Enhancing Your Cyber Hygiene Can Protect Your Business
By Dennis Ast, CPCU, CCIC
October was Cybersecurity Awareness Month. This year’s theme, “Secure Our World,” resonates across many industries, but arguably none more so than the construction industry. The construction sector continues to be a prime target for cyber criminals due to its unique vulnerabilities. Cyber-attacks can strike a construction company from various fronts, including software breaches, phishing, fund transfer fraud, and ransomware.
The construction industry faces unique exposures because of the vast amount of sensitive information involved in any project, such as contracts, financials, building plans, and the significant funds transferred electronically between businesses.
So, how can a construction company protect itself and minimize the impact of cyber threats? There are several best practices to consider, including elevating your cyber hygiene and resiliency, training employees on cyber awareness, and having a recovery plan in place should a cyber incident occur.
How does your organization increase its cyber hygiene and resiliency?
First, you need to conduct a vulnerability assessment and potentially a penetration test to identify and resolve any weaknesses. Ensure you are doing all you can to protect the data related to your company, employees, and clients. Implement Multi-Factor Authentication (MFA) for email, privileged users, and remote access to make it harder for cyber criminals to access your system.
Next, implement Endpoint Detection and Response (EDR), or better yet, Managed Detection and Response (MDR) or Extended Detection and Response (XDR). These applications monitor all your endpoints (laptops, desktops, printers, servers, etc.) for any unusual or suspicious activities, allowing your cybersecurity teams to respond promptly and appropriately to minimize any impact on your company. Maintain a regular patching schedule to keep all your systems and applications up to date and replace or remove any end-of-life or unsupported software.
Ensure you have regular, encrypted, air-gapped, and tested backups. To minimize the potential for fund transfer fraud, implement policies that verify (dual control) initial or changes in payment information from or to vendors and employees. It’s better to take the time to verify payment information than to risk paying the wrong party.
How can you minimize the risk of a cyber breach?
Another key to minimizing your organization’s risk of a cyber breach is to educate your employees, as they are your first line of defense. Since 95% of cybersecurity issues are caused by human error, it’s crucial to start with a comprehensive cybersecurity policy. Help employees understand cybersecurity and the critical role they play. Make following the policy a priority and provide regular training and updates to keep them engaged.
Train your employees on how to spot and report suspicious activity. Most importantly, encourage communication and open dialogue about cybersecurity. You want your employees to feel comfortable coming to you with concerns, without fear of negative repercussions.
Finally, an organization needs to have a Cyber Incident Response Plan. There are many templates available from both government sources and cyber carriers. A well-written plan will help your organization identify exposures and determine the best way to respond and recover from an incident, minimizing the impact on the organization. Without a plan, many organizations struggle with what to do if they suspect a cyber-attack, leading to high costs and damage.
By taking a proactive approach to cybersecurity and implementing the best practices outlined above, you can help protect your organization from a cyber attack and minimize the impact if one occurs.
For more information please contact Dennis Ast, Senior Account Executive Cyber Risk Specialist at or [email protected]
This content is for informational purposes only and not for the purpose of providing professional, financial, medical or legal advice. You should contact your licensed professional to obtain advice with respect to any particular issue or problem. Please refer to your policy contract for any specific information or questions on applicability of coverage.
Please note coverage can not be bound or a claim reported without written acknowledgment from a OneGroup Representative.