Although design and construction professionals rarely keep large amounts of intellectual property, personal information, trade secrets, and client lists on their internal computer systems, they are still targets for mercenary hackers and disgruntled former employees. Often this is because firms do not recognize that sharing information digitally can also open a path into their computer systems, while their internal controls and security systems provide inadequate protection.
Unlike attacks on retailers, where hackers are after personally identifiable information, targeted attacks against professional service firms are often acts of revenge intended to disrupt operations, or focused efforts by malicious hackers to steal information on highly sensitive matters such as project design elements or infrastructure control information. Increasingly, firms also have to respond to ransom demands in which digital information is held hostage by hackers looking for an easy financial score.
There is no single approach to developing more secure operations as part of cyber risk management within a professional service firm. Every organization has its own unique system configurations and settings, contractual legal obligations, operational policies and procedures, and practice culture. But all firms need to conduct a comprehensive risk assessment of their cyber security program against best practices and standards, so as to establish the baseline that will guide their risk management decisions.
Firms that routinely consider digital security assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant.
The Federal Trade Commission (FTC) has developed cyber security principles in its Start with Security: A Guide for Business. The publication’s guidance is based on the FTC’s data security settlements. Lessons from more than 50 FTC cases show how companies can improve their cyber security practices.
Some basic FTC tips include: 1) segment your network and monitor who is trying to get in and out; 2) make sure your service providers implement reasonable security measures; and 3) put procedures in place to keep your security current and address vulnerabilities that may arise. The business guidance lays out the following ten key steps to effective data security, drawn from the alleged facts in the FTC’s data security cases:
- Start with security.
- Control access to data sensibly.
- Require secure passwords and authentication.
- Store sensitive personal information securely and protect it during transmission.
- Segment your network and monitor who’s trying to get in and out.
- Secure remote access to your network.
- Apply sound security practices when developing new products.
- Make sure your service providers implement reasonable security measures.
- Put procedures in place to keep your security current and address vulnerabilities that may arise.
- Secure paper, physical media, and devices.
In addition to the Start with Security publication, the FTC has resources to help firms think through how security principles apply. There’s an online tutorial to help train employees; publications to address particular data security challenges; and news releases, blog posts, and guidance to help firms identify—and possibly prevent—pitfalls.