the investigation, mitigation and overall response process, as well as in working together. Similar to a fire drill, practicing this process ensures that any data incident is dealt with in an efficient and orderly manner.
Creating awareness across the organization
It is important that organizations create awareness about cyberattacks and other cybersecurity risks. This can include:
- Teach employees how to identify and avoid potential ransomware attacks and other forms of data breaches.
- Instruct employees on what to do immediately if they believe an attack has occurred (e.g., whom to inform [generally, IT] and how to disconnect from the network). This may include coordinating with the organization’s security team to, for example, ensure that compromised systems and equipment do not cause physical injury to persons or damage to property.
- Instruct employees on what not to do (e.g., delete system files and try to restore the system to an earlier date).
Preparedness can make all the difference in the success of a construction organization’s ability to deal with a cyberattack. An incident prevention and response plan is only as strong as employee awareness. Employees must understand the risks associated with maintaining complex data-driven systems and equipment and the basic steps they can take to prevent or mitigate a cyberattack and respond, if necessary.
If you have any questions, please contact a Jackson Lewis attorney.