Construction projects are rife with risks, and contractors know how to identify and mitigate those risks. However, the risk of cyber-attacks is often overlooked by contractors. The industry has traditionally been slow in adopting technology, but the pandemic has accelerated the need for connectivity and data sharing technology. With this increased reliance on technology and the internet, construction companies are more vulnerable to cyber-attacks.
The 2022 Verizon Data Breach Investigations Report reviewed over 23,000 incidents and 5,200 confirmed breaches from around the world. Overall, ransomware attacks increased by 13%, making up 25% of data breaches. Among all incidents, 82% involved the human element, which takes advantage of human laziness and fallibility.
When it comes to targeting companies, very small businesses (those with 10 or fewer employees) are at particular risk. The number one attack against very small businesses in 2022 was ransomware. The second most popular attack was use of stolen credentials, such as usernames and passwords. Very small businesses are more vulnerable because of their limited resources and the fact that they cannot rely on trained staff to prevent attacks.
In order to respond to and address cyber security, contractors need to develop a cyber security plan. The plan should identify a company’s response team, including contact information, identify critical business continuity and workplace safety issues, assign roles and responsibilities if an attack should occur, and outline training and practice methodologies. Once developed, the plan should be printed out on paper, as it may not be available electronically if computers are down or compromised.
How to develop a data security plan
Now let’s go over the key steps to developing a data security plan.
1. Identify your response team
Companies should identify both their internal and external data security response team members. Internal company team members may include employees representing management, IT, and human resources. External members may include legal counsel, investigators, vendors, and public relations or marketing companies. These team members will work together to make critical decisions that affect the success of the response and the future of the business. Because valuable time can be lost trying to identify and work with response team members, it’s beneficial to identify them ahead of time and engage third parties as needed.
2. Identify critical business continuity and workplace safety issues
The response team works together to anticipate which processes and safety issues could be jeopardized by a cyber-attack. As much as possible, the team should also develop contingency plans to maintain operations while they are investigating and mitigating the damages.
3. Purchase cyber security insurance
Insurance coverage is available for cyber-attacks. It covers damages for all forms of attack, including ransomware. Contact your business insurance agent to get a quote and coverage details. Once a policy is in place, the first step in your response plan should be to notify the insurance company. They may have additional resources to help you mitigate damages and investigate the incident.
4. Assign roles and responsibilities
The next step is to assign roles and responsibilities to internal and external team members. Plan steps may include investigation, coordination with law enforcement, customer and vendor notification, compliance review, and reevaluation of the plan based on lessons learned.
5. Train all employees
All employees should be trained on how to recognize and avoid ransomware and other forms of data breach. They must learn what to do if they believe an attack has occurred and what not to do. Because cyber-attacks can occur at all levels of a business, it’s important to train everyone.
Gather team members together and simulate a data breach incident and run through the response plan. This will give members valuable experience working together and going through the process of investigation and mitigation. The plan should be evaluated, and changes made if needed.
5 Tips for avoiding data breaches
In addition to creating a response plan, there are a few things you can do to prevent an incident from happening.
1. Locate your data
Find out where your company data, such as employee data, customer data, and proprietary data, is stored. Knowing the exact location of data within your system may reduce the number of customers or vendors you need to notify if a breach occurs.
2. Update software and hardware
Use only the latest in hardware and software and keep them updated. As new technology and information becomes available, you will want to stay ahead. By staying current, you reduce risk.
3. Use encryption and VPNs
Data encryption is a best practice within the cyber security industry, but it isn’t enough to protect your company data. Virtual private networks (VPNs) protect privacy online. They use encrypted data and hidden IP addresses to keep your data and connection safe.
4. Monitor your network
Companies should monitor their networks at all times, so they know whether it has been infiltrated or attacked.
5. Use wire transfers safely
Construction payments often involve large sums of money being transferred between accounts through wire transfers. To ensure the safety of the account information traded in these transactions, all wire transfer information should be confirmed via phone or in person conversation. A wire transfer requested by email should not be sent without verification.
Data security is important for all contractors, especially as more data is now stored electronically. Creating a data security response plan and following best practices will help contractors protect themselves from cyber-attacks.