Entrepreneurs with weak cybersecurity measures could be denied insurance unless they implement stronger safeguards, a cybersecurity expert has warned.
In December 2021, infrastructure management company Amey was hit by a cyberattack after hackers used ransomware to access documents, including correspondence with government departments, which were leaked online.
It was the latest in a list of companies – including Interserve, Bouygues UK and Bam Construct – to be targeted by cybercriminals in recent years.
Following a series of attacks, Cyber Security Associates (CSA) chief technical officer James Griffiths said insurers were now more demanding when issuing cyber insurance to contractors, turning away those with poor online protection.
Griffiths revealed that a shift in insurer behavior has prompted some of the “largest construction companies” to increase their investments in cyber defense systems to protect themselves and their staff.
Warning that the next big attack was ‘just a matter of time’, he encouraged entrepreneurs of all sizes to check and upgrade their online protections to shield their businesses and ensure they are not turned down by insurers.
Griffiths told NC: “Insurance companies now, because they’ve been so overwhelmed over the last three or four years that they’ve had to pay claims [after attacks, some are not insuring] businesses that they would have in previous years.
“Many insurance companies are now following the advice of cybersecurity professionals, [asking them] what they should ask […] before taking on a client. And now they’re starting to find that the companies they’ve been running for 15 or 20 years before, unless they put those [cyber defences] in place, are not insurable.”
CSA’s technical director said he’s seen examples of companies being turned down for cyber insurance because they don’t meet minimum insurance underwriter requirements.
“They wouldn’t insure them because the risk is too great,” Griffiths said.
In March, a government report found that construction companies were among the least likely business groups to have specific cyber protection rules or controls in place. Measures could include up-to-date malware protection, a policy ensuring strong passwords, or backing up data through a cloud service.
The 2022 Cybersecurity Breach Survey also found that construction companies were among the least likely to have conducted activities to identify cybersecurity risks in the past 12 months.
Griffiths suggested that some entrepreneurs have historically paid more attention to health and safety than cybersecurity, but he stressed they can no longer neglect it and offered recommendations.
He said: “Implement multi-factor authentication, so make sure this is enabled and enforced by all your third parties and apps you use.
“Surveillance [is also important] and identify what’s happening on your network and company devices, because there’s no point in having all those [protections] in place and you’re not actually monitoring or alerting to these things that are actually happening,” he added.
Official government statistics show that 39% of businesses identified a cyberattack in the past 12 months to March, with the most common threat coming from phishing attempts (83%). The average cost for medium and large businesses was £19,400.
In the space of four months in 2020, major contractors Bouygues UK, Bam and Interserve all fell victim to malicious actors targeting their systems. Interserve subsidiary RMD Kwikform was also targeted in November 2021.