COO of NormCyber, Pete Bowers, explores why construction firms are at particular risk of cyber threats and how cyber insurance can protect your business
As technology advances, the risk of cyber-attacks continues to loom over businesses in all industries. However, recent reports have highlighted the construction sector as particularly vulnerable to cyber threats, with many firms lacking cyber insurance to protect themselves. In fact, construction is now the fifth most at-risk sector for cyber-attacks, and the second most likely to be hit by ransomware. This vulnerability is likely due to the high success rate of attacks against construction firms and their willingness to pay out when the worst happens.
The pressure is mounting for them to improve their cyber resilience. But with insurers upping their standards, the onus is now on construction firms to bolster their defences against cyber criminals and secure the policy of their choice.
Why bother with cyber insurance anyway?
Cyber-attacks are steadily on the rise. The government’s latest Cyber Breaches Survey estimates that, across all UK businesses, there were approximately 2.39m instances of cybercrime in the last 12 months, costing victims, on average, £15,300 annually. As these attacks proliferate, the question keeping business leaders up at night is no longer “What if we’re hit?” but “What do we do when we’re hit?”. The purpose of cyber insurance is to produce an answer to this question, and, accordingly, its popularity has been skyrocketing.
This trend has put cyber insurers themselves in a difficult position. Faced with increased demand for their services amidst an evolving cyber threat landscape, cyber insurers now scrutinise candidates more meticulously than ever before. Applicants often find that – even after costly business assessments are done – they are rejected for coverage, while those that already have policies in place may come up against premiums that simply price them out of this type of protection.
Naturally, this has led many construction businesses to ask: is cyber insurance worth it? The short answer is yes – but there is a caveat. Cyber insurance offers a great safety net to firms that have already established some level of cyber resilience. The ability to establish and demonstrate this level of preparedness is the key to success in attaining coverage, keeping coverage affordable, and even maximising the effectiveness of disaster recovery in the event of an attack.
The ‘PPT’ approach: People, process and technology
To get cyber insurance-ready, construction firms must first create a comprehensive framework for cyber resilience assessments. This requires joined-up thinking across three areas: people, process and technology.
Often seen as a ‘human firewall’, people are organisations’ first and main line of defence against cybercrime. They are also the biggest liability – and cyber insurers know this. Eight in 10 cyber breaches occur as a result of phishing, which exploits the human brain’s natural instinct to trust the familiar and respond to pressure. Recently, the rise of remote working, the blurring of work-life balance and layoffs – resulting in potentially disgruntled or careless employees – have all exacerbated the threat to organisations on this front.
Regular, bite-sized security awareness training combined with simulated phishing attacks can help organisations test and improve awareness and compliance.
Processes cover both ‘technical measures’ – such as appropriate access controls and system security protection for processing and moving personal data – and ‘organisational measures’, which include the policies, processes and procedures governing the firm’s contractual agreements with contractors and their implications for individuals’ data security. Certifications such as Cyber Essentials, Cyber Essentials Plus and ISO27001 are designed to give organisations the framework for ‘good practice’ and demonstrate cyber health credentials.
Cyber insurers are interested in this because having effective technical and organisational measures in place means that, in the event of a cyber-attack, they can help firms resume operations faster and more easily, while complying with data protection regulations. Having a documented and tested incident response plan – defining who does what and when, who is informed and how, and which systems must be restored to ensure business continuity – is key.
Technology controls must be both proactive – for example, vulnerability management and email threat prevention – and reactive, including threat detection and response, and cyber security incident response.
Construction firms operating in traditional IT environments have more catching up to do in this regard than those in the more technology-native sectors. The area where this is most apparent is patch management: only 26 percent of construction organisations have this technical control, compared to 31 percent of all businesses.
Making the invisible visible
Once organisations have a framework in place, they can focus on the next step: continuous testing and reporting. By repeatedly assessing the strength of their people, process and technology controls, they can not only identify areas for improvement, but also create benchmarks against which progress can be measured.
Construction firms that can externally demonstrate their ‘cyber health’ credentials in tangible terms have a huge advantage when it comes to cyber insurance. This is because cyber insurers operate in a loosely defined risk landscape. Unlike other industries, where disasters and accidents tend to be one-off events, in the world of cybersecurity, breaches often have a snowball effect, with hackers lurking in the shadows for months and stolen data circulating on the dark web for years.
Since there is no ‘black box’ cyber insurers can plant into organisations to give them a clear measure of ‘good’ and ‘bad’ cybersecurity behaviour, it’s up to the firms themselves to demonstrate that their house is in order. When organisations can provide empirical data on the strength of their defences, cyber insurers can actually quantify the level of risk involved and make favourable decisions faster and more easily.
Bolster your resilience with cyber insurance today
Construction firms may look like lucrative targets for cybercriminals due to their financial precariousness and perceived lack of cyber resilience, but all that can change. With a focus on improving people, process and technology controls, construction firms can improve their cyber resilience, solve their cyber insurance woes and, ultimately, remove the target on their backs.