[BreachExchange] Cyberattacks can cripple the construction industry

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 6 10:10:44 EDT 2016


http://www.miamiherald.com/news/business/biz-monday/article80425457.html

There has been an increase in the frequency of reported cyberattacks
against companies in the United States. In February 2016, Hollywood
Presbyterian Medical Center, a hospital in Los Angeles, paid hackers
$17,000 to regain control of its computer system, which had been locked by
ransomware. A month later, MedStar Health Inc. suffered a cyberattack which
shut down the records systems of 10 hospitals in Maryland and Washington,
D.C.

Given that any company with access to the internet is at risk of a
cyberattack, contractors and others in the construction industry should be
aware of the attendant risks and take steps to mitigate those risks.

A cyberattack and/or data breach could result in significant internal
costs, including costs associated with hardware and electronically stored
information (for example, IT expenses; data loss and restoration expenses;
and extortion costs); costs associated with regulatory compliance
(including fines and penalties); and costs arising from third-party claims
for privacy breaches (including contract and tort liability).

Businesses of all sizes are collecting increasing amounts of personal,
confidential, and proprietary information which is accessible via the
internet or the cloud. The construction industry is no different.

Given the increasing popularity of practices such as Building Information
Modeling, Integrated Project Delivery, and file sharing between
participants in a construction project, contractors may be at increased
risk of liability in the event of a data breach. A hacker may be able to
access architectural designs, including the designs of security systems and
features; financial information; confidential project-specific information;
and personal information of employees.

This holds true for both ongoing and completed projects. History indicates
that hackers may target critical infrastructure facilities such as
hospitals and energy facilities, as well as secure government systems.
Existing, ongoing, or planned construction projects in Florida fall into
these categories, including the expansion of Baptist Health System South
Florida, planned expansion at Turkey Point in Homestead, and new energy
facilities in Osceola and Citrus counties.

In November 2013, hackers gained access to credit and debit card
information for tens of millions of Target customers in the U.S. The source
of the data breach was a small HVAC contractor that provided services to
Target. The HVAC contractor had suffered a data breach from which the
hackers were able to obtain the network credentials that the contractor
used to remotely access Target’s network.

A construction company can take several steps to mitigate the risk of a
cyberattack and/or data breach.

Internally, the contractor should develop and enforce a Written Information
Security Program (WISP), which sets forth a protocol for protecting
personal and other sensitive information and complying with regulatory
requirements. The Florida Information Protection Act of 2014, Section
501.171 of the Florida Statutes, governs how covered entities (i.e., any
commercial entity that acquires, maintains, stores or uses personal
information) must prepare for and respond to data breaches.

The contractor should also prepare a preemptive Incident Response Plan in
order to maximize the efficiency and effectiveness of the contractor’s
response in the event of a cyberattack. These proactive measures could
result in cost savings and reduced exposure to liability.

A contractor may consider purchasing cyber insurance to cover the costs of
data restoration, business interruption, extortion and other associated
losses. Given that data breaches may remain undiscovered for some time, the
contractor may want to consider retroactive coverage for unknown losses
that occurred prior to the policy period.

Effective contract management is another key component in risk mitigation.
A contractor may be required by contract to implement specific data
security measures, carry cyber insurance and/or indemnify the owner for
costs arising from a data breach. A careful review of the operative
contract is critical.

Optimally, cyber insurance should be coordinated in order to cover any
potential liability the contractor assumes under the contract. Downstream,
the contractor should include hold harmless and indemnity clauses in
contracts with subcontractors and third-party vendors who have access to
confidential, proprietary and/or sensitive data.

Given the increasing frequency of cyberattacks and resulting data breaches,
contractors and others in the construction industry should be proactive in
order to mitigate the attendant risks. A coordinated effort between IT,
management, and in-house and outside counsel is key to an effective
cyber-defense strategy.

