In this article, Tysers explains how cyber attacks pose significant operational risks in the construction industry, causing business disruptions and delays.
Construction companies have become an increasing target for cybercriminals in recent years, with several high-profile cyber attacks on firms including UK-based Bam Construct and Interserve, which were contracted to build several NHS Covid Hospitals at the height of the pandemic.
A government study revealed that construction companies are among the most likely to fall victim to cyber-facilitated fraud.
Despite this statistic, the report also revealed that the construction sector is one of the least likely to have a range of cybersecurity controls in place, including board members or trustees who have responsibility for cyber security.
There are many serious operational, reputational and legal risks that need to be considered and mitigated against where possible. A cyber attack can cause severe disruption across the supply chain and may even impact suppliers or clients if malware is spread outside of the company or confidential data is leaked.
Operational Risks
Ransomware attacks have become increasingly common, with many cybercriminals targeting key systems used by businesses in their day-to-day operations and to deliver services.
The financial impact of an attack of this nature should not be underestimated. It can cause large-scale business disruption, particularly when users are locked out of crucial systems necessary for the progression or completion of a project.
Reputational Risks
If a cyber attack leads to a significant delay in project delivery or compromises your supply, this could cause considerable reputational damage, particularly if highly sensitive data is leaked and causes distress and/or financial losses for other businesses or individuals associated with your business.
Legal Risks
GDPR places the responsibility of data security and confidentiality on the business which holds and processes this data, including sensitive data about other businesses, employees and clients.
If a data breach occurs, you may be liable to fines and penalties for breaching GDPR, even if the leak was a result of a cyber attack.
If a data breach occurs, you may also be legally required to notify individuals whose data has been compromised, which, in the case of large-scale breaches, can be costly and time-consuming.
How do I protect my business against cyber attacks?
1. Cybersecurity Measures
Robust cybersecurity is essential to protect your business, and it’s important to invest in cybersecurity measures regardless of business size or industry.
Implementing secure password policies that require strong passwords that are frequently changed can help deter ‘brute force’ password hackers. So can multi-factor authentication, which is one of the easiest steps that can be taken to protect data, as it makes it more difficult for cybercriminals to access systems.
You can find out more about multi-factor authentication in our online guide.
It is equally important for your employees to have up-to-date training to stay ahead of the increasingly sophisticated methods used by cybercriminals.
Some cyber insurance policies even offer cybersecurity training, to help reduce the risk of claims caused by human error.
2. Incident response & business continuity planning
In addition to robust cybersecurity measures, it is crucial that you have a cyber business continuity plan (sometimes known as an incident response plan) in place for cyber-related incidents, which seeks to minimise damage and disruption to the company and your supply chain.
This incident response plan should cover a wide variety of scenarios, including ransomware attacks, data breaches and other cyber incidents, and set out how your business can continue operating during or after a cyber incident. You can learn more about cyber business continuity planning here.
3. Cyber & Crime Insurance
One way of mitigating the financial impact of a cyber attack or data breach is to ensure you have robust Cyber Insurance and Crime Insurance policies in place.
Although some business insurance policies may offer limited coverage for cyber incidents, this is unlikely to be sufficient to cover the true cost of a cyber incident.
Many comprehensive cyber policies also offer cyber breach response support, an invaluable resource offering expert guidance in crisis containment and the best course of action to limit damage to your business and reduce recovery time and costs.
Typically, this will include data recovery specialists and expert negotiators to help recover your data and assets from cyber criminals.
It’s also important to consider that although a comprehensive cyber policy protects you against many costs associated with a cyber attack, policies do not cover monies taken from your account or fraudulent transfers – this can, however, be covered by a Crime Insurance policy which includes computer crimes.
Contact Tysers today
Our expert construction brokers are here to help. Whether you require risk management expertise in one particular area, or a programme of bespoke covers designed to protect all current and emerging risks, get in touch today or visit our website for more information.