Having trouble viewing this email? Click here
Realstreet logo with buildings

Word on RealStreet!

June 2019

SUMMER SEASON WORKFORCE WOES

SOLVE YOUR SUMMER SEASON WORKFORCE WOES WITH EMPLOYEE LEASING!

Seasonal fluctuations are common in the architecture, engineering and construction industry, and the changing workflow alters workforce needs of the companies within those sectors. While the summer season typically brings an influx in building activity, many businesses often struggle to meet tight deadlines, as employees take more time off to enjoy the warmer weather. It’s a challenge that occurs every year, and could easily be avoided with an employee leasing solution.

FIVE WAYS EMPLOYEE LEASING CAN HELP WITH SEASONAL SPIKES AND SUMMER VACATIONS

Employee leasing arrangements enable companies to have the right-sized workforce, based specifically on project demands. With the summer season approaching, increasing productivity should be a top concern. Here are five reasons employee leasing is an ideal workforce solution to utilize during this busy, but critical, time.

1. WORKFORCE FLEXIBILITY

Employee leasing agreements are highly flexible and customizable. You have the ability to adjust the size of your workforce according to your needs, even when they change quickly. As a result, optimization is achievable, ensuring you have precisely the number of staff members you require at any given point.

2. COST EFFECTIVENESS

Expanding your permanent workforce comes with significant costs. Along with recruitment, onboarding and payroll expenses, you also have to contend with workers’ compensation and unemployment. However, when you opt for an employee leasing arrangement, you can reduce your costs. Much of the recruiting and human resources processes, along with many of the risks associated with growing your workforce, are handled by the placement agency.

3. MORALE IMPROVEMENTS

Seasonal spikes are often taxing for your permanent employees. Frequent overtime can be stressful, particularly when it is mandatory. With an employee leasing arrangement, you can bring on additional short-term team members to alleviate these burdens. As a result, you reduce the risk of your core staff becoming overworked and burned-out.

4. VACATION COVERAGE

Summer is often peak vacation season. Your permanent team is likely looking forward to time away from the workplace. However, numerous absences can be hard to manage, especially if vacations leave you short-staffed.

With an employee leasing arrangement, you can bring in skilled professionals to cover the workloads of your vacationing workers. This allows you to maintain full productivity without having to overburden your permanent staff. Plus, it decreases the odds you will have to reject a vacation request, which is also beneficial for morale.

5. ACCESS CRITICAL SKILLS

At times, seasonal demands necessitate skill sets that are not present in your core workforce. When this occurs, using employee leasing agreements to locate professionals with the right level of expertise for your short-term needs ensures you have access to the skills you need for a precise duration. You get a highly skilled employee on your terms, without having to add them to your permanent staff.

ARE YOU LOOKING FOR SKILLED PROFESSIONALS TO SUPPLEMENT YOUR WORKFORCE?

At RealStreet, we are dedicated to finding high-quality talent for every company that partners with us. If you are searching for architecture, engineering or construction professionals for your vacancies, experience the RealStreet difference today. Contact us to see how our services can help you find ideal candidates more effectively than ever before!

Article Originally Published by RealStreet

MORE POSITIVE START TO THE WORK WEEK

TIPS TO KICKSTART Your WorkWeek and Make it Positive!

Finding yourself going to bed Sunday night, already stressing about the workday that lies ahead of you? While for some, Mondays provide a sense of excitement. They are viewed as an opportunity to restart, relaunch and continue moving projects in the right direction. For others, Mondays lead to stress, anxiety and the feeling of frustration as they head back to "the grind," only looking forward to Friday.

If you're feeling more like the latter, where Monday Motivation has shifted to Monday Un-Motivation, it's time to kick-start your positivity. You spend a significant portion of your life working. You should enjoy what you do, or at the very least, not dread the thought of going into the office. Luckily, with a couple of small changes, your workweek can be both enjoyable and increasingly productive!

TWO KEYS TO A MORE POSITIVE START TO THE WORKWEEK

Starting off your week at work on a more positive note largely requires two things, both of which are in your control. First, you will need to be more diligent about planning, creating a chance to set yourself up for greater success. Second, you have to adjust your mindset.

Easier said than done? Use the following suggestions to start your week off on the right foot!

1. PREPARE ON FRIDAY

A little bit of planning can make your Monday easier to manage. Before you leave on Friday, spend some time examining the week to come and identifying any priorities. Additionally, review the past week’s progress to ensure that no critical deliverables have been missed along the way.

By using this approach, you are checking to make sure you are currently on target and you have a solid idea of what is to come. This increases your overall level of awareness and can help you discover items you may have otherwise missed. Plus, you can schedule a time for your upcoming tasks in advance, allowing you to outline the week ahead.

2. ADD SOMETHING ENJOYABLE

Getting ready for work on Monday is not what most people look forward to over the weekend. Their process can even be somewhat mechanical, particularly if they spend their time solely on what needs to be done to get out the door. However, adding an enjoyable activity to an otherwise mundane Monday morning routine, can provide something pleasant to look forward to, on what can be the toughest morning of the week.

For example, consider having your favorite breakfast on Monday mornings or squeezing in a workout. If you would rather relax, give yourself enough time to meditate or to read a chapter in a book you are reading for fun. This can help you adjust your mindset about getting up on that particular day, and enables you start your week on a positive note.

Article Originally Published by RealStreet

Construction industry unemployment at record low

Construction industry unemployment at record low

With 33,000 net new jobs added to the industry in April, construction unemployment at a record low and other positive signs across the broader economy, a downturn is at bay for at least another year, according to Associated Builders and Contractors’ (ABC) analyses of Bureau of Labor Statistics (BLS) data.

The construction industry had 256,000 more jobs last month than March 2018, which represents a 3.5% increase. Last month, the nonresidential sector added 32,400 net positions, the majority of which (22,100) were created by specialty trade contractors. Year over year, that subsector created 114,200 jobs, according to BLS.

April also saw the lowest construction unemployment rate since BLS started the series in 2000. Compared to a 3.6% national unemployment rate, the lowest level since 1969, construction unemployment decreased 2.2% year over year to 4.7%.

“The case for an economic downturn over the next 12 to 18 months is fading fast,” said ABC Chief Economist Anirban Basu, noting that the country has created new jobs for 103 months consecutively. “With inflation and interest rates low, the cost of capital remains suppressed, helping to induce ongoing spending growth among companies, consumers and governments alike. Corporate earnings remain strong, and today's employment report indicates that many remain firmly in growth mode.”

In March, construction unemployment decreased in 49 states on a year-over-year basis, the first time on record that all but one state saw declines, according to Bernard M. Markstein, president and chief economist of Markstein Advisors, who conducted the analysis for ABC.

Nebraska was the only outlier, the report found, with a slight increase from 5.1% unemployment in March 2018 to 5.3% in March 2019. Utah saw the lowest estimated not seasonally adjusted construction unemployment rate (1.9%), followed by Nevada (2.7%), South Dakota (3%), Florida (3.4%) and Colorado (3.4%).

The rates seen in these five states, as well as in Arizona and Oregon, represent the lowest March level on record, according to the report.

At the bottom of the list was Alaska, with a 13.5% construction unemployment rate. Missouri (9.7%), Kentucky (9.6%), Connecticut (8.8%) and Illinois (8.7%) rounded out the bottom five.

Article Originally Published by Construction Dive

How Tech Is Transforming the Construction Industry

How Tech Is Transforming the Construction Industry in 2019

The immediate applications and benefits of Industrial Internet of Things (IIoT) technologies are obvious in industries like manufacturing and computing, but these digital transformation technologies may not be top of mind for construction managers.

It’s time for that mindset to change. Worldwide spending on IIoT is expected to reach nearly $2 trillion in 2022, proving that these technologies hold a significant amount of value to the industries using them. That rings especially true in construction, where IIoT stands to bolster an already significant commitment to safety and communication. Construction managers should keep these technologies firmly on the radar when making investments in 2019.

SMART EQUIPMENT

With sensors and radio-frequency identification (RFID) tags, even legacy construction equipment can become part of a construction company’s IIoT fleet. The data collected from these machines provides construction managers with a wealth of knowledge around downtime, safety, labor, efficiency and more.

Additionally, the next era of smart construction equipment will feature more autonomous vehicles and automatic equipment shutdown, both of which promote worker safety. Autonomous vehicles, which self-correct based on feedback and environmental factors, also free up human engineers to move from maintenance tasks into more complex roles that leverage the feedback data reported by IIoT machinery.

CONNECTED JOBSITES

While construction jobsites will benefit from the sensor data mentioned above, telematics is also soaring to new heights in 2019. For example, when installed in vehicles, telematics solutions record driving speed and braking, improving driver safety and behavior. Employees who are monitored on connected jobsites also are more likely to adhere to strict schedules and focus on safe operating behaviors.

Connected jobsites not only help improve human behavior, but the lifespan of machinery as well. By monitoring tire pressure, engine health and battery life in real time, construction managers can predict and schedule maintenance during quiet periods instead of experiencing breakdowns during busy times.

The long-term cost savings can be dramatic, but IIoT technologies also stand to increase profit for construction companies. Access to analytics allows for more accurate quoting instead of using flat fees or a targeted estimate. A construction manager who knows the true productivity of his or her equipment and jobsites can make more accurate quotes, gain trust and earn new business.

TRAINING

While still in its infancy, new virtual reality technology is opening the door to better, safer and more efficient training for construction employees. Workers gain experience without risk in real-life scenarios, and spend more time on the job than in a classroom.

Digital transformation also means fewer workers will be needed to perform the jobs of the future. One person can be trained to monitor and manage equipment in a central location instead of sending multiple workers out to various jobsites. That scenario also translates to fewer workers who need to be trained.

However, a new kind of training will need to take place: educating managers and workers on the benefits of IIoT and digital transformation. These groups may be set in their ways and unaccustomed to the idea of a machine doing the thinking for them. But if they truly understand the pros of new technology from a safety and efficiency standpoint, they can help usher in real change. Don’t expect this kind of transformation overnight; but in the meantime, be sure to identify thought leaders on the crew who can lead the charge and answer questions.

As with any new technology, construction managers should start their IIoT initiatives with small, test-case applications and iterate based on learnings. By investing in digital transformation now, construction managers are giving their companies the best chance to stay ahead of the industry curve, increase safety and take on new opportunities for their businesses and employees.

Article Originally Published by Construction Executive

cyber security tips

A Match Made in Cyber Hell

At the end of April, just as St. Ambrose Roman Catholic Church in Brunswick, Ohio, neared the close of a five-month-long, $5.5-million renovation, Father Bob Stec, the parish pastor, was surprised to hear that the contractor, Marous Brothers Construction, Willoughby, Ohio, had not received a $1.7- million payment.

“We were paying our bills. At some point somebody was able to get into our email system and in the course of that, changed the routing numbers for the wire transfers,” the pastor told local reporters. The $1.7 million disappeared.

The story follows a typical pattern of cybercrime impacting construction, starting with the use of email to divert funds, which vanish. But it also fits a pattern of victims declining to share details about how it happened. Neither Stec nor Marous Brothers responded to multiple requests from ENR to recount what happened. Most construction victims of cybercrime, including Turner Construction Co.—which had sensitive personnel data stolen in 2016—offer limited descriptions of the incidents and stress the steps they have taken to remediate. To be fair, the Federal Bureau of Investigation is on the case of the church building fund loss in Ohio, which means all parties have been told to clam up. But when it comes to spreading the warning to others, secrecy often prevails.

Big Worries

Contractors, construction managers and owners worry about cybercrime, and with good reason. Their complex projects, with myriad data exchanges among partners and subs, regulators and suppliers, software and systems—and now the internet of things—are tempting targets for hackers. The specific risks are too many to name and evolve constantly. They run the gamut from stolen or locked data to financial theft, sabotage, and destruction of hardware and equipment.

“Hacking is not just something happening in a distant land or like it is in the movies,” says Greg Young, vice president of cybersecurity at computer security firm Trend Micro. “Hacking today is not just getting free long-distance calls, it’s all about money.”

Young says that many hackers are trained for cyberwarfare by state-sponsored agencies and then go into business for themselves. “These guys are not paid well, so they go off at night and do ransomware, they do for-hire work. If someone wants something to fail, it’s easy to hire super capable hackers,” Young says.

Phil Weaver, senior director of IT at Warfel Construction, a construction firm with 230 employees and $235 million in revenue based in East Petersburg, Pa., thinks the industry is unprepared. “I don’t think GC’s and CM’s are worried enough about the impact a cyber incident can have,” he says. “I think there is just a lack of understanding or realization that it can happen to us.”

John G. Voeller, retired senior vice president, chief technology officer and chief knowledge officer for Black & Veatch, has a very big picture view, having been drafted over the years by think tanks and the government to help scope risk to critical infrastructure. And from where he sits, the view is bleak.

“Some construction executives are worried, but too large a number of them do not understand the situation well enough, and their risk managers are too often not technical enough, or connected to their [chief security officer] strongly enough, to really see how many holes there are in their dike—and how few thumbs they have that are effective,” Voeller says. “They do not realize how precarious their situation is.”

Voeller points to the growing activity of state actors and cyber warfare agents, whose tentacles are infiltrating industries and utilities, and whose actions are beginning to move from disruption to outright destruction.

Wire Fraud

At the moment, many security experts are focused on phishing attacks like the one at St. Ambrose and their potential to put companies out of business. “Phishing is the biggest risk because there are many financial transactions conducted over electronic communications,” says Everardo Villasenor, construction IT leader and chief information security officer at DPR. “Cyberattacks occur where there are bigger opportunities for financial returns.”

David Sheidlower, chief information security officer at Turner, notes the FBI reports that more than $1.2 billion was lost to email-centered crimes against businesses in 2018. “So, we know the risk is real,” Sheidlower says. “That’s why Turner devotes such a high level of attention to raising awareness of the risks among our employees and our partners.”

Taking Action

A cybercrime is often a trigger to action. In March 2016, a Turner employee fell for a phishing email and sent tax information on current and former employees to a fraudulent email address. “We notified federal, state and local law enforcement and involved legal, law enforcement, information technology and security experts,” says Chris McFadden, vice president for communications. “We secured identity monitoring services at no cost to all impacted employees, including their spouses or partners, for an original term of ten years. Since then, we expanded coverage to all Turner employees, who now have access to identity protection services, which are designed to recognize signs of unauthorized use of personal information and help our people respond.”

Turner also has put in place an employee resource site with answers to commonly asked questions, data security tips and links to training material and available external resources on the subject of cybersecurity and protecting personal information. The company also has a cybersecurity awareness outreach program for companies it does business with to arm them with information.

Security consultant Scott Takaoka, a vice president at Aon Cyber Solutions, says wire fraud incidents, like the theft of payments, often begin with hackers picking through stolen Gmail or Yahoo credentials, which can be bought in bulk on the dark web.

Takaoka says hackers use those credentials to peruse accounts and to find people mingling business with personal email, and sometimes using the same login credentials for both, which can let hackers into corporate email systems. Takaoka says hackers play a long game and research target individuals on sites like LinkedIn to suss out corporate hierarchies and identify people likely to be approving transactions.

“They will watch and monitor and wait for the right time,” Takaoka says. “To some extent they have to have the context of the transaction, but once they understand the context, they know when to strike.”

He says the emails that trick people into clicking on malicious attachments or links, or into rerouting payments to bogus accounts, often appear to be genuine and from people the victim is accustomed to dealing with. They also may come at just the moment a transaction is expected to occur—in the right context—with a message about the recipient having a new account number, and asking to route it there.

Takaoka says such phishing emails often show up late on a Friday afternoon when those who might verify the information can be expected to have left for the weekend, so the victim takes the bait and wraps up his or her workday by clicking “send.”

Says DPR’s Villasenor, “basically, someone is vulnerable and gets hacked, and you didn’t even notice. And all of the sudden you have someone in between. It’s very lucrative. They get in the middle and say, ‘By the way, we changed our account, can you send it to this one?’ Companies can even go out of business when they are victims of this.”

“I saw this kind of action first take place in real estate transactions with escrow accounts,” Takaoka says. “Then I saw that same play happening with heavy machinery—especially in international transactions with high transaction dollar amounts.” With high stakes like that, hackers are willing to invest the time to watch and find the best time to spring, Takaoka says.

The most sinister variant of phishing emails are not fake emails from outside servers disguised to look genuine — spoofs — but emails from genuine accounts that have been hacked. “It’s a hack, versus a spoof,” says Danielle Roth, a cyberclaims manager with AXA Catlin, a division of AXA XL Insurance. “Microsoft Office 365 mailboxes are controlled by password and credentials, and if a hacker can get that, they can use that to actually gain access from someone’s account. The email will look correct—and it is correct—but it is controlled by someone who is not the user.”

How Bad Is It?

Cybersecurity vendor Symantec, which claims to have the largest civilian threat-intelligence network in the world, issued its latest global internet security threat report on Feb. 20. The annual review finds that attackers are enhancing proven tactics, including spearphishing, hijacking legitimate software tools and distributing malicious email attachments. Ransomware infections—which make data unreadable—of individual computers are trending down, but enterprise ransomware attacks were up by 12% in 2018, “demonstrating ongoing threats to organizations,” the security vendor says in the report.

Theft drives most of the action, with the diversion of electronic payments to bogus accounts creating a significant threat for construction, the report states. The Symantec data reveals that one out of every 39 construction industry email users gets targeted by phishing, but the rate of phishing emails in construction is only one out of every 3,960 emails, which suggests it is being used selectively and with specific individuals in the crosshairs—spearphishing.

Symantec reported that one out of every 382 emails exchanged in the construction industry in 2018 had malicious content, but attackers are trending away from embedding malicious urls in favor of malicious attachments. The company found that Microsoft Office files accounted for 48% of the malicious email attachments tracked by its telemetry in 2018, up from 5% in 2017, and notes that small companies are most at risk from malicious content.

Another technique expanding rapidly is “formjacking,” in which malicious code infiltrates a web server used for collecting form data for financial transactions. The malware skims the account and payment information. Although primarily used to attack the retail sector, it is increasingly being seen as potentially jeopardizing any supply chain.

Symantec also found a growing interest among attackers in compromising operational and industrial control systems, “with the potential for sabotage,” its report said.

“I don’t think we know the size of the threat because it is not properly recorded” says DPR’s Villasenor. “I think the number of incidents is increasing, increasing risks to companies and projects.”

End Points

Security vendor Sophos, which specializes in end point detection and response technologies, or EDR, commissioned a global study by an outside research firm, Vanson Bourne. It surveyed 3,100 IT managers across the globe in December 2018 and January of this year, including 203 in the construction sector. It found that 68% had been victims of cyberattacks in the previous year—meaning they were unable to prevent the attacker from entering their networks and endpoints — with larger organizations seeing more attacks (73%) than smaller ones (63%).

The researchers suggested that there are two likely reasons for the difference: Larger companies are considered to be more lucrative targets, or larger organizations are just more aware that they have been hit and more likely to have to resources to detect and investigate.

The study also found that most threats were discovered at the server level. It noted that modern attacks tend to start at the endpoints and move to the servers, the more high-value target, and if the attacks were being detected there, “it suggests a lack of visibility into what is happening earlier in the threat chain, as well as endpoint security gaps.” When respondents were asked how long the most significant cyberattack they had been hit with dwelled undetected in the system, 1,744 responded, and the average dwell time was 13 hours.

The researchers acknowledge that the 13-hour average is at odds with other data-breach investigation reports, such as Verizon’s, which found that 68% of data breaches take months to discover. But they suggest the difference may be that their respondents, most of whom detected the intrusions at the server level, might simply be unaware of the full scope of their problems. It found that 17% of the IT managers didn’t know how long the threat had been in their environment, and 20% didn’t know how it got there.

DPR’s Villasenor says the sophistication of attacks and the inclusion of artificial intelligence takes threats to a new level, and keeping employees’ cyber awareness knowledge current is a continuing challenge. He also warns that the increase in state-sponsored attacks has the potential for wider disruptions.

“AI is interesting,” says Weaver. “It’s a new threat vector, but also can be leveraged to help in the cybersecurity fight. You need to try to guard against them all, [but] most of the threats we see are still social engineering based.”

What To Do

Aon’s Takaoka says a security assessment should come first. “Understand and have a third party come in and provide some guidance, based on your business [and] the size of the company, and come up with recommendation around the biggest areas of weakness,” he says. “Construction companies need to consider remediating these areas and do it in a risk-based fashion. It’s mostly about reducing the opportunities for damage, not eliminating them, and being ready if it does happen.”

Takaoka says contractors should make sure the basics, such as updating software, enforcing password policies and restricting approval rights and administrative privileges, are executed. “You stop forwarding emails to the outside, which is very simple and it doesn’t cost.” He also adds that they should get cyber liability insurance, “and if you work on anything, work on your backups. Make sure you have a good backup, retain a good incident-response provider and consider retaining outside counsel.”

Clients will gain confidence in contractors who manage cyber risk well, Takaoka adds. “That’s the reason you do that assessment by a third party, and share the results—which is basically a review of your processes and controls—and you provide that to the client. Either have that assessment done yourself, or expect that as time goes on customers are going to have third party assessments done of you.”

Turner’s Sheidlower says many owners have robust cyber risk management programs and review Turner’s cybersecurity protocols, which he says “mitigates the risk of attack on systems and information through a comprehensive approach to the technical, physical and administrative controls—coupled with training and policies that serve to raise awareness on a range of issues amongst the people who access and control the flow information.”

Sheidlower adds that controls are available to firms of all sizes, and those include staying current with updating software patches, requiring multifactor authentication and installing anti-malware software on all endpoints.

“Contractors should emphasize identifying information assets, finding vulnerabilities, employing protective and detective controls and, finally, having a plan for responding to incidents in an effective manner,” Sheidlower says.

“On the tech side, patching vulnerabilities is really the easiest way not to be the low-hanging fruit,” adds AXA’s Roth.

Scalable Security

When asked if large operations have a better shot at secure operations than small and medium sized contractors, responses varied. Voeller’s quick observation was “obviously not when the largest in the world have been hacked and damaged, from Lockheed to Google to Facebook to the NSA.” Disaster recovery service vendor Unitrends claimed that security is attainable with the right tools.

In its description of services, Unitrends recommends a multi­layered approach, but claims that “adding multiple layers to cybersecurity may look like you are adding many man-hours of labor to your already overworked IT department, [but] that does not have to be the case.” It says multilayered solutions can run and report findings automatically. “The only additional labor required is when a negative finding is discovered. Plugging an open security hole is labor you should be happy to invest,” the company says.

“The biggest issue I see here is small and medium-sized businesses don’t have the capital to properly address these issues, until they have a breach,” says Warfel’s Weaver. “For many SMB companies, they are much safer in the cloud than in their own environment,” he says, adding, “We are one of the SMBs I am talking about, but I like to think we are at least trying to do it right.”

DPR’s Villasenor says “Cybersecurity is scalable if companies start with simple controls and evolve with a good strategy. An evolving cybersecurity practice requires more investment, but based on the cyber threats, the ROI is there. Companies of all sizes have the opportunity to succeed on securing operations.”

Villasenor says DPR—a contractor with $6 billion in revenue and nearly 6,000 employees—uses collaboration platforms offered by service providers operating in compliance with privacy and security standards, including NIST, ISO-27001, CSA, HIPA, SOC and others. He says contractors need to adhere to cybersecurity best practices, such as those promulgated by the Center for Internet Security, a nonprofit that “works to identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace,” according to its mission statement.

Villasenor recommends starting with the first six of CIS’ top critical security controls, which include making an inventory and securing control of hardware and software, continuous vulnerability management; controlling the use of administrative privileges; securing the endpoints; and maintaining, monitoring and auditing network activity.

But Villasenor adds, “You have to enforce cyber awareness training. One of our biggest threats is our own people. They can become victims very easily.”

DPR uses a third-party security awareness training service, ProofPoint, also known as Wombat, for training software and materials, but schedules and runs its own sessions in house. Wombat’s tools include a phish alarm button that email users can click to automatically report suspicious email to IT, but it also includes a system to check whether the sender has already been checked and added to a whitelist of trusted sources. That can save IT from being inundated with false alarms. Phishing can also be reported directly to Microsoft 365, Villasenor says. “They react very quickly. The best thing is to always report such incidents.”

“You are only as good as the weakest link,” notes Weaver. “It’s why so many of the megabreaches you read about started with a third party connection. People, processes and technology: I always oversell the people side. You can have the best controls in place, but if you don’t have comprehensive security awareness and training, you are a sitting duck.”

But Black & Veatch’s Voeller points out that addressing unsafe personnel practices is not a simple matter. People change jobs and there is no motivation or reward for dealing with the drudgery of methodically cleaning up their digital traces.

“In the future, people using data will be bonded in the same manner that we bond people handling money,” says Voeller. “As you hear the calls for regulation, be aware that I have been campaigning with major cyber leaders for making major data holders and creators to be treated as regulated utilities in the same manner as power, water and telecom. It is an essence of life, just like water, power and communications. Credentials will follow.”

Cyber Insurance

Insurance broker Aon produced a U.S. Construction Industry Risk Outlook Report in February that claims cyber insurance options for construction are improving and, from the contractor’s standpoint, it is a buyer’s market.

The Aon report suggests “this is a good time to lock in baseline competitive pricing before any hardening of pricing occurs.” It says many construction-related firms are purchasing their first cyber policies because they are implementing technology to stay competitive and drive revenue, or are contractually obligated to have coverage, or their boards of directors are requiring it.

The report notes the ironic benefit that, despite the construction industry being hit with more ransomware leading to complex network business interruptions and rising incident response expenses, the resulting claims and loss data is leading to expanded coverage offerings and improved actuarial data for loss modeling purposes. “The stratification of risk enabled by improved data and analytics leads to better outcomes for the best specific risks,” the report states.

The report says this has led to average premium rates for cyber insurance dropping, on a year-over-year basis.

Takaoka says the end result is that “in ransomware situations there seems to be plenty of coverage. [Insurers] will pay ransom, and it’s pretty well known, but with wire fraud, it kind of depends.”

“Cyber insurance is a great risk transference tool,” says Weaver. “It comes in very handy if you have an incident. There are many regulation, notification, legal, and fine costs. Also, it provides you with training, policies and resources to prevent an incident.”

But looking across the whole construction industry, sources have a bleak view of the industry’s level of cybersecurity maturity, to borrow a term from Aon’s Takaoka.

While DPR’s Villasenor is confident that his company’s processes are performing well, on a scale of 1 to 10, he gives the industry as a whole dismal marks. “[Construction’s] cybersecurity score is low, perhaps 3 on a 10-point scale,” he says. “Many firms see cybersecurity as slowing operations or a high overhead cost versus perceived return on investment. Unfortunately, it has taken serious incidents for firms to truly understand the threat.”

Warfel’s IT director Weaver was even less sanguine. “Two,” he says. “I think it’s worse than most people know.”

Article Originally Published by Engineering News-Record

REQUEST A CONSULTATION
TALENT SHOWCASE
Purple geometric triangle pattern
facebook logo twitter logo linkedin logo rss logo