Engineering Inc - July/August 2019 - 24

Cyberattacks can be especially devastating for small and midsized businesses, which may lack the resources to bounce back after
a large financial or data loss. "Most engineering firms are small or
midmarket firms," Nelson says. "So that really hits home."
One of the most pressing cyber dangers facing engineering firms
is ransomware-malicious software that locks down access to
corporate data until a company pays a "ransom" to the hackers.
"We work on extremely large proposals, and their cost of preparation can be in the hundreds of thousands of dollars. A ransomware
attack that locked down the proposal documents immediately
before submission would present a significant risk," says John Buchheit, senior vice president and corporate risk officer
at Gannett Fleming, and chair of ACEC's Risk
Management Committee. "If we had a proposal
due today at 4 p.m., and hackers locked down the
proposal with ransomware, there would be more at
stake in not meeting that deadline than in paying
the ransom."
According to Buchheit, Gannett Fleming has
experienced one minor ransomware incident that
seized control of a single workstation, but files were
restored from a backup server.
Social engineering attacks such as phishing or
spear phishing are also prevalent-and potentially
costly. "Phishing" occurs when an attacker attempts
to trick targets into entering credentials such as
usernames and passwords via a phony link; "spear
phishing" attacks are similar but use personalization-such as the spoofing of a boss's or colleague's
email address-to fool victims.
Nelson says that an employee at his firm was nearly tricked
by an email that appeared to be from a manager, instructing the
employee to purchase gift cards for a fundraiser and then share the
codes on the cards. The scam was only caught because the company requires multiple people to sign off on such expenditures.
"We have even had attempts where attackers have
mimicked the writing style of our CEO," Nelson says.
"The level of sophistication of the phishing attacks is really
mind-blowing."

Engineering firms must put in place
cybersecurity tools such as firewalls,
endpoint security solutions, and identity
and access management tools. But processes are also important. For instance,
a policy requiring callback verification
for any changes to payment information
can prevent firms from disbursing funds
to fraudsters. And a policy requiring
employees to change their passwords
"We look at
at set intervals can limit the amount
of time that hackers the data from
are able to leverage
the attempts
stolen credentials.
"Cybersecurity
on our servers,
plans need to be
and there are
quite comprehensive," says Andrew
an awful lot of
Mendelson, chief
attempts on
risk management
officer of the proa daily basis.
fessional liability
I believe it is
insurance company
Berkley Design
happening to
Professional, and
everybody in
an ACEC Risk
Management
the industry."
Committee memTERRY C. NELSON
ber. "The goal is to
VICE
PRESIDENT OF
protect the confidentiality, integrity
RISK MANAGEMENT
and availability of data and informaFOTH
tion. In order to do that, you have to
VICE CHAIR, ACEC
address the people, policies, proceRISK MANAGEMENT
COMMITTEE
dures and technology."
Mendelson calls password
hygiene the "low-hanging fruit"
of cybersecurity and says that firms should not only require
employees to regularly change their passwords but should also
implement stringent requirements for password complexity.
For example, firms should require a certain number and mix
of letters, numbers and symbols. According to Mendelson,
firms should also regularly (not less than daily) back up their
data to limit the potential damage of a ransomware attack or
other cyberattack.

According to
the National
Cybersecurity
Alliance,
60 percent
of small and midsized companies
will go out of
business within
six months of a
successful hack

PUTTING SECURITY MEASURES IN PLACE

The phishing attacks that swindled Herlihy's clients out of
thousands of dollars could have been prevented through
technologies and procedures designed to boost cybersecurity.

CYBERSECURITY: BY THE NUMBERS
1.95 billion
The total number of records
containing
personal and
other sensitive
data that were
compromised
between
Jan. 1, 2017,
and March 20,
2018.

191
The average
number of
days it takes
for organizations to
identify a data
breach.

77 percent
The portion
of IT professionals who
say their
organizations
lack a formal
cybersecurity incident
response plan.

76 percent
The portion
of organizations that say
they would
likely increase
cybersecurity
spending
following a
breach that
causes significant damage.
SOURCE: TECHBEACON

ENGINEERING INC.

JULY / AUGUST 2019

64 percent
The portion of
organizations
who say they
would not
increase their
cybersecurity
budgets after
an attack that
does not cause
harm.

75 percent
The portion of
data breaches
caused by
external
attackers.

25 percent
The portion
of breaches
caused by
careless, negligent or malicious insiders
with legitimate
access to systems and data.

71 percent
The portion
of U.S. enterprises that
report suffering at least
one data
breach over
the past few
years.

56 percent
The portion
of IT decisionmakers who
identify phishing attacks
as their biggest current
cybersecurity
threat.

Engineering Inc - July/August 2019

Table of Contents for the Digital Edition of Engineering Inc - July/August 2019