
Is your construction business prepared for cyber risks?

The property and construction sector in New Zealand does an outstanding job of managing physical risks. It has the right tools, insurance and awareness to keep people and equipment safe on site and at the office.

But it’s harder to conceptualise a risk to your IT systems, and our property and construction sector isn’t fully ready for the absolute carnage that a cyberattack can cause. Only 5% of businesses have cyber insurance, even though everyone is at risk of a cyberattack – and the cost of an incident can sink your entire organisation.

The top 3 cyber risks for the property and construction sector

Unfortunately, our cybersecurity team is frequently called in to help with breaches. The top three risks are:

  1. Ransomware: Property and construction businesses typically hold a lot of private data about their staff, their customers and their subcontractors, and all of it is lucrative on the dark web. A ransomware attack is crippling: the attackers encrypt your systems, and usually steal a copy of your data first, so they can hold both your operations and your information hostage while you sit in the dark. 
  2. Invoice fraud: Because property and construction businesses often send large, one-off invoices, they are a favourite target for this type of fraud. Threat actors (the cybercriminals) get into your email system, learn your processes, and then scam you or your customers with fake invoices and notices that a bank account number has changed. Any change of bank details should be confirmed by phone on a number you already hold on file, never on one supplied in the email. 
  3. Third-party supply risk: Companies that outsource IT systems or platforms inherit their suppliers' risk. If your supplier is breached, there is a significant chance your data and systems will be affected too. 

Incident response costs can be eye-watering 

A ransomware attack can be a life-and-death situation for a business. An estimated 70% of SMEs don’t survive more than a year after a ransomware extortion event, according to Fraser Walker, BDM for cyber insurer Emergence, who spoke recently at ‘Get Cybersmart’, an event hosted by Grant Thornton New Zealand and Gallagher Insurance. 

What would your business do if a threat actor encrypted and locked you out of all your systems, and threatened to publicly release your private data? You might think your backups will save you, but threat actors often encrypt your backups first. They are usually easy to find and often saved in a folder called ‘backup.’ Backups only help if at least one copy is offline or immutable, cannot be reached with the same credentials the attacker has stolen, and has actually been tested by restoring from it. When someone is demanding a ransom of $1 million to unlock or decrypt your systems, what’s your plan? 

You’ll need the services of security experts, lawyers, PR professionals and your IT providers, explained Anthony Cooke, Partner at Atmos cybersecurity management specialists, at Get Cybersmart. By structuring a clear plan and surrounding yourself with the right team of experts, you can make the response more efficient and cost-effective. This can be put in place today, before anything goes wrong, because the cost of handling an incident can be substantial once you factor in the response itself, any ransom, and any regulatory engagement or third-party claims.

That’s where insurance can help. Depending on your policy, insurers typically cover both ransom and incident response costs during and after an incident. 

Why would you pay the ransom? 

People often ask why businesses or insurers would ever pay a ransom, which can only support and encourage criminals. But most people haven’t seen the carnage caused by the bad guys in their efforts to put pressure on their victims – or how reliably these criminals will deliver on their threats. 

“You don’t realise the lengths they will go to, to get you to pay attention,” Fraser told attendees at the Get Cybersmart session. “They’ll post on your LinkedIn. They’ll dob you into the Privacy Commissioner. They’ll constantly phone and email your staff. They’ll contact your clients and tell them, ‘I have a copy of your driver’s licence in front of me’.”

The threat actors may also ‘printer bomb’ a business: every office printer churns out payslips, HR grievances, the ransom demand or any other sensitive material they have stolen until the paper runs out, all to grab attention, create panic and ramp up the stress on decision-makers. 

The criminals will follow through on their threats, but they usually do hand your business back to you if you pay the ransom. Paying is not always necessary, and insurers have generally found that when a ransom is paid, the decryption keys arrive and access is restored. Even so, payment is a last resort: a decryptor can be slow or imperfect, and a criminal’s promise to delete stolen data cannot be verified. 

“We’ve generally seen the threat actors follow through on their promise to deliver decryption keys and stolen data. So, whilst we never recommend paying ransoms as a first resort, doing so does generally mean your business is made whole again,” Fraser said. He adds that they don’t tend to come back for a second payment from a business that has already paid. “On one occasion we saw a ransom paid and the organisation was hit again with an identical attack the next month. That business went back to the cybercriminals to say, ‘We already paid this’, and the threat actors couldn’t have been more apologetic. They immediately delivered all the decryption keys and even offered to provide manpower to re-enter lost data.”

Critical steps for protecting your business  

At the Get Cybersmart session, Raj Tiwari, Grant Thornton partner and cybersecurity expert, reminded the audience that the basics of security remain the same: multi-factor authentication on every account, strong password management, and keeping hardware and software patched and up to date. In the property and construction sector workers often log on remotely, which adds risk, so remote access needs the same controls as the office: MFA, and access only from approved, patched devices. And team members should have only the level of system access they need to do their jobs, and no more. 

Staff training and awareness are also imperative. Raj and his team saw one incident where a CEO was in the Philippines and connected to the Wi-Fi in a local café. His email was breached and threat actors emailed his team, pretending to be him, saying, ‘Please pay the attached invoice immediately’. It was an extremely convincing email and invoice, but luckily an eagle-eyed staff member spotted the sign-off: ‘Sent from my Samsung’. She knew the CEO only had an iPhone. That kind of awareness is hugely valuable in preventing losses. 
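The invoice-fraud pattern described above, and the compromised-CEO-mailbox story in particular, leave two footprints in a mail platform’s audit log: a sign-in from somewhere the user is never seen, and a new inbox rule that forwards or hides invoice-related mail so the real owner does not notice the conversation. The script below, an added example written for this page rather than anything presented at Get Cybersmart or used by Grant Thornton, runs that detection over a handful of constructed audit events. The event fields (`op`, `country`, `rule`) and the `example.co.nz` domain are assumptions for illustration, not the real Microsoft 365 or Google Workspace export format.

```python
"""Flag the two classic signs of a business email compromise (BEC) run-up:
a sign-in from an unfamiliar country and a mailbox rule that hides or
forwards invoice-related mail.

ASSUMPTION: the event schema below is a simplified, constructed one, not
the real Microsoft 365 or Google Workspace audit log format.  Map the
field names onto your own tenant's export before using this for real.
"""
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.co.nz"  # ASSUMPTION: your own mail domain
FINANCE_KEYWORDS = ("invoice", "payment", "remittance", "bank")

# Constructed sample audit events, not real data.
EVENTS = [
    {"time": "2024-05-02T03:10:00", "user": "ceo@example.co.nz",
     "op": "UserLoggedIn", "country": "PH"},
    {"time": "2024-05-02T03:25:00", "user": "ceo@example.co.nz",
     "op": "New-InboxRule",
     "rule": {"name": "_", "keywords": ["Invoice", "payment"],
              "forward_to": "ceo.example@outlook.com", "delete": True}},
    {"time": "2024-05-02T09:00:00", "user": "accounts@example.co.nz",
     "op": "UserLoggedIn", "country": "NZ"},
    {"time": "2024-05-03T11:00:00", "user": "accounts@example.co.nz",
     "op": "New-InboxRule",
     "rule": {"name": "Newsletters", "keywords": ["newsletter"],
              "move_to": "Archive"}},
]

# Per-user baseline of countries normally seen.  ASSUMPTION: built from
# earlier sign-in history, not something the audit log supplies itself.
BASELINE = {"ceo@example.co.nz": {"NZ", "AU"},
            "accounts@example.co.nz": {"NZ"}}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def suspicious_rules(events):
    """Return inbox-rule events that forward mail outside the organisation,
    delete it, or key on finance words; any one is reason to look closer."""
    hits = []
    for e in events:
        if e["op"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        rule = e["rule"]
        reasons = []
        fwd = rule.get("forward_to", "")
        if fwd and not fwd.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append("forwards to external address " + fwd)
        if rule.get("delete"):
            reasons.append("deletes matching mail")
        words = [w.lower() for w in rule.get("keywords", [])]
        if any(k in w for w in words for k in FINANCE_KEYWORDS):
            reasons.append("matches finance keywords")
        if reasons:
            hits.append({"time": e["time"], "user": e["user"],
                         "reasons": reasons})
    return hits


def unfamiliar_logins(events, baseline):
    """Sign-ins from a country not in that user's baseline."""
    return [{"time": e["time"], "user": e["user"], "country": e["country"]}
            for e in events
            if e["op"] == "UserLoggedIn"
            and e["country"] not in baseline.get(e["user"], set())]


def triage(events, baseline, window_hours=24):
    """Rate each user: HIGH when an unfamiliar sign-in is followed within
    the window by a suspicious rule change, MEDIUM for either alone."""
    logins = unfamiliar_logins(events, baseline)
    rules = suspicious_rules(events)
    verdicts = {}
    for r in rules:
        verdicts.setdefault(r["user"], "MEDIUM")
        for lg in logins:
            gap = _ts(r) - _ts(lg)
            if lg["user"] == r["user"] and timedelta(0) <= gap <= timedelta(hours=window_hours):
                verdicts[r["user"]] = "HIGH"
    for lg in logins:
        verdicts.setdefault(lg["user"], "MEDIUM")
    return verdicts


if __name__ == "__main__":
    for user, level in sorted(triage(EVENTS, BASELINE).items()):
        print(level, user)
```

On the constructed data the CEO account rates HIGH: a Philippines sign-in followed fifteen minutes later by a rule that deletes invoice mail and forwards it to an outside address. The accounts user’s newsletter rule is ignored. The correlation matters: in the café story the CEO really was in the Philippines, so an unfamiliar-country login on its own is a prompt to check in with the person, not proof of compromise; the rule change is what turns it into something to act on.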

Raj says you also need an incident response plan, and you need to test it, for example by walking through a ransomware scenario with your leadership team before it happens for real. Get to know your response experts and insurer before an incident occurs. This builds trust, and reduces your stress levels if they do need to step in to help you handle an extortion event. 

New Zealand’s regulators have been relatively slow to legislate on cybersecurity – we estimate that Aotearoa is seven or eight years behind the pace. That’s probably making our market more attractive to threat actors, who will target your business, large or small. You need to start thinking about what could go wrong and how you can protect yourself. The property and construction sector is brilliant at managing risk, so let’s get cybersecurity risk higher up the register and treated with the seriousness it deserves.