
June 1, 2020

Just when you have the new COVID-19 safety rules licked, here come the cybercriminals

  • A cybersecurity expert explains what a rise in email phishing attacks means for the construction community.
    Journal Construction Editor

    Global communications firm Edelman says nearly half of businesses responding to a survey reported at least one cybersecurity incident since the start of the COVID-19 pandemic. Talk about getting kicked while you’re down.

    Edelman is referring to a study of 1,000 businesses by IT security firm Barracuda Networks that also found just over half of them saw an increase in the number of email phishing attacks since the outbreak.

    What does all this mean for the construction community? To find out, the DJC asked Erik Moser, Edelman’s head of issues and crisis for the Pacific Northwest. Moser has led cybersecurity planning for a large coffee company and managed cybersecurity incidents for well-known regional clothing retailers, as well as a number of app developers and IT companies.

    Q: Why have security incidents increased during the pandemic?

    A: The most immediate factor is because there is a greater population of people working remotely and relying on their networks in new and potentially unfamiliar ways. Also, people have been craving information, so cyber threat actors are taking advantage by using emails with alleged COVID-19 maps and other resources to lure victims to click on fraudulent links that ultimately install malware and compromise data and systems.

    Lastly, the COVID-19 environment has made the already-present threat of ransomware even more severe, especially for organizations in critical infrastructure functions or time-sensitive projects like construction firms.

    Q: Where are construction firms most vulnerable?

    A: Every company needs to be responsible in how it handles personal data — for employees, as well as clients/customers; and then also be diligent in transferring money and making sure not to fall victim to any phishing or diversion.

    However, due to the time-sensitive nature of projects, ransomware can be especially dangerous because not being able to access data or systems could disrupt timelines and have cascading effects on a project.

    Q: What should contractors do in a ransomware situation?

    A: Preparation is always the best solution. Construction business leaders will need to navigate tricky decisions while under immense pressure, including if they pay the ransom, how to engage with stakeholders to avoid fallout, and how to keep operations running as smoothly as possible while the situation is sorted out. Preparing ahead of time by engaging experienced counselors can give leaders opportunities to practice for these situations, and greatly improve their response. It can make the difference between a full stoppage and just a minor distraction.

    Q: Many contractors use a myriad of electronic payments. What can they do to prevent fraud here?

    A: There are a lot of good resources for how to manage/avoid phishing scams that can misdirect payments, which contractors need to be vigilant against. However, they should also think about what other data they are holding onto that could come with legal responsibility — personally identifiable information (PII) like names, email addresses or other information that would require notification if it were accessed.

    Q: What should a firm do if its workers become victims of unemployment fraud?

    A: This is outside our scope, but if a company sees this, they should consult their legal advisers immediately to determine the appropriate next steps.

    Q: How well prepared for cybercrime is the construction industry?

    A: It varies company by company. Every industry is vulnerable to cybercrime, so every company needs to be prepared for it. There is a common misconception that hackers only target large companies, which is not the case; they target those who are vulnerable. AEC firms that are behind the curve should loop in legal, technical and PR expertise now to ensure they’re prepared to react to a cyber incident if one should occur.

    Responses have been edited for clarity.

    Benjamin Minnick can be reached by email or by phone at (206) 622-8272.
