They have cheeky, even beguiling names like SamSam, Locky, WannaCry and Reveton. You are more likely to know these names for the immeasurable pain, suffering, and loss they cause through ransomware data theft and extortion.
What makes this scourge worse is the way criminals are actively targeting construction companies. No wonder many industry leaders ask, “Why us? We’re a construction company. What do we have that is worth stealing?” A lot, it turns out.
First, a quick look at the new normal based on the numbers:
If you’ve experienced an attack, you know what’s at stake. It goes beyond a disastrous ransom demand. It’s a terrorizing blow that puts your reputation and your ability to keep the business up and running on the line. The viability of all ongoing projects and offers is immediately jeopardized.
Even if you are fortunate enough to have business insurance that will help make up for part or all of the financial loss, you will face higher premiums, reduced coverage, or both, or a summary cancellation. Either way, you pay.
“I’ve been to companies where a data breach is a vital event. They say, ‘We can’t pay. We can’t recover. We’re done,’” says Nick Espinosa.
Espinosa is a best-selling author, noted TED spokesperson, cybercrime advisor, and head of Security Fanatics, a global authority on cybersecurity and IT infrastructure defense. He understands why the bad guys are exploiting construction companies’ databases. These crown jewels could be:
- Employee information
- Bid data
- Profit / loss information
- Bank records
- Material prices
- Other confidential information
“First of all, it is clear: every industry is under attack. Nobody is spared. Still, the construction industry is singled out because it tends to be rich in money and is constantly pressured to meet delivery goals. Construction companies are seen as more vulnerable and willing to ‘pay,’” explains Espinosa.
There is another reason. Fast growth in a booming economy is a double-edged sword. For the bottom line, of course, it’s great. But it can also mean that cybersecurity will be neglected as companies accelerate their digital transformation. That leaves it to a normally overworked and understaffed IT department to fight a crafty, relentless enemy.
“Construction companies don’t invest enough in cybersecurity. You tend to be a little behind. It’s like hiring a specialist contractor. Would you like a drywall contractor to install your HVAC system? Skills must match highly talented and resourceful thieves. Cybersecurity is a specialty that few companies have the in-house know-how or time to keep up with,” says Espinosa, noting the sky-high success rate criminals have in breaking through construction company defenses.
Kevin Soohoo, Director, Construction and Engineering at Egnyte, a leading content management company, says the ransomware plague deserves the same level of leadership as occupational safety.
“Construction projects are full of risks and uncertainties. Traditionally, project drivers have been viewed as a triad of work, material and equipment. For example, the industry has made great strides in securing workers with very tangible results,” says Soohoo.
How tangible? Dodge Data & Analytics reports that 72% of contractors say their security program has a positive impact on their industry position, with 66% claiming security practices drive business development.
The risk posed by ransomware attacks raises the question: isn’t it time to treat cybersecurity with the same zeal and focus as a security management program? Lax attention to either one can damage a business or kill it.
The good news is that the industry is making this a regular issue, sharing best practices on a national level with well-known trade associations like MCAA and NECA. In fact, the AGC IT Conference, one of the few construction events with a large focus on construction IT, will feature three separate cybersecurity breakout sessions during the 2.5-day event.
Espinosa recommends companies insist on free and sensible practices, such as multi-factor authentication when signing up. This simple action often deters a potential attacker, who has little reason to bother overcoming this obstacle when there are far more accessible targets. In addition, Espinosa advises developing a defensive strategy around a third-party safety assessment. “It’s the right step to sleep better at night,” he advises.
Another notable step is partnering with a content management company like Egnyte, which is at the forefront on G2, the independent go-to place for enterprise software, for data-centric security. “Egnyte has much stricter security measures than most content management companies,” reports Espinosa.
In a world characterized by cyber thieves who want to turn your company upside down, it makes sense to rethink long-held security assumptions. Consider implementing best practice cybersecurity measures that will protect your data assets from the unthinkable.