ORLANDO, Fla. — If you’re like most contractors, you have a desktop computer at your office, a laptop or tablet that you carry to jobsites and a smartphone that goes everywhere with you.

They’re all connected to the Internet, and they all put you and your company at risk of identity theft. 

That was the warning Paul Gouge, a risk consultant at mega insurance agency CNA, gave to International Roofing Expo attendees at his Feb. 18 session on privacy and security issues in the construction industry.

The industry is still trying to catch up with the criminals who work full time on stealing sensitive data.

“Their whole goal is to make a lot of money” selling your personal and business information, Gouge said.

Most standard liability insurance policies do not currently cover cyber theft, he said, adding CNA has paid out a lot of money to companies that do include riders for such incidents with their insurance.

“The average laptop theft is costing us about $50,000 — not because of the device, but because of the value of the information that’s on it,” Gouge said.
Typical information security threats include viruses; denial-of-service attacks, where your server shuts down; attacks by computer hackers, malicious hardware; theft of physical devices or media; accidental release of confidential information; and sabotage by rouge employees.

Gouge gave a few examples based on real events. A few years ago, a worker spotted an ad in the local newspaper’s help-wanted section placed by her employer for a job that sounded just like hers. Figuring she was about to be fired, she wiped the company’s servers of all project and client information. She was arrested and prosecuted. Her boss was actually only attempting to hire an assistant for her.

He pointed out that the well-known security breach of Target Corp. credit card information came from the lax security practices of an HVAC construction companies hired by Target to monitor its buildings.

Other examples Gouge mentioned included information “skimmers” being installed at bank ATMs and emails from people attempting to get recipients to click links that allow them to remotely access company computers.

He suggesting watching for emails with poor English or bad grammar as a sign that they might be malicious or “phishing” for sensitive information.
Construction companies need to know their risk, he said. Does your company ever:

  • Collect data?
  • Outsource any network operations?
  • Share data with partners or vendors?
  • Is your website hosted on a shared server?

If any of those apply, your company is potentially at risk. 

“Technology changes rapidly — daily — so you’ve got to keep up with it,” Gouge said. 

When choosing an insurance policy for cyber theft, he said CNA recommends it includes items such as all removable media (laptops, SD cards, etc.), all private or confidential information, rouge employees, alleged use of spyware or spam software and sabotage due to emotional issues.