Contractors with weak cyber-security measures could be turned down for insurance unless they implement stronger safeguards, a cyber-security expert has warned.
In December 2021, infrastructure management firm Amey was hit by a cyber attack after hackers used ransomware to access documents, including correspondence with government departments, which were leaked online.
It was the latest in a list of companies – including Interserve, Bouygues UK and Bam Construct – to be targeted by cyber criminals in recent years.
Following a string of attacks, Cyber Security Associates (CSA) technical director James Griffiths said insurers were now being choosier when handing out cyber insurance to contractors – rejecting those with poor online protection.
Griffiths revealed that a change in insurers’ behaviour had influenced some of the “bigger construction companies” to increase their investment in cyber defence systems to protect themselves and their staff.
Warning that the next big attack was “only a matter of time”, he encouraged contractors of all sizes to check and improve their online safeguards to protect their businesses, and ensure they were not turned down by insurers.
Griffiths told CN: “Insurance companies now, because they have been burdened so much over the past three or four years having to pay out on claims [after attacks, some are not insuring] companies that they would have in previous years.
“A lot of insurance companies now are taking advice guidance from cyber-security professionals, [asking them] what they should be asking […] before they take a customer on. And now they are starting to find that companies they have been insuring for 15 or 20 years previously, unless they put these [cyber defences] in place, are uninsurable.”
The CSA technical director said he had seen examples of firms being turned down for cyber insurance because they did not meet the minimum requirements of the insurance underwriter.
“They wouldn’t insure them because the risk is too great,” Griffiths said.
In March, a government report revealed that construction firms were among the groups of businesses that were least likely to have specific cyber-protection rules or controls in place. Measures could include up-to-date malware protection, a policy ensuring strong passwords or backing up data via a cloud service.
The Cyber Security Breaches Survey 2022 paper also found that construction firms were among those least likely to have carried out activities to identify cyber-security risks in the last 12 months.
Griffiths suggested some contractors had historically paid more attention to health and safety than cyber security, but he stressed that they could no longer neglect it and offered recommendations.
He said: “Set up multifactorial authentication. So make sure you have that turned on, and enforced from all your third parties and applications you use.
“Monitoring [is also important], and identifying what is going on in your network and on company devices, because it’s no use having all these [protections] in place and you are not actually monitoring or alerting to these things that actually happen,” he added.
Official government stats show that 39 per cent of businesses identified a cyber attack in the last 12 months to March, with the most common threat coming through phishing attempts (83 per cent). The average cost for medium and large businesses was £19,400.
Within a four-month period in 2020, major contractors Bouygues UK, Bam and Interserve all fell victim to malicious actors targeting their systems. Interserve’s subsidiary, RMD Kwikform, was also targeted in November 2021.