Contractors often use sophisticated digital technology to participate in project design, communicate with project partners and conduct daily operations. While these electronic tools can improve collaboration and streamline the building process, they may also expose you to perhaps unfamiliar liabilities.
Major insurer Chubb recently released an advisory report entitled New Business Models, Technology Raise Professional Liability Risks for Contractors. It describes these cyber threats and offers strategies for guarding against them.
Contractors have long been at risk for liability associated with participating in design work. But now risks are arising from the use of new project modeling technology and the potential vulnerability of confidential and proprietary data they use or store, such as:
- Construction plans,
- Customer data, and
- Personal information.
For example, building information modeling (BIM) software produces a three-dimensional model that is shared by the engineers, architects, and general and subcontractors. Each system overlays the others, offering an effective way to detect any potential clashes in component location or work scheduling.
But because BIM systems contain building plans and other project data files, they also pose risk of cyber attack. The Chubb report cites indications that hackers have been targeting building designs and using malware to target CAD programs.
Still, the types of cyber crime most likely to occur, according to the Chubb report, remain email phishing (general messages requesting sensitive information) and “spear fishing” (messages that appear to be from someone familiar to the recipient, but which are actually fraudulent). Just one employee who gives in to either of these deceptions could enable a hacker to defraud your business of hundreds or even thousands of dollars.
New mobile technologies such as smartphones and tablets also pose a threat. Employees who use their own devices for work could download malware-infected apps capable of searching for and stealing sensitive company information.
Cloud-based software, data storage and other services potentially create additional exposures through contracts that limit the provider’s liability for data security, network outages and regulatory compliance. If you’re using a cloud service, be sure to assess your risks and responsibilities.
Steps to take
Here are more steps you should take (and regularly update, if necessary) to limit cyber risks:
Know your info. Identify the data that you use and store, and make sure you know where it’s located and how it’s being protected. Assign at least one person in your organization ultimate responsibility for data security. (He or she should have a backup.)
Keep data “need to know.” Strictly limit access to sensitive project information to only those whose jobs require that access.
Create a hierarchy. Segment networks to keep sensitive information isolated from less-sensitive data. Rank information by its sensitivity and provide higher levels of protection for valuable proprietary and personal information.
Provide training. Educate all employees about data security. Train staff on procedures and rules appropriate to their roles. Teach everyone to identify and report suspicious emails or other dubious activities.
Who can help
For assistance developing an effective cyber security program, the Chubb report recommends that contractors work with data security professionals and consult their insurers’ risk engineers. In addition, Smith & Howard can help you set an appropriate budget for managing information technology.