
An Invisible Threat

March 5, 2019

Only three people at Hatfield Builders & Remodelers can access the company’s bank accounts, and any online transaction requires that two are present. One of the two must have a physical, bank-assigned security fob to verify the transaction. It’s a system designed to prevent theft, and the way hackers got around it was surprising. They didn’t subvert the system, or circumvent it, but rather used it against itself, exposing that even a seemingly well-protected remodeling company has cyber vulnerabilities.

Cybercrime is increasing in frequency faster than any other brand of crime, according to a joint report from Cybersecurity Ventures and the Herjavec Group. In 2016, cyberattacks cost the world’s economy $450 billion, roughly the size of Iran’s GDP. Over the next three years, experts believe economic damages from cyberattacks could increase to $6 trillion annually—more than the GDP of France and the U.K., combined. 

Cyberattack, Physical Hurt 

When you tighten the focus of those damages to small and midsized business (SMB), what you find is that the numbers scale nicely (in a masochistic kind of way) in that their impact maintains its relative oomph. A single cyberattack costs a small business on average $120,000, according to cybersecurity company Kaspersky. And it’s even worse for SMBs in North America, where the average financial impact is $149,000, up from $119,000 just a few years ago.

Tighten the aperture further, bringing our industry into better focus, and the realities, while still serious, are a little less dire.

“All sectors are subject to cyber risk,” says Doug Clare, vice president for FICO, an agency known for its credit ratings but more recently its cyber risk analysis. “What our data shows is that the construction industry is at a lower risk for cyberattack than most.” The unfortunate part is it’s not indicative of actual security measures, he says. “They’re just not that lucrative of targets.” But they are still targets. 


Cyber Enemy No. 1 

No one knows the threat better than Chad Hatfield.  

“These guys spoofed my email so the office manager thought she was communicating with me,” says Hatfield, president of Hatfield Builders & Remodelers, based in the Dallas area. Disguised as Chad, hackers convinced the office manager to send them her email login credentials. “They then set rules for her email so that if I ever sent anything from my actual account it would be routed to the trash.” The intruders explored the office manager’s emails until they were able to map out the company’s processes: who was in charge of what, and who had access. “Emailing as me, they convinced my office manager and my wife (the third manager on the account) that we needed to transfer money as part of a refund to a customer in Minnesota.” 

The hackers ultimately failed, but only serendipitously. Hatfield just happened to walk in the office as his wife and office manager were confirming the $6,000 transfer. They called the authorities soon after. “We never found the guy. Police said it happens all the time.” 

What happened to Hatfield is called social engineering, a method of stealing that exploits many businesses’ biggest vulnerability: its staff.

Phishing emails are the classic attack of this type—fake communications from reputable people or companies sent with the intent of compromising security. It’s called spear phishing when the email is targeted. Yet, this is only one of several schemes hackers have devised to trick businesses into handing over something, whether it be data, access, or cold, hard currency. What happened to Hatfield is called pretexting, meaning that the hacker provides a pretext for a user to send something, be it information or money. 
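One way to check for the mailbox tampering used against Hatfield, where a rule quietly sent the real president's messages to the trash, is to review every inbox rule for that pattern. The sketch below is an added example, not something from Hatfield or the sources quoted here; the rule format, action names, and domain are constructed placeholders, and it also flags a related pattern the article does not mention (rules that forward mail outside the company).

```python
from email.utils import parseaddr

# Assumption: placeholder company domain; replace with your own.
COMPANY_DOMAIN = "example-builders.test"
# Hypothetical action names for this constructed rule format.
HIDE_ACTIONS = {"delete", "move_to_trash"}
FORWARD_ACTIONS = {"forward", "redirect"}

def domain_of(address):
    """Return the lowercased domain of 'Name <user@domain>' or 'user@domain'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def audit_rules(rules):
    """Return (rule name, reason, addresses) for every suspicious rule."""
    findings = []
    for rule in rules:
        actions = set(rule.get("actions", []))
        # Pattern from the incident: mail from a colleague is silently discarded.
        colleagues = [a for a in rule.get("from", [])
                      if domain_of(a) == COMPANY_DOMAIN]
        if colleagues and actions & HIDE_ACTIONS:
            findings.append((rule["name"], "hides internal sender", colleagues))
        # Related pattern (beyond the article): copies of mail leave the company.
        outside = [a for a in rule.get("forward_to", [])
                   if domain_of(a) != COMPANY_DOMAIN]
        if outside and actions & FORWARD_ACTIONS:
            findings.append((rule["name"], "forwards outside company", outside))
    return findings

# Constructed sample: one mailbox's rules in a made-up export format.
SAMPLE_RULES = [
    {"name": "Supplier news", "from": ["news@supplier.test"],
     "actions": ["move_to_folder"]},
    {"name": "From the boss", "from": ["president@example-builders.test"],
     "actions": ["move_to_folder"]},
    {"name": ".", "from": ["President <president@example-builders.test>"],
     "actions": ["mark_read", "move_to_trash"]},
    {"name": "backup", "from": [], "actions": ["forward"],
     "forward_to": ["archive@mailbox.test"]},
]

if __name__ == "__main__":
    for name, reason, addresses in audit_rules(SAMPLE_RULES):
        print(f"REVIEW rule {name!r}: {reason}: {', '.join(addresses)}")
```

A rule that files a colleague's mail into a folder is left alone; only rules that discard internal mail or send copies to an outside address are reported for a person to review.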

Between Oct. 2013 and May 2018, the FBI reports that over 41,000 emails were compromised in the U.S., resulting in losses of nearly $3 billion. Malware—synonymous with phishing, its No. 1 delivery method—is similarly prevalent.

From 2013 to 2017, EY’s 20th Annual Global Security Survey found that the prevalence of malware and phishing skyrocketed. It did so seemingly in tandem, as phishing has become the No. 1 malware delivery method. Also, while cyberattacks specifically geared at stealing financial information and data—not including phishing and malware attacks—have ultimately declined, the attacks remain a serious threat. 

Malicious software comes in as many varieties as developers can imagine, each with its own shtick. Trojan malware disguises itself as a legitimate program to lure users into downloading it, and once inside will often create a backdoor for other malicious programs. Worms are self-replicating and use networks to worm their way into other devices. Keyloggers log your keystrokes. Spyware spies. And when your ad pop-ups are so frequent and relentless you can’t see your desktop, that’s when you have Adware. 

The most common malware is called ransomware. Here’s how it works: The hacker hijacks a user’s machine, locks files and access or encrypts needed information, and then ransoms back access to the user, often by threat of deletion. Fifty-one percent of companies surveyed in a study by the Ponemon Institute claimed to have experienced a ransomware attack, and each attack—of which the companies averaged four apiece—cost them $2,500. Ransomware accounts for 39% of all incidents, according to a report from Verizon. 

Providing Cybersecurity

Capital ‘T’-true, impenetrable cybersecurity is impossible. If the Pentagon can get hacked (and it has) so can your remodeling business. The name of this game is prevention and protection. 

“Small businesses definitely have some distinct challenges,” says FICO’s Clare. It’s a resource issue. Smaller companies, like remodelers, don’t have the expertise and budget to adequately shield themselves. Still, they can do better. 

Vulnerabilities Inventory

The most exposed area for a company is anywhere information is handled or exchanged. That’s why staff are such a vulnerability, as they represent access and information. That also includes partners the business interacts with—subcontractors, vendors, manufacturers, and customers. The now infamous 2013 Target hack—which cost the company $18.5 million and an incalculable amount of bad press—only happened because hackers gained access to its data through an HVAC company who’d worked on a few Target stores. “Identifying those points of information exchange and access is crucial,” Clare says. FICO’s Cyber Security Score is an easy way for a business to gauge its vulnerability, but it’s limited to its web presence. For the most thorough examination, Kevin Coleman, executive director of the National Cyber Security Alliance, says businesses should turn to an expert. “Have a pro come in and analyze your system,” he says. “You call a cybersecurity expert for the same reason you have a professional remodeler redo your bathroom: They’re the pros.” 

Training is Key

A staggering 71% of small business data breaches can be attributed to employees, whether it’s accidental loss or deliberate theft, according to an annual report from information security company Shred-It. Avoiding errors is mostly a matter of training. 

“It’s not uncommon for a business to not know how to analyze or secure their data, or even recognize an attack,” Coleman says. 

Hatfield says that following his company’s attack, training was made a priority. His biggest concern—though he didn’t use the phrase—is social engineering, a fear that his employees will be conned into handing over something valuable. “There are things you can look for,” he says, referencing scam emails. “The grammar isn’t correct. Their request is unusual, and usually involves you trying to download something or click a link.” It’s simple things like conditioning staff to expect fraud that keep clear red flags from being ignored as innocuous. 

“I tell my staff to think about our processes and how we usually interact with clients. If something feels out of place—like an electronic request to transfer funds when we’d usually discuss that in person—it probably is.” It emphasizes the importance of protocol. 

While paid training exists, there are free resources available as well. 

The Small Business Administration and NOVA Labs both offer free, fairly comprehensive online training that provides guidance on what attack methods are being used and how to identify when your business is being targeted.

For free, in-person training, the NCSA offers courses through its CyberSecure My Business initiative. “We send people around the country to talk to small businesses about what they can do to keep themselves protected,” Coleman says.

Insurance: Proceed With Caution

Cybersecurity insurance serves as a safety net for businesses. 

Insurance covers financial damages. “We have a fraud insurance policy,” says Hatfield. “It covers up to a million for electronic theft, because at any given time we may have half a million dollars in the bank. If someone were to gain access to our bank and transfer it out, we’d be done.” 

Selecting a policy and provider is a matter of research. There is crime insurance, which likely covers fraud and is something most businesses already have, and then there are specific cybersecurity policies, which differ from provider to provider. 

Whether a crime insurance policy, like Hatfield’s, covers a cyberattack is sometimes up for interpretation. Some banks contend that the steps between receiving a fraudulent email and the theft actually taking place take the crime out of the jurisdiction of “compromised business email,” which most policies cover. However, recent legal decisions in favor of acknowledging social engineering as an extension of a compromised business email (i.e., Medidata Solutions v. Federal Insurance Co. and Interactive Communications v. Great American) set a strong precedent for future companies making the same claim, though court action may be required.

For companies wishing to avoid a potential legal battle, policies designed specifically for cybersecurity are also an option. 

There are generally two types of cybersecurity policies: first-party and third-party. First-party covers “immediate response costs,” which include extortion, ransom, loss of income due to business interruption, theft, and property damage. Third-party covers claims from third parties, such as clients, that suffered losses as a result of the policyholder’s breach or attack. Those losses can include everything from legal fees to credit monitoring to restitution.

It’s important to note that some policies will require a certain level of security in place before coverage can be purchased. 

In addition, unlike car or home insurance, cyber insurance is a relatively new field and lacks standardization. This means that every insurer’s policies could address different risks and contain varying limits on what’s covered and how much they will pay.

Using a Framework

A framework is a cybersecurity structure to help guide a business in protecting itself. The most popular for small businesses was government-funded and developed by the National Institute of Standards and Technology (NIST). It’s simply called the NIST Cybersecurity Framework.

“The cybersecurity challenge is larger than just something cybersecurity professionals can fix,” said NIST program manager Matt Barrett during a 2017 workshop. It requires a more comprehensive effort and broader understanding, he explained. 

To that end, the NIST framework has five functions: identify, protect, detect, respond, and recover. These represent easy-to-understand guidelines that companies can use to develop a cybersecurity setup. “These words are accessible to all sorts of [people that aren’t] cybersecurity experts,” Barrett said. Everyone from sales reps to carpenters to designers needs to be involved in cybersecurity, but you can’t expect them to understand technical jargon.

Through the five pillars, the NIST framework helps companies organize thoughts and conversations, so they can develop actionable solutions. The framework lays it out like this: 

Identify: Catalog what machines and devices are using your company’s network. Note which belong and which don’t.

Protect: Establish protections around company data and access. This includes training staff, developing robust security systems, and maintaining that protection.

Detect: This defines how to identify that a cybersecurity breach has occurred. Monitoring allows companies to establish normal patterns, making anomalies easier to identify.

Respond: Develop a communications plan for alerting staff, clients, and partners of a data breach.

Recover: Develop a recovery plan for fortifying newly identified weak points, as well as a plan for implementing lessons learned during the incident into existing Protection and Detection strategies.

About the Author

James F. McClister

James McClister is managing editor for Professional Remodeler.
