Construction companies operate just like all other companies, right? Not so much. They might use name-brand computers and tools like Microsoft Office for garden-variety office activities. But they also run CAD, project-planning, and procurement systems you won’t find in other industries. If you’re in the construction industry, you already know all that. So, why are we pointing it out? Because the hardware and software with which construction companies work; the collaborative nature of the work they do with architects, engineers, foremen, and workers; the workflows required for design, construction, and testing; and the regulatory and security mandates with which they must comply require special care and feeding.

That means you should have access to highly trained and specialized people to see to your IT and security needs. You (or those highly trained and specialized people) should be able to support the technologies that run your critical applications — estimating, accounting, project management, document management, and scale management, and others. You (or those highly trained and specialized people) should have Mobile Device Management (MDM) and remote access capabilities that allow your team members to have access to anything, at any time, from anywhere. You (or those highly trained and specialized people) should also be able to design, build, manage, and monitor the network(s) on which all of your technological tools run.

If You Build It …

Since you are, after all, in the construction industry, you know the importance of punctuality and reliability. The highly trained and specialized people who see to your IT and security needs should be equally punctual and reliable. Not everything is an emergency. But if your IT team isn’t punctual and reliable under normal operating conditions, it’s not likely they’ll come through for you at crunch time. Make sure they treat your business as if it were their own. Make sure they care for your data as if it were their own. Make sure they secure your entire IT infrastructure as if it were their own. Make sure they treat cyber threats and viruses as if they were being attacked by them. And make sure they’re there when you need them — before you need them.

A famously misquoted line from Field of Dreams is, “If you build it, they will come.” In construction, that may or may not be true. But in the world of IT and your infrastructure network, it’s definitely true of hackers and other bad actors. So, when you look for the highly trained and specialized people to see to your IT and security needs, look carefully and choose wisely.

And in case you’re curious, yeah, we know some guys. 😉

In an earlier post, we mentioned the importance of cyber liability insurance — and the importance of putting the necessary cybersecurity protections in place so you can qualify for a comprehensive policy at an affordable rate. Well, as it always does, the market has continued to evolve, demand has continued to increase, and so have the premiums for cyber liability policies.

In a recent press release, AM BEST wrote:

Strong demand for cyber insurance and the substantial rate increases in recent years have made the segment the fastest-growing one in the U.S. property/casualty insurance industry. AM Best estimates cyber direct premiums written in 2022 to range between $8 billion and $11 billion, up from $2.7 billion just two years ago. Additionally, average quarterly price increases, albeit still high, have slowed somewhat since peaking at 34% in fourth-quarter 2021, according to published reports, at the same time that insurers have become more conservative with limits and shares. Insurers have placed greater focus on managing aggregate cyber exposures given the systemic risk involved.

Translation: The cyber liability market is booming. Premiums are going up. Coverage limits are going down. Your potential for financial risk is increasing.

What Can You Do?

This is bigger than an IT issue. More than your network and your data are at stake. If you’re a business owner, a chief executive officer, a chief financial officer, or a chief operations officer, your entire business may be at risk from ransomware, viruses, data theft, damage to your reputation, and compromises to your customer relationships. Regardless of whatever ransom might be demanded after your network is infected with ransomware, is anything worth that price? Is any such risk worth taking?

What you can do is take control. If you’ve taken no steps to secure your network and your data from cyber breaches, get a cybersecurity audit that will:

  • Determine the types of information stored on (or accessible through) your network(s)
  • Document the number of hardware and devices connected to your network, as well as the number and types of software systems or applications in use
  • Assess your overall data security
  • Reveal any unknown vulnerabilities
  • Make sure your hardware and software are up to date
  • Evaluate whether your existing policies and training are adequate
  • Determine if your people are compliant or if they pose potential threats
  • Make sure their cybersecurity roles are clearly defined and adequately staffed.

Will that make your organization bulletproof? No. Will it decrease the likelihood of a cyber breach and increase the likelihood of your getting a solid cyber liability insurance policy at an affordable rate? Yes.

If you want to ensure your business is as secure as possible, do it now.

Timing is everything.

The March/April edition of Claims Magazine contains an article called, “Build a Strong Security Culture to Guard Against Risks”. The article says this, in part:

A security culture supports the objectives and values related to security, protecting the data and technology the company uses to do its work while protecting employees, customers, vendors and others. Security culture can be defined as the ideas, customs and social behaviors of a group that influence its security. Having a good security culture means security is embedded in the organization. Clearly, that’s important to provide the broadest level of protection for organizational data and systems.

Making sure you have the right tools and software in place to secure your organization against data breaches, viruses, and ransomware is one thing. Making sure your people have the appropriate mindsets and awareness — and making sure they know how to respond to perceived threats — is another.

“By failing to prepare, you are preparing to fail.” (Benjamin Franklin)

You can prepare your people and your organization by following six steps:

  1. In addition to having the right tools and software in place, make sure your people know to log all suspicious behavior and what steps to take to restore the safety of your environment.
  2. Teach your people that all software can be exploited and that there are bad actors who make their livings by exploiting it.
  3. Understand that simpler is better. The more complex a system or infrastructure is, the more difficult it is to administer and maintain and the easier it is for a hacker to find and exploit vulnerabilities.
  4. Insecure protocols — even if you attempt to conceal them with obscure ports and other tricks — are still insecure. Don’t let your people use them.
  5. Safety first. If your people consider all input as potentially hostile and teach them to verify anything and everything they accept, your people and your infrastructure will remain more secure.
  6. Provide the least amount of administrative access necessary for particular people to perform particular operations.

Does that seem simple? Good. It should. Complexity invites confusion and risk. Simplicity enables clear understandings, confidence and … well … security.

Security is not a cult. But it should be an integral element of your culture.

When most people think of cabling, they probably think of the spaghetti under their desks, the cable that comes in from the street for their internet connections, or the jungle of cables that connect their TVs to their home theater systems. This post is not about those cables. Rather, it’s about structured cabling.

According to Wikipedia:

Structured cabling is building or campus cabling infrastructure that consists of a number of standardized smaller elements (hence structured) called subsystems. Structured cabling components include twisted pair and optical cabling, patch panels and patch cables … Structured cabling is the design and installation of a cabling system that will support multiple hardware uses and be suitable for today’s needs and those of the future. With a correctly installed system, current and future requirements can be met, and hardware that is added in the future will be supported.

If you’ve been in business for a while, you’ve probably been informed on occasion, by some means or other, that your network is down. More often than not, it’s because of a poorly designed or a low-quality cabling system. A properly designed and installed structured cabling system provides a cabling infrastructure that delivers predictable performance as well as having the flexibility to accommodate moves, additions, and changes; to maximize system availability; to provide redundancy; and to future-proof the usability of the cabling system.

What Does It Do?

Imagine this: You got a computer for your home office, but there are no power outlets in the room. So, you have to find an extension cord (or cords) to run down to the breaker panel in the basement. Want to add a new lamp for your desk? You’d have to do the same thing with a different extension cord (or cords). That’s the way early IT networks were connected — with patch cords. That was then. This is now.

The best way to look at a structured cabling system is to consider it a mixed-media network system that controls all traffic across all media such as voice, data, video, and building-management systems. If your structured cabling system is designed, planned, and installed properly, it’ll be forward-looking and flexible enough to accommodate your present needs, as well as those that will arise as your business and technology evolve. Beyond that, a structured cabling system effectively divides your entire infrastructure into controllable blocks, then connects those blocks to produce high-performance networks.

The bottom line is that your cabling needs to be structured, as much as your organization does. And structured cabling will keep your network and your organization up and running.

According to Techopedia, disaster recovery is defined as:

a set of policies and procedures which focus on protecting an organization from any significant effects in case of a negative event, which may include cyberattacks, natural disasters or building or device failures. Disaster recovery helps in designing strategies that can restore hardware, applications and data quickly for business continuity.

Albert Einstein famously said, “In theory, theory and practice are the same. In practice, they’re different.” We bring that up here because, in the case of cyberattacks, natural disasters, or building or device failures, designing strategies isn’t going to help. The only thing that’s going to help is getting the business up and running again as quickly as possible while mitigating damage, risk, and the potential for recurrence.

Like Now

Should you incur what Techopedia refers to as a negative event, you need to triage — to prioritize things in order of importance. You need to minimize your losses of time, data, money, and credibility:

  • Shut down your compromised network and get it rebuilt on new hardware.
  • Identify your critical IT assets and determine their maximum allowable outage time.
  • Protect and secure your vital assets while minimizing the effects of the attack.
  • Find and eliminate the attackers.
  • Conduct the necessary crisis communications, including notifying all affected employees and customers.
  • Assign specific roles and responsibilities to your employees during the recovery process.
  • Contact your cyber liability insurer to make sure any claims incurred are adjudicated appropriately.
  • Contact your legal counsel to gauge potential liability and help with breach notifications to credit monitoring agencies.

Look Ahead

No one can predict when cyberattacks, natural disasters, or device failures will take place. But given the increasing prevalence of cyberattacks and the proliferation of cyber criminals, operating a business without a disaster-recovery plan in place — or operating a business without a trusted business partner to create and execute that plan — is like driving a convertible through Sniper Training School: You might actually make it through unscathed, but why in the world would you even try?

Be safe. Look ahead. Strive for the best but plan for the worst.

As Robin Williams said, “Reality. What a concept.”

In one of its cybersecurity-predictions posts, Gartner wrote this:

By 2024, 30% of enterprises will adopt cloud-delivered Secure Web Gateway (SWG), Cloud Access Security Brokers (CASB), Zero Trust Network Access (ZTNA) and Firewall As A Service (FWaaS) capabilities from the same vendor.

In contrast, Forbes published an article — “How Cybersecurity Companies Can Become Trusted Partners” — in which the author wrote this, in part:

As IT leaders look at cybersecurity offerings today, they see a proliferation of acronyms, deep technical claims and broad feature sets that leave the average leader wondering where to start and what to believe: CSPM, UEBA, Zero Trust, Cloud Native, Open XDR and so on. These are important concepts, no doubt, but they are ultimately tools to an end … From my conversations with IT leaders, I’ve learned that, instead of big claims, cybersecurity customers want a trusted partner. They want results. They want to get back to focusing on their core business. They want to know if cybersecurity risk is being managed by experts as an ongoing security journey.

To put it succinctly, simpler is better.

Which Way?

We work with companies that fall into one of two categories:

  1. The company’s been breached, needs to have the breach fixed, and needs to have its business operations restored. Now.
  2. The company doesn’t want to be breached, needs its access points sealed, and wants to have its network secured and monitored. Now.

The companies in both of those categories don’t have time for acronyms, abbreviations, arcane words and phrases, or definitions. If they’ve been hacked, they’re in peril. If they haven’t been hacked, they’re at risk. Either way, the direction they want to take is the one that’s most direct and most effective. And they’re not looking for a vendor that talks a good game. They’re looking for a vendor that brings its A Game and does what needs to be done. Now.

While we pride ourselves on being trusted by our customers, we don’t talk about it. We earn it. And vendors aren’t partners because they say they are. You’re a partner only if your customer thinks of you that way.

When it comes to choosing a cybersecurity provider, it really is a matter of direction.

Choose wisely.

History is full of famous last words. There’s some controversy as to the famous last words of a daredevil: They’re either “Watch this” or “What could go wrong?” And the famous last words of many surfers and swimmers have been, “Are you kidding? I’ll never get bit by a shark.”

Likewise, the famous last words of more and more business owners have been, “Cyberattack? Me? Never happen.” That, unfortunately, constitutes a very expensive way to find out you’re wrong.

Reality Check

According to the October edition of Best’s Review magazine, in an article entitled “Cyber Coverage Hits Landmark but Challenges Remain,” we learn this:

This insurance coverage celebrates its 25th year of existence in 2022 … Not only have the policies changed dramatically over those 25 years but so have the exposures [and] the risks … The average cost of a data breach globally averages to US$4.35 million in 2022 … [affecting] not just major corporations, but middle-market and even small businesses … cyber insurance rates for 2021 had risen the most in the following industries: energy/oil/gas and utilities; media/leisure/entertainment; professional services; IT/technology/telecoms; financial services; and public sectors.

If you work in those industries — and others — your chances of suffering a cyber attack are greater than your chances of being bitten by a shark or struck by lightning. And given the exponential proliferation of cyber attacks, running the risk of suffering such an attack seems to fall somewhere on a scale between unwise and self-destructive. There might be good reason for running such a risk. But we don’t know what it is. And it certainly isn’t money.

Follow the Bouncing Ball

The chart below shows increases in cyber attacks and their related implications for the past 17 years.

The good news is there was a slight decrease in data compromises from 2021 to 2022. The bad news is the bad guys who perpetrate cyber attacks haven’t taken any time off, but they have gotten increasingly more adept at getting what they want. And what they want is your data and the opportunity to hold you to ransom for it.

Here’s the bottom line: You can play fast and loose with your cybersecurity if you want to. But if you do, the thing that’s likely to suffer most is your bottom line.

Don’t get struck by lightning.

We can’t even tell you how many companies we talk with that say one of two things: (1) “We’re so small, no one wants to hack us.” (2) “We’re so small, we can’t afford cybersecurity protection.” Given the line of work we’re in, it’s hard to argue with people who say those kinds of things because they think we’re just trying to make a sale. Well, yeah. We would like to make a sale. But we’d also like to make sure your company, your people, your networks, and your data are safe.

Consider this: The website for Security magazine recently published a blog post called “Why small businesses are vulnerable to cyberattacks”.

In many cases, small businesses do not take cybersecurity seriously. Many businesses feel “too small” to be affected by a cyber incident. If an incident does occur, many do not realize the severity of a breach until it is too late … 47% of businesses with fewer than 50 employees do not have a dedicated cybersecurity budget. And only 18% of companies with more than 250 employees have a dedicated cybersecurity budget … the average cost of a data breach increased 10% in 2021 to $4.24 million.

Let’s Do the Math

It’s entirely possible you don’t think your business is big enough or important enough to be the target of a cyber attack. But given the average cost of a data breach, let’s consider two scenarios:

  1. Your company is small enough that you don’t have $4.24 million in assets. But you suffer a ransomware attack, and the ransom amount is $5 million. Even if it were only $3 million — or $2 million — you’d likely be put out of business.
  2. You buy cybersecurity coverage that includes end-point protection, multi-factor authentication, and email filtering. Let’s say that coverage costs $20 per seat, per month, and the ransomware attack fails.

If you have 50 employees, that’s $12,000 a year to stay in business. If you have 250 employees, that’s $60,000 a year to stay in business. It doesn’t take a mathematician, an accountant, or an economist to figure out that’s a lot less than any ransomware artist worth his salt would cost.

Cybersecurity is not an expense. It’s an investment — in your business and in your future.

Don’t take a chance. You’re not too small to hack.

Vulnerable is one of those words that seems to get thrown around a lot without much attention being paid to what it actually means. Everybody knows Superman is invulnerable (except for Kryptonite, of course). But what about the rest of us?

We don’t have to go any farther than the first definition at dictionary.com to find out how vulnerable we really are:

vulnerable (adjective):
1. capable of or susceptible to being attacked, damaged, or hurt

We’re susceptible to being attacked, damaged, or hurt even as we get out of bed in the morning. And it certainly doesn’t get any better after that.

Not You?

We could suggest your drive to work in the morning is fraught with vulnerability and go on from there. But given our line of work, we’re much more concerned with what happens at work, what could happen to your business, and how vulnerable your networks, your data, and your people are every day. And that vulnerability has nothing to do with the size of your business.

According to Byars Wright:

With more than 70% of cyber-attacks hitting small businesses, companies need to realize that it’s not just multimillion-dollar industries these hackers are going after. Small businesses are now a prime target since they’re less likely to have the infrastructure or security measures in place to prevent an attack. Whether this is due to a lack of budget needed to beef up cyber-security, or not believing anyone would want to hack them in the first place, the fact remains that even if the hacker obtains 30 personal information records, it’s a win for them …

  • 54% of small businesses had data breaches involving customer and employee information in the past 12 months.
  • 52% experienced a ransomware attack, and 53% had more than two ransomware incidents in the past 12 months.
  • The average cost due to damage or theft of IT assets and infrastructure was $1,027,053, in addition to $1,207,965 for disruption to normal business operations.

Is there a cost to cybersecurity protection? Yes. But what’s the cost of not having it?

The Bottom Line

The bottom line that could affect your bottom line is that hackers are like pickpockets at the carnival: They’re there because you are. They want what you have. However underhanded or illegal it might be, they’re just doing their jobs. And they’re getting better at it all the time.

It’s your job to protect yourself.

That’s why we’re here.

There’s an old saying that goes like this: “Wherever you are, that’s where you are.” We could never decide whether that’s really profound or really obvious. But it doesn’t matter. What does matter is a question we get all the time.

Whenever we talk to companies about cybersecurity, someone always asks, “Where do we start?” The answer is, “Wherever you are.” That means — whether you’ve done a little or a lot to protect your company from cyber attack — the best place to start is with the next logical step.

If you haven’t done anything, we’ll start with a gap analysis: How prepared are you for an attack? What’s your ability to recover? We’ll assess the level of vulnerability of your remote access points and the ease with which your networks and systems could be compromised. Then we’ll categorize your risks and prioritize our remediation efforts.

Next, we’ll act like hackers and do our darnedest to breach your environment. That will enable us to evaluate your network, your software, your security controls, and your defenses. Beyond that, we’ll keep an eye on your IT infrastructure to make certain it remains secure and compliant. We’ll even monitor dark web data for evidence of data theft, immediately reporting breaches or abnormalities. And we’ll help you prevent or minimize risks to your operation and your reputation from hacked or exposed credentials.

If You Already Have Some Protection

If it ain’t broke, there’s no need to try to fix it. Start from the most recent thing you’ve done and build on it. Fortify your defenses. Shore up your firewall. Replace your end-of-life network equipment. Check all of your perimeter and internal defenses and system configurations to ensure they’re as tight and secure as they were when you put them in place. And make sure you keep them up to date.

An attempted cyberattack is no longer a matter of if. It most definitely is a matter of when. You owe it to yourself, your company, your people, and your customers to make sure you’re prepared to ward off those attacks and to recover from them should they occur.

Wherever you are on your journey to cybersecurity, that’s where you start your efforts to become more secure.

We don’t know if that’s profound. But it’s necessary, now more than ever.