LEGAL NEWS


Navigating The Many Cyber Risks In Today’s Construction Industry


By Cinthia Motley and Nora Wetzel, Sedgwick


September/October 2017


Businesses in the construction industry would be well-served to identify their vulnerabilities in data privacy and cybersecurity and correct them before suffering a breach or cyberattack. Internet-connected solutions and remotely accessible systems like building information modeling and project management software are useful tools, but also offer opportunities for hackers to launch a cyberattack. Construction businesses often have architectural drawings and specifications, corporate banking accounts and employee information along with bank account data used for payroll. Spear-phishing attacks commonly target employee payroll information, and ransomware attacks may steal intellectual property and other proprietary assets. “Ransomware” is a form of malware that encrypts critical data on affected systems (often through a phishing email). The encrypted data is then held “hostage” until the victim pays the untraceable cryptocurrency ransom.


You can prepare for and minimize your exposure to cybersecurity threats by implementing thorough preventive measures. To help you get started, here are some key questions to use in evaluating your company’s current state and to identify weaknesses to correct.


Data Assessment


What data do you have, both in sensitive, regulated personally identifiable information and key confidential business information, and do you need to keep it?


One of the first steps a company should take is to assess what types of data it collects and maintains as well as where that data is stored. The company can then identify the related risks and protections needed. This assessment should also be used to evaluate whether the business has satisfied both its regulatory and contractual obligations. Once there is an understanding of the scope of the data and related risks, it’s advisable to seek the assistance of an information security professional.


Access to Information


Who has access to your information and login credentials to your networks, and to what companies’ information and networks do you have access?


Credentials, logins and related permissions and rights can all be used to hack into a business’ system and take critical information. Carefully document who has access to administrative and security rights as well as who has access to your systems. Give access based on needs of the job. Carefully track active and inactive users and implement a system to immediately terminate access rights when an employee (or vendor) no longer needs it.


Encryption


How robust is your data encryption?


Encryption converts data into a code to make it unreadable. Encrypting data makes it less enticing to a cybercriminal because the data’s value is lost if it cannot be decoded or read. It also may provide a safe harbor in the event of a data breach; many states’ laws and federal laws exclude sensitive information from the definition of a breach if the information subject to the breach was encrypted.


Have a Plan


Do you have an up-to-date privacy and data security plan and have you assessed whether it is in compliance with current laws, regulations and contractual requirements?


A key to successful mitigation of cyberattacks depends on the preparation of an incident response plan (IRP) identifying which stakeholders will assume responsibility for promptly addressing incidents. Make sure to keep your IRP updated with current employees and phone numbers that can reach employees at all hours. Rarely do cyberattacks occur between the hours of 9 to 5.


Team


Do you have a breach response team identified, with both internal members and external specialists?


When a data breach occurs, you should have your partners identified in advance. Compliance with data breach regulations requires operating on a very short timeline. Having a forensic vendor identified and under contract who can immediately deploy its investigative resources is critical to “stop the bleeding” and to investigate what occurred. Selecting an attorney in advance to immediately retain to shield communications with attorney-client privilege is critical.


Business Continuity


Do you have a business continuity and backup plan that can keep you in operation in the event of a ransomware or business-disruption attack?


Cybersecurity attacks that cripple a business’ systems can cost it enormously. Regular backups of data and having alternative operating plans and systems


California Constructor

