In 2009, PATCO Construction lost over $588,000 in five days. The loss didn’t come from a construction deal gone south or an embezzling employee. It happened when attackers installed a banking Trojan on a company computer.
The attackers obtained PATCO’s login credentials, password, and the answers to three security questions. They used the information to initiate illegal wire transfers from PATCO’s bank account. The bank recovered less than half of the money, leaving PATCO facing a $345,000 loss and leading to many years of litigation with the bank.
According to research from QBE Insurance Group, only 44 percent of construction companies have a cybersecurity plan, and just 26 percent of construction companies have purchased cybersecurity insurance. It’s time for construction companies — even small ones — to get serious about cybersecurity.
WHY ATTACKERS TARGET SMALL- AND MEDIUM-SIZED BUSINESSES
Many construction-business owners assume that cyberattackers have no interest in their companies. After all, they don’t store large amounts of financial information or Social Security numbers, and they’re not part of high-risk industries like finance, health care, and retail. However, as part of an increasing wave of attacks against small- and medium-sized companies, more and more construction businesses are falling victim to cyberattacks. Here are a few reasons that smaller targets appeal to attackers:
- Weaker security. Few small companies have a strong cybersecurity posture, and most have no security expertise at the management level. Think about it: someone who graduates with an MBA specializing in fraud protection isn’t likely to become a chief information security officer for a small business.
- Poor data protection. Many small businesses sign up for cloud software that uses poor data encryption. They also transfer their data using poorly protected Wi-Fi networks.
- Access to clients. Small construction companies often have high-value customers, including Fortune 500 companies and government agencies. Attackers can steal login information from a small business employee and use it to go after a much more valuable target, cleaning out the small company’s bank account along the way.
- Poor legal protections for commercial bank accounts. Commercial bank accounts don’t have as many legal protections as personal bank accounts. The law holds businesses to higher security standards than individuals.
- Non-savvy employees. Small companies rarely offer employee training related to creating strong passwords, avoiding phishing emails, and recognizing social engineering attacks. As a result, their employees become easy targets.
WHAT CONSTRUCTION COMPANIES CAN DO
A small construction office might not have the budget for a major cybersecurity overhaul, but a few simple precautions can protect construction businesses from major losses.
Smart Password Protection
Employees can use one of two methods to create strong but easy-to-remember passwords. One method involves creating a sentence that incorporates upper-case and lower-case letters, numbers, and symbols, such as “I won $1,000 in Las Vegas last summer.” Then, take the first letter or first few characters of each word to create a strong and memorable password: Iw$1iLVls. Another type of strong password chains together four random but easy-to-remember words: dogenvelopedoctorraisin.
Once passwords are set, remind your employees to change them often, never to share them with anyone else, and never to write them on sticky notes posted around the office.
Email, Text Message, and Phone Protection
Even when your employees receive emails or texts containing links to legitimate-looking websites, or they receive seemingly innocuous forwards from their friends, remind them to never click the link that’s provided. Instead, they should open a new browser window and navigate to the website from the browser.
Also, if your employees receive a suspicious or alarming voicemail that sounds like it’s coming from someone important, remind them not to call the number left in the message. Instead, they should contact the government agency or company directly using its publicly available phone number.
Installing good but affordable security software, including antivirus for individual computers and out-of-the-box small business network protection, can go a long way toward protecting construction companies. Also, verify whether cloud software offers strong encryption before signing up for an account.
Even small construction businesses should purchase cyberinsurance to protect themselves from lost revenue and litigation. It could save the business from catastrophic losses following a cyberattack.