Even if an attacker has no intentions of causing physical harm, he
or she may be interested in obtaining valuable corporate data,
such as intellectual property, trade secrets or any other data
that could be used for competitive advantage. Furthermore,
even in instances where hackers have no interest in your
company’s data whatsoever, they may nevertheless capitalize
on human weaknesses in your system as a jumping-off point
for other data systems. This is especially true for contractors,
who may offer unanticipated avenues to other targets, and is
even more pertinent for those in the government contracting
space, as they may have access to sensitive government
information or capabilities.
Also, construction companies house significant amounts
of sensitive employee information, making them a path of least
resistance for those looking for a simpler target. Attackers do not
care where they get their information. They only care that they
get it, and they are patient. A recent survey showed that
cyber-attackers went undetected for an average of 243 days.
Moreover, even those construction businesses who do
recognize the threat to the industry may be inclined to think
that cybersecurity is solely an IT issue. However, preparing
for – and responding to – a cyber-incident falls on the
shoulders of many more than just IT or information security
professionals. In fact, a successful incident response team
consists of a multitude of cross-functional representatives
in addition to IT and information security, such as legal,
compliance, privacy, public relations, government affairs,
audit, ethics, and business lines.
No matter how secure or resilient a company’s system may
be, perfect security does not exist. As many cybersecurity
experts profess, “it is not a matter of if but when.” Thus,
against the backdrop of the inevitable, the time to prepare
for a cyber-incident is not while an attack is ongoing. A critical
aspect of cybersecurity is preparedness.
Below are some baseline steps
members of the construction
industry should be taking to ensure
cyber-incident preparedness:
» Incident Response Policies: It is absolutely critical to have a
plan in place in the event a cyber-incident does take place.
While traditional incident response and disaster recovery
plans may serve as a rough guide, cyber-incidents pose
specific threats that will not be adequately addressed by
policies directed at incidents occurring on a more tangible
level (such as natural disasters). So it is imperative that a
policy be created specifically for a cyber-event that takes
into consideration these specific characteristics.
» Designated Leadership: An incident response policy is only
effective if the people responsible for executing it understand
their role and are able to fulfill their duties. Accordingly, there
should be clearly designated roles for the varying aspects
of the incident response process. In particular, there should
be a pre-identified incident response team, with a single
“incident command” who is in charge of the overall response
process and who has real-time decision-making authority.
Similarly, there should be designated points of leadership
within functional departments to manage the process in their
respective areas. As mentioned, the incident response team
should consist of representatives from all key stakeholders
within the organization, and these roles and responsibilities
should be clearly defined and memorialized in the incident
response policy.
» Communication Protocols: In order to respond in a timely
and appropriate way in the event of a cyber-incident,
employees must understand when and what needs to be
communicated across departments. Any incident response
policy should clearly articulate communication protocols
and escalation procedures. Similarly, there should be clear
guidelines regarding external communications, such as
requiring that all third-party inquiries be routed through the
public relations department and a strict prohibition against
communicating about the incident to the outside world.
» Employee Training: To ensure that incident response
procedures are properly communicated, companies should
conduct regular training with all employees. Training should
not be limited to just those individuals directly involved
in the incident response process but should be given to all
employees. However, additional targeted training should be
conducted with official Incident Response Team members.
» Cyber-Exercises: The best form of training is through
execution. Simulated cyber-exercises are the most
effective method to ensure (1) incident response policies
and procedures are sufficient and effective and (2) such
procedures are readily understood across the organization.
Cyber-exercises can help to identify unknown vulnerabilities
or unanticipated gaps in process that may not be readily
apparent on paper. Moreover, exercises allow companies
to practice their response protocols for the first time in a
A hacker with access to construction data could wreak
havoc not only operationally but also through the physical
destruction of data, servers and infrastructure as well as
ultimately by threatening the safety of individuals on-site.
In fact, such incidents can cause harm to an owner’s design
and security systems.
20 Building Washington
LEGAL REVIEW