0
Cybersecurity AwarenessCybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

Cybersecurity Awareness Month – 10 Tips for Improving Your Organization’s Cyber Hygiene

October is Cybersecurity Awareness Month – a month-long event with the goal of raising awareness of good cybersecurity practices.

As a law firm focused only on technology, data security, and privacy, Beckage is dedicated to helping organizations create robust cybersecurity programs that help prevent or lessen the impact of potential cyber attacks. This starts with helping organizations, and their employees understand the important role they play in protecting their systems and safeguarding data.

In recognition of this important educational opportunity, we have compiled some of our top cybersecurity tips to help your organization improve your cyber hygiene. Do your part, #BeCyberSmart!

1. Use Multi-Factor Identification  

Add multi-factor authentication to your accounts. These tools require you to grant access to your accounts every time someone tries to log in.   

 

2. Update your Systems  

Updates may be a pain, but they are important. Updates often include patches for recently identified security issues. Neglecting updates may leave you vulnerable to threat actors exploiting these vulnerabilities.  

 

3. Emphasize Employee Education  

Human error is one of the most commonly cited causes of cyber incidents. Conduct regular cybersecurity trainings, including tabletop exercises testing your incident response plan, to help employees understand their role in incident response and prevention.  

 

4. Use Strong Passwords  

Choose unique passphrases as an alternative to passwords (ie. Myd0g1sth3b3st! vs. Fido123). Use a different password for each account. To help keep your credentials straight, consider using a password manager.   

 

5. Examine Emails Carefully  

Scammers often mimic a legitimate site or email address by using a slight variation in spelling. Pay attention to email and website addresses and independently verify links and attachments before clicking. Know where/how to report any suspect emails because you may not be the only one who received it.  Sharing is caring! 

 

6. Avoid Public or Unsecure Wi-Fi Networks  

Do not connect to a public or unsecure Wi-Fi network, such as at a coffee shop or hotel. Any sensitive information transmitted over these unsecure connections can be accessed by other users on the network. When a secure network is not available, opt to use your mobile hotspot.  

 

7. Create Email Forwarding Alerts  

Set up alerts when forwarding rules are added to your e-mail account and routinely check email forwarding rules. If threat actors gain access to an email account, they may create account rules to hide their activity.      

 

8. Do Not Use Personal Devices to Access Sensitive Data  

Personal devices, such as your phone or personal computer, are often not as secure as devices in the workplace. Downloading or accessing sensitive information on those devices could lead to the information being compromised. Unless your Security Officer says otherwise, never access sensitive information from personal devices.    

 

9. Keep Track of your Backups  

Make sure to have backups of important backups in place and these backups are stored separate from your normal environment. Check the integrity of your backups regularly. 

 

10. Find A Data Security Team  

Creating data security policies, procedures, and plans be daunting. Partnering with a team that understands the legal and threat landscape surrounding data security is a great first step towards improving your cyber preparedness. 

 

 

*Attorney advertising – prior results do not guarantee future outcomes.

Subscribe to our newsletter.

0
Construction Industry and Cyber AttacksWhy the Construction Industry Is Being Impacted By Cyber-Attacks, and What To Do About It

Why the Construction Industry Is Being Impacted By Cyber-Attacks, and What To Do About It

By Jennifer A. Beckage, Esq., CIPP/US, CIPP/E
and Daniel Parziale, Esq., CIPP/US

Introduction

For many years, the construction industry has appeared almost immune from cyber events because of the limited personal information it keeps. However, the last 12 months directly negate this view, reminding the industry that this perspective no longer carries weight. The construction industry is one of the leading industries impacted by data security incidents. This begs the question: why? And what can the industry do to address this rise in cyber threats?

Threat actors know that the construction industry is, in some areas, behind in data security and privacy initiatives. This is in large part because this industry, to date, avoided heavy regulation in data security and privacy laws. The limited regulation and guidance in the construction industry may have contributed to less focus on cybersecurity than in other industries.

Additionally, many in the construction industry are leveraging artificial intelligence technologies (AI) such as machine learning (ML) and robotics, among others. These new technologies still require data security and privacy risk assessments and proper controls in place, something that may be a second thought for those in the construction industry that, historically may not have had cybersecurity top of mind.

Lastly, the threat actors seek to extort money, and the construction industry presents a big, lucrative target. The exposure of cyber-attacks in construction, in part, is amplified by the amount of confidential and proprietary information digitally stored and shared across projects and their long information technology (IT) chains. Infrastructure, financial accounts, as well as the data of employees, projects, and business- sensitive information may be at risk. Accordingly, the number of cyber-attacks in the construction industry are growing exponentially.

The legal and threat landscapes are constantly changing, requiring those in the construction industry to be familiar or associate themselves with experienced tech and legal providers who can assist in navigating these rushing river waters.

 

Some of the Largest Cyber Risks Facing the Construction Industry

While the risks of cyber-attacks are not unique to the construction industry, their impact on the industry is distinctive.

For example, on January 30, 2020, French construction behemoth, Bouygues, announced that threat actors were holding 200GB of data ransom. See Naveen Gourd, Maze Ransomware hits Bird Construction and Bouygues Construction, https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/. Ultimately, the ransomware event caused a delay to various projects as Bouygues shut down various operating systems to prevent the propagation of the attack. See Bouygues, Press Release – Information on a Cyber-Attack, https://www.bouygues.com/wp-content/uploads/2020/01/prbouyguesconstructioncyberattack01-31-2020-pdf.pdf.

Unfortunately, Bouygues is not alone in their suffering. Bird Construction, a large Canadian construction company, suffered a similar ransomware attack in December 2019, where the threat actors were demanding $9,000,000 CAD in exchange for decrypting the 60GB of data they were holding for ransom. See Naveen Gourd, Maze Ransomware hits Bird Construction and Bouygues Construction, https://www.cybersecurity-insiders.com/maze-ransomware-hits-bird-constriction-and-bouygues-construction/.

These events are, unfortunately, very common in the construction industry.

There are five main cyber-attacks that could impact a construction company: i) ransomware; ii) fraudulent wire transfer; iii) downtime or business interruption; iv) breach of intellectual property; and v) breach of bid data. Each presents its impact and harm.

  • Ransomware: Ransomware, when a threat actor holds a computer system hostage for payment, can limit a construction company’s access to critical systems and potentially delay work at a project. Moreover, a construction company may be left with little choice but to incur the financial responsibility of paying the ransom. However, damage from a ransomware event is not simply limited to the payment of the ransom but may also include reputational damage.

 

  • Fraudulent Wire Transfers: Fraudulent wire transfers, often the result of social engineering, present a substantial risk to the construction industry, which is often moving large sums of capital around. Falling victim to fraudulent wire transfer not only presents dire fiscal issues for a construction company but can also lead to severe reputational harm.

 

  • Downtime or Business Interruption: The construction industry is heavily reliant on the ability to deliver projects on a deadline. A cyber-attack on a construction company’s software or equipment could potentially cause a delay in the project while the cyber-attack is properly addressed.

 

  • Breach of Intellectual Property: If a construction company is holding highly sensitive blueprints or schematics in its computer system, breach of these computer systems could result in major reputational damage and potential lawsuits.

 

  • Breach of Bid Data: If a construction company holds information regarding its bidding strategies on a computer system, access and acquisition of these files could lead to a loss of a competitive edge.

 

What Happens In A Data Breach

The fast-moving cyber threat landscape above is juxtaposed with emerging data security and privacy laws. In the United States, there is no overarching data security and privacy law(s). Instead, we have a patchwork of federal and state laws that may apply to an organization.

For example, let’s pretend that Company XZY suffers a data breach that not only seizes access to systems, but one such system is a human resources program that contains all of the employee’s personal information (whether hosted internally or with a third-party provider). Perhaps another system is a client management program that has a sensitive design or tenant plans or city or government projects with confidentiality treatment requirements. Assuming in this scenario that the threat actor accessed and then exfiltrated the human resource system and client management program data, then Company XZY would have to provide notice to all potentially impacted persons (the employees in our scenario) under a myriad of state and perhaps federal laws, but also under contract to the third parties whose confidential business information was impacted.

As it relates to the employees, it is important for the legal counsel for Company XZY to review where each employee resides to determine applicable laws that will direct notification requirements for employees. As one can imagine, in a data breach with hundreds or thousands or more employees who are impacted, this could become complicated, but there are seasoned professionals who can help the organization prepare and respond. Unfortunately, most organizations are not prepared.

Besides operational setbacks from a data security incident and notifications to potentially impacted persons, there could also be revenue loss, reputational harm, legal fees, technical costs, call center expenses, credit monitoring costs, regulatory reporting, third-party claims, and more.

There are, however, ways that this risk can be shifted.

 

Actionable Steps the Construction Industry Can Take to Mitigate Cyber Risk

There are several methods your organization can leverage to limit its exposure to cyber risks. These include but are not limited to: 1) building a team of trusted advisors; 2) picking the plan that is right for you; 3) evaluating risk so it is properly allocated through contract; 4) evaluating whether your organization has a strong cyber liability insurance policy; and 5) implementing good cyber hygiene and best practices.

1. Build A Team of Trusted Advisors

Cybersecurity preparedness will require knowledge and awareness across many roles within the organization. The leaders of the organization, information technology, legal, and most likely also marketing, sales, customer service, accounting, finance, human resources, and other groups to the extent they exist at the organization.

Third parties will likely need to be engaged as the legal and technical areas are emerging at rapid speeds. Further, the market is oversaturated with vendors, providers, partners of all types and sizes. Organizations should take time to validate credentials, years of experience, contractual terms, insurance carried, and more before engaging third-party partners to assist with cybersecurity program development.

2. You Pick the Plan

The organization’s team should, through a risk assessment, determine its cybersecurity program goals. Too often organizations are “sold” by a vendor as to a plan, but if a breach occurred such a plan would do very little to prevent legal and technical risk.

Some in the construction industry have robust experience with information technologies and others rely heavily on third parties. If the latter, find a trusted partner to help you manage your third-party providers if your organization does not fully understand technically what they are doing. Just like an employee, those third parties should be reviewed regularly (more on that soon).

3. Contract with Strong Data Security & Privacy Provisions

Another method of mitigating cyber risk is through contract. When reviewing your company’s agreements with third-party vendors and subcontractors, it should pay close attention to indemnification and insurance procurement provisions for how they might allocate cyber risk between the parties. A data security incident at one of your company’s vendors may have serious consequences when it exposes your business’ information. To that end, your company may want to consider including language in its third-party contracts which require vendors and subcontractors to indemnify your company in the event the third-party vendor or subcontractor suffers a data breach. Similarly, your company might want to consider requiring a third-party vendor or subcontractor to name your company as an additional insured on its cyber liability insurance policy. Both of these steps help in the event your third-party vendor suffers a data security incident, as the financial impact on your business would be minimal.

4. Cyber Liability Insurance

If the third parties the organization is using do not want to (or they should not) carry certain risk, one potential method of mitigating risk associated with cyber-attacks are a cyber liability insurance policy. These policies generally provide coverage for the following types of attacks:

  • Data Breach Expenses: When a threat actor accesses or acquires Personal Identifiable Information as defined by applicable law, your company has suffered a data security incident. Cyber liability insurance policies typically cover the costs of hiring lawyers, forensic IT security vendors, public relations, or crisis communication costs to assist you in handling your response. Moreover, cyber liability insurance policies cover the cost associated with notifying individuals and state regulators, providing identity and/or credit monitoring services to affected individuals, and running a call center.

 

  • Cyber Extortion or Ransomware: When a threat actor acquires access to your company’s systems and encrypts or otherwise locks you out of the network, demanding the payment of a ransom to unlock the system. Cyber liability insurance policies typically cover the cost of negotiating with the threat actor as well as potentially paying part of the ransom.

 

  • Fraudulent Wire Transfer: When a threat actor misdirects a wire transfer from your company to a vendor, your company is a victim of a fraudulent wire transfer. Cyber liability insurance policies will normally cover such fraudulent wire transfers if your company took certain steps to prevent them. Coverage for fraudulent wire transfers is generally limited to the amount of the wire transfer itself.

 

  • Business Interruption: When a threat actor executes a cyber-attack, some cyber liability insurance policies provide coverage for the loss of business income as a result of being locked out or shut down as part of the cyber-attack.

As provided above, cyber liability insurance policies generally cover the major types of cyber-attacks a construction company may face; however, cyber liability insurance is not the only means of mitigating the risk of a cyber-attack.

Cybersecurity insurance can provide first-party and third-party damages. Other insurance such as Tech Errors & Omissions may be options for some organizations to consider as well.

5. “What’s Good for the Goose is Good For The Gander” Policies and Practices

a.) Policies & SOPs

Applicable here is the old proverb “what’s good for the goose is good for the gander.”

If an organization is going to require that its vendors and third-party partners have certain controls and practices, then that organization should perhaps think about its practices. In fact, its insurance carrier may require it. Also, the organization may have requirements under laws and regulations, under contract, or other duties owed.

This is where most organizations are paralyzed – it sounds overwhelming. Or they find some stock policies, modify them slightly, and place the policies on a virtual shelf.

In creating policies, the team charged with building a construction cybersecurity program will identify first the laws that apply to the organization, IT standards it wishes to follow, along with other guiding principles – organization mission, vision, codes of conduct, or company ethics policies, and more.

Policies and standard operating procedures can come in a myriad of shapes and sizes, which makes creating them sometimes difficult for organizations – too many choices – so they pick and choose from numerous templates and the result is, frankly, often a mess.

Organizations should plan to take time to put together written policies and procedures that reflect the organization’s goals, vision, standards, controls, and more – not some other organization’s that is in a template found online.

What are some good cybersecurity controls and practices? The National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework Version 1.1 offers for some a good place to start looking at what a cybersecurity program may look like on the technical side for your organization. See NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (available at https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf).

b.) Controls

The organization will need a variety of physical, administrative, and technical controls.

Physical controls include safeguarding server rooms to video monitoring of secure areas (*be careful if you are collecting biometric information, this is also a fast-moving area).

Administrative controls include the policies and SOPs discussed earlier, but also that there are folks responsible for these duties, there is training, review, auditing, discipline, and more.

Technical controls can take many forms but include changing passwords regularly, implementing two-factor authentication where possible, and regularly informing employees of the dangers of social engineering. Good cyber hygiene can prevent a cyber-attack from occurring in the first place, and in that regard is one of the most effective means of mitigating cyber risk.

6. Construction Cyber Culture

One final method of mitigating cyber risk is through fostering good cyberculture across the organization.

An organization is on its way to great construction cyber culture through the actionable items above: 1) team of trusted advisors, 2) selecting a plan, 3) third-party contracting and auditing, 4) cybersecurity insurance, and 5) policies and procedures.

Great construction cyberculture begins with a buy in at the top and demonstrating by example (so no exceptions!).

 

Conclusion

Unfortunately, organizations in almost every industry are navigating cyber threats and the construction industry is no exception. There are, however, a number of risk mitigation strategies that can be reviewed for applicability to an organization. As discussed, the first step is to find those experienced trusted advisors to help navigate this complex and sophisticated legal and technical terrain.

Subscribe to our newsletter.

*Attorney advertising. Prior results do not guarantee similar outcomes.

 

Dan Greene Cannabis & Tech Today ArticleDaniel P. Greene, Esq. Was Published in ‘Cannabis & Tech Today’

Daniel P. Greene, Esq. Was Published in ‘Cannabis & Tech Today’

Beckage CannaPrivacy and Incident Response Team Lead, Daniel P. Greene, Esq., CIPP/US, CIPP/E was published in Cannabis & Tech Today‘s Summer 2021 issue for his article, ‘The Cannabis Industry’s Growing Threat of Business Email Compromise.’

CongressBipartisan Group of Senators Introduce Cyber Incident Notification Act of 2021

Bipartisan Group of Senators Introduce Cyber Incident Notification Act of 2021

On Wednesday July 21, 2021, Sens. Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins, (R-ME) introduced the Cyber Incident Notification Act of 2021 (CINA). 

Under CINA, federal agencies, federal contractors, and critical infrastructure companies (Covered Entities) would need to notify the Cybersecurity and Infrastructure Security Agency (CISA) within twenty four hours of discovery of a cyber intrusion or a potential cyber intrusion.  Moreover, under CINA, Covered Entities would need to provide regular seventy two-hour updates to CISA until the cyber intrusion has been mitigated.

Covered Entities who report to CISA under CINA will be afforded certain protections regarding their reports, including the report not being admissible as evidence into any resulting criminal or civil actions and being exempt to subpoenas, except for those directly coming from Congress.

CINA provides that Covered Entities who fail to report a cyber intrusion to CISA are subject to penalties determined by the Administrator of the General Services Administration (GAO), including but not limit to removal from Federal Contracting Schedules.  Additionally, CINA also provides that Covered Entities who fail to report cyber intrusions to CISA may be “subject to financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year.”

Beckage closely monitors changes in laws governing cybersecurity incidents and breaches of system security, including those which affect government contractors and suppliers.  Beckage’s team of attorneys and technologists are especially entuned with both responding to a data breach and understanding what a robust cybersecurity program would entail.  Beckage will continue to monitor CINA as it makes its way through the Senate and an update accordingly.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

Cybersecurity Map of United StatesCISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

CISA Cybersecurity Advisory – Chinese State-Sponsored Cyber Operations

On July 19th, the National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigations (FBI) released a joint cybersecurity advisory pertaining to Chinese state-sponsored threat actors. The advisory warns of potential malicious activity targeting “U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations.”  

In response to this increased threat, CISA suggests organizations, particularly managed service providers, semiconductor companies, the Defense Industrial Base (DIB), universities, and medical institutions, take the following steps: 

Patch your systems as soon as you can after the release of operating system and application patches.  Updates are often quickly reverse-engineered by threat actors to determine the vulnerability that is being fixed and whether it can be weaponized. 

Employ monitoring and detection technologies give you a 360-degree view of what is happening on your network.  Be sure you can see lateral movement, which may show indicators of compromise, inside-out traffic to malicious hosts, which may indicate command and control communication, and outside-in communication, which could reflect attempts at compromise from external sources.   

Implement strong preventative measures to mitigate or help prevent compromise from occurring.  These include active anti-virus and multi-factor authentication. 

Read the full cybersecurity advisory issued by CISA here. While this alert focuses on businesses that would be potential targets for nation-state threat actors, the advice above is applicable to any business. Following these best practices does not guarantee the prevention of a security incident but can make it substantially more difficult for threat actors to gain a foothold in an organization’s network and systems and can reduce detection time. 

If you suspect any malicious activity in your systems, or would like to speak to an incident response attorney to help improve your organization’s security, Beckage attorneys can be reached 24/7 via our Data Breach Hotline: 844.502.9363 or IR@beckage.com.  

*Attorney advertising: prior results do not guarantee future outcomes. 

1 2 3 6