Money Talk: Managing Cyber Security Risks

by Mark Battersby –

The recent headlines about Internet “hacking” and security breaches have focused on large retailers such as Target, Neuman Marcus and Home Depot and big banks like JPMorgan Chase. Unfortunately, fraud and financial data losses are not limited to retailers nor to one industry. Small rural building operations and businesses are increasingly vulnerable to cyber crimes like online identity theft, hacking or phishing.

Today, almost every building business is involved with some form of Internet connection or storage of data such as customer lists, employee information, books, records, receipts and tax documents. Nearly 83 percent of small businesses do not have a contingency plan outlining procedures for responding and reporting data breach losses. However, according to the National Cyber Security Alliance, a nonprofit cyber security educational organization, one in three small businesses is a victim of cyber crime each year with 60 percent of those victimized going out of business within six months.

A data breach or hacking incident cannot only harm the builder or contractor, it can also lead to a lack of trust on the part of customers, lenders and suppliers. Small businesses must make plans to protect their operation from cyber threats and help employees stay safe online. In fact, it is the building operation’s obligation to protect the data and the financial information of its customers, suppliers and employees.

So-called “cyber hacking” is big business, and no one, not individuals, not small businesses and not large corporations is safe. In the U.S. most states have breach notification laws, and other countries are following suit. In other words, many laws mean written notification must be sent to those individuals who have been affected. Even where such laws are not in place, a reputable building business should provide breach notification.

It should come as no surprise that social media sites can expose information at light-speed with little control. It is becoming more and more likely that a builder or contractor’s reputation will suffer from a cyber security breach.

It is not only a business site but also an employee’s activity on social media sites that can trigger liability, especially if the business is responsible for the sites. Defamatory statements, leaked information and copyright infringement are all growing concerns.
Losing the trust of customers can be much more damaging than the financial loss of repairing the effects of any breach. Making matters worse, a business can be held liable for the loss of third-party data. If there is a data breach, the operation could find itself facing expensive damage claims.

The increasing threat of data security breaches makes it important for every building business to reinforce their security practices. But, how can any builder or contractor manage this risk?

Security experts agree that the easiest place to start is strong password protection. Many recently exposed “hacking” cases have been traced back to weak passwords that were either (1) not encrypted or “salted,” or (2) not changed regularly.

Other tips to help secure a business’s data, reduce its liability and, in many cases reduce the cost of insuring against potential losses, include:

  • Get a firewall. There are hardware and software approaches that are both cheap and easy to use.
  • Conduct regular risk assessments to reveal hardware, software and individual site vulnerabilities.
  • Computers that are used for sensitive applications such as making electronic bank deposits, should be isolated from the rest of the building business’s network.
  • Control access to data which often means limiting delivery and exchange of customer-, supplier- or employee-related documents and information to secure channels.
  • Get anti-virus software and use it. There are a number of popular packages, most of which are relatively inexpensive. Although free updates are usually included, make sure to update the program regularly or, better yet, allow the software to do so automatically
  • When an employee or contractor who has had access to the system leaves the building business, the employer should make sure their passwords are no longer usable. (Many employers lock an employee out of the system just before or at the same time he is being terminated.)
  • Create and implement a data security plan that includes immediate notification of all affected parties. It many cases, it is the law.
  • Share the liability by demanding similar protocols with suppliers—and checking for compliance.

Little of a building business’s data is typically covered under today’s insurance policies. Thus, liability for any loss of customer or employee data is probably not protected.

Admittedly, some of a building or contracting business’s insurance policies might offer general liability protection. Directors and Officers (D&O) liability may, for instance provide a measure of coverage for these areas. Unfortunately, as the risk escalates, it is only after a hack attack that many builders and contractors discover what is and what isn’t covered by their insurance policies. Unfortunately, by then it’s too late.

A business interruption insurance policy rarely helps in the event of a system failure because of a malicious employee, computer virus or a hack attack on a building business. Identity theft, telephone hacking and phishing scams are all very real possibilities rarely covered by traditional business interruption policies.

While few so-called “umbrella” policies or blanket liability insurance policies cover these types of losses, a relatively new type of policy, “Cyber Liability Insurance” is available. Cyber liability insurance has been available for almost 10 years although it is very rarely purchased.

Cyber liability Insurance can cover hacker attacks, viruses, and worms that steal or destroy a building business’s data. Even e-mail or social networking harassment and discrimination claims can be covered, along with trademark and copyright infringement. Cyber liability insurance will often cover the loss of profits because of a system outage caused by a non-physical peril such as a virus or attack.

A builder or contractor purchasing cyber liability insurance enjoys special protection from most digital issues. The new cyber insurance products available today can help protect the business from cyber problems that could cause tremendous hardships.

When looking into cyber insurance, common sense dictates that all potential risks should be covered including laptops and mobile phones. Portable devices make it much easier to both store and to lose information. For example, a missing USB stick, a stolen iPad or a laptop left in a taxi are all real possibilities and, for a hacker, a gold mine. There are viruses being built just to attack mobile devices.

A good insurance company will ensure a policy holder has all the protection in place that is possible. They can make sure a firewall is in place to protect the network and help create social media policies that reduce risk. Even if data is stored in the cloud, the building business may still be liable for a breach. Although controlling how a cloud provider handles the business’s data is almost impossible, cyber insurance can protect any operation from their mistakes.

Hackers are getting more sophisticated every day, sometimes forming syndicates of like-minded criminals to share information and new techniques. Businesses, even independent small building businesses, are increasingly in their cross-hairs and need to use every protection strategy—including cyber security—available to combat the growing cyber threat. RB

Mark Battersby has more than 35 years experience in small business issues, tax and financial matters. Contact him at

Related Posts: