- About PS&F
- Industry Focus
- Client Tools
- Education & Events
- Case Studies
March 22, 2016
Nick Montera | Vice President, Account Executive
Rarely does a week pass when we don’t hear about another major cyber breach, computer virus, or social engineering scam. Healthcare, financial institutions, retail, and governmental networks tend to experience the highest frequency of attacks. However, that does not mean that the construction industry is immune to cyber attacks. The truth of the matter is that any business connected to the internet is a potential victim. This is the first in a three-part series discussing cyber events as they relate to the construction industry. Below we discuss why contractors need to address the risks associated with cyber exposures. In part two, we will discuss cyber risk management basics: what you can do to prevent a cyber event from occurring and how you can minimize damage if and when they do occur. Finally, in part three, we will discuss risk transfer and how outsourcing, contract management, and insurance can protect your firm from loss.
Why contractors need to be concerned
It’s not just large corps that get hacked. In fact, Verizon’s “Data Breach Investigation Report” states, “…85% of targets of opportunity are small businesses.”i A recent publication by Hartford Financial Services Group goes on to state, “…Cyber-related crime incidents affecting small businesses have been increasing since 2004.” ii There are a number of reasons hackers may want to gain access to your systems, including:
Consequence of a breach
47 states have now passed 47 separate data breach laws each with their own reporting requirements. In addition, there are various federal laws that institute further requirements. While the laws vary, in the event of a breach there are generally three issues a victim needs to address. First, the organization needs to figure out how they were breached and what data may have been accessed. This generally requires the services of an outside IT forensic firm. Once it is discovered what data has been accessed, legal counsel is engaged to determine notification responsibilities in the various jurisdictions. For instance, California notification requirements may require notification within days while other states may allow weeks. Finally, once it is understood what the notification responsibilities are in each of the applicable jurisdictions, affected parties need to be notified and credit monitoring is often offered to potential victims of identity theft.
In addition to these legislative requirements, your organization may face civil suits from parties who may have or could suffer identity theft. Regulatory fines and penalties are also common when a breach has occurred.
Ponemon Institute’s latest report estimates that “$154 is the cost per lost or stolen record. $3.79 million is the average total cost of a data breach.” This represents a 23% increase from 2013.
With the prevalence of breaches and the high costs associated with combating one, it’s easy to understand why all organizations need to be keenly aware of the risks and how to protect themselves from a breach. In the second part of our series, we will discuss some basic risk management controls to help prevent a breach as well as the need for a data breach response plan.
i Verizon, “Data Breach Investigations Report,” http://www.verizonenterprise.com/resources/reports
ii Cyber Exposures of Small And Midsize Business – A digital Pandemic, exhibit 1
iii (May, 2015), 2015 Cost of Data Breach Study: Global Analysis, IBM, and Ponemon Institute
The views and opinions expressed within are those of the author(s) and do not necessarily reflect the official policy or position of Parker, Smith & Feek. While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it.