The construction industry continues to be one of the most targeted industries for cyberattacks. A common misconception is that a cyberattack will never happen to your business because you are too small to be targeted. Unfortunately, this is untrue.
According to a 2022 Cyber Readiness Report from insurance provider Hiscox, hackers directed more of their attention to mid- and small-sized businesses in 2021. Per the FBI’s 2022 Internet Crime Report, the FBI’s Internet Crime Complaint Center received over 800,000 reported complaints in 2022, with losses exceeding $10.3 billion. The problem certainly isn’t endemic to the United States. In Canada, 85% of companies experienced at least one cyberattack in 2021 over a 12-month period.
A 2020 survey by NerdWallet found that nearly half (47%) of small businesses reported that they had “no understanding of how to protect themselves against cyberattacks.”
This is a troubling statistic given that such breaches can cost small businesses up to $650,000. In fact, for 2020, IBM’s “Cost of Data Breach Report” stated that the average data breach cost $3.86 million. That unexpected cost could be devastating for any business, let alone a small construction contractor.
For contractors, taking the following proactive steps can help you protect your business and reduce the risk of a cyberattack:
Step #1 – Protect Your Files & Devices
- Update your software.
- This includes your apps, web browsers, and operating systems. Set updates to happen automatically.
- Secure your files.
- Back up important files offline, on an external hard drive, or in the cloud.
- Require passwords.
- Use passwords for all laptops, tablets, and smartphones.
- Encrypt devices.
- Encrypt devices and other media that contain sensitive personal information. This includes laptops, tablets, smartphones, removable drives, backup tapes, and cloud storage solutions.
- Use multi-factor authentication.
- Require multi-factor authentication to access areas of your network with sensitive information. This requires additional steps beyond logging in with a password — like a temporary code on a smartphone or a key that’s inserted into a computer.
- Require multi-factor authentication to access areas of your network with sensitive information. This requires additional steps beyond logging in with a password — like a temporary code on a smartphone or a key that’s inserted into a computer.
Step #2 – Protect Your Wireless Network
- Secure your router.
- Change the default name and password, turn off remote management, and log out as the administrator once the router is set up.
- Use at least WPA2 encryption.
- Make sure your router offers WPA2 or WPA3 encryption, and that it is turned on. Encryption protects information sent over your network so it cannot be read by outsiders.
- Make sure your router offers WPA2 or WPA3 encryption, and that it is turned on. Encryption protects information sent over your network so it cannot be read by outsiders.
Step #3 – Make Smart Security your Business as Usual
- Require strong passwords.
- A strong password is at least 12 characters that are a mix of numbers, symbols, and capital and lowercase letters.
- Never reuse passwords and don’t share them on the phone, in texts, or by email.
- Limit the number of unsuccessful log-in attempts to limit password-guessing attacks.
- Train all staff.
- Create a culture of security by implementing a regular schedule of employee training.
- Update employees as you find out about new risks and vulnerabilities.
Step #4 – Reinforce Secure Behaviors
- Education and awareness are not enough to ensure that security is a part of business as usual.
- Train employees about how to identify email phishing scams (e.g.,” Jason.Smith@abccompany.com” vs “Jason.Smith.abccompany@gmail.com”) gcollins@felhaber.com vs. gcollins.felhaber@gmail.com).
- Train employees to check links (i.e., hover over them) and to be very careful of attachments.
Step #5 – Consider Additional Cybersecurity Countermeasures
- Consider Data Breach / Cybersecurity Insurance.
- Costs are reasonable and insurance can be a lifesaver in the event of a breach.
- Consider encrypting all company data to prevent hackers from being able to use the data when it is hacked.
- Consider eliminating the use of personal devices.
- While this increases costs, it also helps the company control the flow of data outside of its ecosystem.
- Consider banning flashdrives.
- Cybercriminals are known to plant flash drives labeled “Q4 Layoffs” or “Q4 Promotions” in order to tempt employees to plug them into company computers and download the content.
- Cybercriminals are known to plant flash drives labeled “Q4 Layoffs” or “Q4 Promotions” in order to tempt employees to plug them into company computers and download the content.
Step #6 – Prepare to Respond and Recover
- Conduct a cyber risk assessment to determine your cyber vulnerabilities and understand your risk.
- Develop an incident response plan, which helps you respond to a cyber security attack and implement corrective measures to respond to and mitigate the threat.
- Develop a disaster recovery plan to ensure business continuity of any destructive attack that has occurred.
For contractors who are overwhelmed by these six steps, send these steps along to your IT providers. Additionally, there are cybersecurity vendors who can help you take these steps and prevent your company from being an easy target.
Bottom Line
By following the steps outlined above, contractors can mitigate against a costly cyberattack. The time to prepare is now – do not allow yourself to be an easy target for cyber criminals.
