How prepared is your
firm for a cyber threat?

by GREG MEEDER, CHRISTOPHER CWALINA & KAYLEE COX, for BuiltWorlds | April 28, 2015

The authors are attorneys with Holland & Knight LLP

Cybersecurity is everywhere in the news today because hackers have been very successful in exploiting human weaknesses across a broad array of industries. Our construction industry appears to be tempted to brush off these early attacks, thinking that it is not a prime target.

However, any business that is connected to the Internet is a potential victim. The construction industry also contains special vulnerabilities related to the physical makeup of our society that do not exist in other commonly recognized target industries, such as the financial or healthcare sectors. In our industry, ignorance can hamper a construction company's well-being and its operational security.

Construction executives should be paying attention to, and learning from, those who have already experienced a major cyberattack. For instance, an owner's plans, specifications and virtual construction data present an easy target. Take, for example, the virtual construction needs of a large construction project. There is almost unlimited access to a building's physical and security design. In addition, many design and construction software systems – such as BIM, Revit, Procore and Aconex – have remotely accessible controls, or Internet-connected capabilities. A hacker with access to this data could wreak havoc, not only operationally, but also through the physical destruction of data, servers and infrastructure, as well as ultimately by threatening the safety of individuals on-site. 

Even if an attacker has no intention of causing physical harm, he or she may be interested in obtaining valuable corporate data, such as intellectual property, trade secrets or any other data that could be used for competitive advantage. Furthermore, even in instances where hackers have no interest in your company's data, they may nevertheless capitalize on human weaknesses in your system as a jumping-off point for other data systems. This is especially true for contractors, which may offer unanticipated avenues to other targets, and it is even more pertinent for those in government contracting, as they may have access to sensitive government information or capabilities. 

Also, construction companies house significant amounts of sensitive employee information, making it a path of least resistance for those looking for a simpler target. Such hackers do not care where they get their information. They only care that they get it, and they are patient. A recent survey showed that cyber-attackers went undetected for an average of 243 days. 

Moreover, even those construction businesses that do recognize the threat may be inclined to think that cybersecurity is solely an IT issue. However, preparing for – and responding to – a cyber-incident falls on the shoulders of many more than just IT or information security professionals. In fact, a successful incident response team consists of a multitude of cross-functional representatives in addition to IT and information security, such as legal, compliance, privacy, public relations, government affairs, audit, ethics, and business lines.

No matter how secure or resilient a company's system may be, perfect security does not exist. As many cybersecurity experts profess, "It is not a matter of if, but when." Thus, against the backdrop of the inevitable, the time to prepare for a cyber-incident is not while an attack is ongoing. A critical aspect of cybersecurity is preparedness. 

PreparE for when, not if, an attack happens

Below are some baseline steps that construction firms should be taking to ensure preparedness:

• Incident Response Policies: It is absolutely critical to have a plan in place in the event a cyber-incident does take place. While traditional incident response and disaster recovery plans may serve as a rough guide, cyber-incidents pose specific threats that will not be adequately addressed by policies directed at incidents occurring on a more tangible level (such as natural disasters). So it is imperative that a policy be created specifically for a cyber-event that takes into consideration these specific characteristics;
• Designated Leadership: An incident response policy is only effective if the people responsible for executing it understand their role and are able to fulfill their duties. Accordingly, there should be clearly designated roles for the varying aspects of the process. In particular, there should be a pre-identified incident response team, with a single "incident command" who is in charge of the overall response process and who has real-time decision-making authority. Similarly, there should be designated points of leadership within functional departments to manage the process in their respective areas. As mentioned, the team should consist of representatives from all key stakeholders within the organization, and these roles and responsibilities should be clearly defined and memorialized in the policy;
• Communication Protocols: In order to respond in a timely and appropriate way in the event of a cyber-incident, employees must understand when and what needs to be communicated across departments. Any incident response policy should clearly articulate communication protocols and escalation procedures. Similarly, there should be clear guidelines regarding external communications, such as requiring that all third-party inquiries be routed through the public relations department and a strict prohibition against communicating about the incident to the outside world;
• Employee Training: To ensure that incident response procedures are properly communicated, companies should conduct regular training with all employees. Training should not be limited to just those individuals directly involved in the incident response process. However, additional targeted training should be conducted with official "Incident Response Team" members;
• Cyber-Exercises: The best form of training is through execution. Simulated cyber-exercises are the most effective method to ensure: (1) incident response policies and procedures are sufficient and effective, and (2) such procedures are readily understood across the organization. Cyber-exercises can help to identify unknown vulnerabilities or unanticipated gaps in process that may not be readily apparent on paper. Moreover, exercises allow companies to practice their response protocols for the first time in a controlled environment. In addition, regulators and consumers are increasingly expecting that companies conduct cyber-exercises as an information security best practice;
• Third-Party Vendor Management: A major cyber-incident will inevitably trigger a need for external assistance (e.g., outside counsel, forensic firms, credit monitoring services, etc.). Just as the time to test incident response procedures is not during an actual incident, companies likewise will not want to deal with establishing third-party relationships in the midst of a cyberattack. Companies should make these arrangements in advance so that these parties are ready to respond if and when the time comes for their assistance.

As discussed, there is no such thing as perfect security, and the construction industry equally is not immune from a cyberattack. Thus, it is imperative that companies begin to prepare for a cyber-event before an incident actually occurs, to ensure a streamlined and coordinated response process and to minimize the subsequent aftermath.

While the above principles serve as a baseline for cybersecurity preparedness, a sound information security and incident response program requires skilled, intensive attention and analysis. Holland & Knight's Construction Industry Practice Group, as well as our Data Privacy and Security Team, have the combined experience to assist companies with cybersecurity incident preparedness, including reviews and analyses of policies and procedures, the conducting of cyber-exercises, and the providing of vendor management services. For more information, please contact the authors.

________________________________________________________________

Gregory R. Meeder is Equity Partner with Holland & Knight's National Construction Industry Practice Group. He is Immediate Past President of the Chicago Building Congress, where he still serves on the Executive Committee. An arbitrator and mediator on the Panel of Construction Neutrals for the American Arbitration Association and ADR Systems of America, Meeder also serves as general counsel to the Underground Contractors Association. He can be reached via email at gregory.meeder@hklaw.com. 

Christopher G. Cwalina is a partner in Holland & Knight's Washington, DC, office, and co-chair of the Data Privacy and Security Team. He concentrates his national practice on privacy and data security compliance; litigation; defending firms in investigations initiated by state attorneys general, the FTC or other government agencies; responding to security breach incidents; establishing international compliance frameworks for firms; developing and writing corporate policies & procedures. Email: chris.cwalina@hklaw.com.

Kaylee A. Cox is an associate in Holland & Knight's Washington, DC, office and a member of its Data Privacy and Security Team. She focuses on privacy and data security compliance, regulatory investigations, security breach incident response, breach preparation and cybersecurity risk management, and development of corporate privacy and security policies and procedures. She advises companies on privacy and cybersecurity regulatory issues and legislative affairs, as well as compliance with state, federal, and international privacy laws, regulations, and directives. Email: kaylee.cox@hklaw.com.