Guest Column
BY G L E N M A N G O L D A N D C H A R L ES KO P P L I N
The Business Case for Cybersecurity
T
here are two types of firms:
those that have been hacked and
those that will be hacked. Just
because you don't hear about it
in the news, don't assume that
professional service firms are not
targeted by hackers.
The 2014 NetDiligenceĀ® Cyber Claims
Study found the professional services sector
tied for the third most claims out of 13
different industry sectors. In addition, 23
percent of all claims came from firms with less
than $50 million in revenue. All engineering
firms need to proactively address cybersecurity
and the risks associated with online data.
Small firms are targeted more because
they have fewer resources than large
firms. Information that needs to be
secure includes confidential project and
client information as well as employees'
personal information. There are costs
associated with securing a firm's information, but the cost of not securing it could
be higher.
Glen Mangold
If a data breach occurs, the firm will
need to notify the entities whose information has been stolen. There could be
credit and identity monitoring requirements as well as litigation. Federal and
state requirements for notifying victims
of a data breach are evolving and vary.
The firm will also incur the cost of restoring its network after the data breach.
Besides the direct monetary costs, the
Charles Kopplin
firm's reputation could take a hit from
both its clients and employees.
Threats have both external and internal origins. External threats
come from amateur hackers, often someone with a personal or
political agenda, and cybercriminals who are looking to make
money from selling the information. Internal threats can be either
intentional or unintentional. According to the National Institute of
Standards and Technology, internal threats account for 80 percent of
security issues.
Most firms allow employees to access their firm's network from a
38
ENGINEERING INC.
JULY / AUGUST 2015
remote location using a virtual private network (VPN) on a personal
computer. An emerging source of threats comes from "bring your
own device" (BYOD) policies that are increasingly common. These
devices include both smartphones and tablets. When the employee's
computer at work is included, a 30-person firm can have as many as
120 devices (four times the number of employees) that are connecting to the Internet and its computer system. Each of these devices is
capable of downloading malicious code and viruses that can easily be
transferred to the employer's computer system.
As the number of mobile devices has grown, so has the number
of apps and fake apps. According to a recent research paper by IT
security company Trend Micro, "It has actually become quite common to see fake apps, which appear as real apps, come out shortly
after legitimate mobile or PC versions come out." The paper found
almost 900,000 fake apps, and 44 percent of them were detected as
malware. An estimated 84 percent of all cyberattacks are happening
at the application level.
Firms are beginning to add cyber insurance to help share the risk
of their increased exposure to hackers and cybercriminals. Coverage
includes:
* Liability arising out of unauthorized access to confidential thirdparty data.
* Costs to restore design firm's data and extra expenses while recovering from the breach.
* Web content that is alleged to include libel, slander and accidental
public posting of private information as well as copyright or trademark infringement.
* Public relations assistance to protect the firm's reputation.
Some policies include risk management services, such as tools for
breach prevention and recovery. It may also include forensics coverage and incident response services. The insurance carrier will contract
with experts to assist the insured when a loss occurs. Cyber insurance
can be purchased for as little as $1,000 for $1 million in coverage. An
insurance broker can provide more specific information.
As the use of electronic devices and the reliance on electronic
information is increasing, a firm's risk of being hacked or having its
data breached is growing. Cybersecurity efforts need to be diligent to
combat the efforts of hackers and cybercriminals.
Glen Mangold, CPCU, is the managing director of the architects/
engineers program for Markel Corporation, a leading provider
of professional liability insurance. He has more than 25 years
of experience in the insurance industry. He can be reached at
gmangold@MarkelCorp.com.
Charles Kopplin, P.E., FACEC, has more than 40 years of experience
as a consulting engineer, including 14 years as the risk manager for
an ENR Top 500 Design Firm. He can be reached at cw.kopplin@
gmail.com.
Table of Contents for the Digital Edition of Engineering Inc. - July/August 2015