Cyber breaches are big news. Large corporations get hacked with alarming frequency, and hundreds of thousands of consumers are vulnerable. You may not think your architectural, engineering or contracting firm is at risk, but that is simply not the case.
Building information modelling (BIM) and computer-aided design (CAD) are in widespread use. These tools, while they improve efficiency and quality, also increase the risk of a cyber-attack. There have been well-publicized cyber-attacks on solar panel installation contractors, HVAC contractors, manufacturers and retailers of building products, fence contractors, and many other firms across the industry.
Customer information, intellectual property and your firm’s financial information are all at risk. Social engineering and phishing scams can defraud your company of thousands of dollars. Your firm could experience damage to your reputation, business interruption or construction delays, and lawsuits by affected clients.
Small businesses are increasingly at risk
Large corporations are not the only ones affected. According to international cyber security and anti-virus provider Kaspersky Lab, small businesses faced eight times more ransomware attacks in the third quarter of 2016 than in the same quarter last year. The average cost of a cyber-attack on a small business is $690,000, according to Ponemon Institute. Notably, the National Cyber Security Alliance found that 60 percent of small businesses close their doors within six months of a cyber-attack.
There are steps you can take to help keep your customer and company data safe. Enact these policies to prevent data breaches and protect yourself.
- Open-access Wi-Fi networks (those without passwords) are prime targets for scammers. Make sure your network is password-protected.
- When logging into email or other secure sites, make sure the URL starts with https://. This indicates a secure (encrypted) connection to the site. A site that starts with http:// (no ‘s’) is not secure.
- When you’re using your computer or tablet in a public space, shield your login screen and other sensitive content from prying eyes.
- Don’t leave your laptop, tablet or phone unattended where someone can grab it and all the data it contains.
- Disable the automatic check-in feature of your phone. This feature can reveal personal habits and sensitive information.
- Don’t give strangers without proper credentials access to secure areas in your building.
- Lock your computer when you leave your office, desk or work station.
- When you’re sending a confidential document to a colleague or client, encrypt it before you email it. Then email the encryption password in a separate email. This is safer than uploading it to a password-protected cloud sharing app, or mailing a CD.
- When possible, use a corporate VPN to establish remote connections to business systems.
- Make sure your firewalls are regularly updated with the latest security patches.
- If you receive an unsolicited email, verify its authenticity. Company logos are easily copied by scammers, so don’t assume that a logo means an email is from the company it purports to be from.
- Reputable companies generally don’t use public email services like Gmail and Yahoo, so emails from these domains should be carefully scrutinized.
- Beware of requests to supply or “verify” account numbers or sensitive information.
- Don’t click on links in unsolicited emails. If you think the message is legitimate, go to the company’s website and log in from there.
Social engineering attacks pose a significant threat to data and systems. These are attacks in which scammers trick people into giving them access to sensitive information. Rather than breaking into your network, these scammers will try to get you to hand over the information willingly by making you think they’re someone they’re not.
Here’s what you need to know about these kinds of attacks:
- Fraudulent communications like phishing emails and smishing (fake SMS or text messages) trick users into clicking on links that can infect their computers with viruses or activate bots that collect sensitive information. Don’t click on a link unless you are absolutely certain the message is legitimate.
- Social engineers troll social networks to learn users’ personal information and details, and then use this information to try to hack into those users’ accounts.
- Common social engineering tactics include:
  - Strange links in posts
  - Unexpected popups
  - Pirated media with embedded malware
  - Messages offering rewards for contests you did not enter
  - Fake social media profiles, pages or groups
  - Apps or games requesting access to your profile information
Social engineering attacks can also happen over the phone, with a caller requesting sensitive data, or in person, with a contracted employee trying to gain access to your network.
Mobile device safety
- Four-digit PINs are relatively easy to break, especially if they are birthdays or anniversaries. Use a six-digit PIN instead. Fingerprint trails can reveal swipe patterns, so use a complex swipe pattern and clean your screen regularly. Alphanumeric passwords and fingerprint IDs are more secure.
- Back up your device to a computer or cloud service. Use encrypted backup options for added security.
- Consider an app that wipes the contents of your device if it is ever lost or stolen.
- Turn off your camera’s geotagging function, as it gives scammers information about your location.
- Be careful when connecting to Bluetooth with your mobile device, as you may be giving those nearby access to your device when you connect.
- Verify that your business liability insurance policy includes coverage for breaches of corporate confidential information.
- Purchase a policy that affirmatively covers funds stolen from your customers’ bank accounts.
- Make sure your policy has a limit of at least $2 million in the aggregate for privacy breach costs.
If you use a phone app for mobile time tracking, work on system design or installation for smart buildings, or collect data or stream from drones, you could be putting your company at risk. Professionals in the construction industry are as susceptible as anyone else to cyber-attacks. Know how to protect yourself and talk to your employees about this growing threat. Taking these precautions will help reduce your risk of becoming a victim of a cyber-attack.
Daniel Gmelin is the National Architects and Engineers Product Head at Hiscox, the international specialist insurer. He can be reached at Daniel.firstname.lastname@example.org.