10 key questions to self-assess your construction business’s cyber risk
Published 13 September 2017
With mandatory data breach reporting coming into effect on 23 February 2018, now is the time to review your business’s cyber security. These questions are designed to help you identify weak points in your business set-up.
Anyone who has access to your business’s digital systems could be a point of entry for a cyber attack which, depending on your security controls, could spread to operations farther up the supply chain. Your exposure could be triggered by something as simple as a malicious email message or a lack of control over login credentials.
Check our quiz to assess your business’s vulnerability
Do your employees have access to a shared online project management system?
Do you or your team use their own personal devices such as mobile phones or tablets to remotely access your project management system or apps?
Do you use GPS location software for fleet management?
Do you store business information in the cloud?
Do your clients have access to your business systems?
Does your business allow subcontractors (subs) to handle purchase orders?
Does your business sell products or services through an online portal?
Do you keep personal information about employees on digital record?
Does your business store bank account or credit card details?
Does your accounts payable process involve advanced authentication before a funds transfer is made?
Next steps to tighten your cyber security
If your business uses a shared online project management system…
Action: Shared systems on the internet should be protected by multi-factor authentication (MFA). MFA requires a second factor in addition to a password, such as a one-time code generated by an authenticator app on your phone or delivered by SMS (an app is preferable, because SMS codes can be intercepted or redirected through SIM swapping). Ask the provider of your online project management system whether MFA can be turned on, and turn it on for every user.
If you use your own personal devices…
Action: Make sure that personal devices such as PCs, mobile phones and tablets that are used to reach business systems have a screen lock or passcode, run anti-virus software (on Windows and Android), sit behind a firewall, and apply the manufacturer’s software updates as soon as they are available. A device that no longer receives updates should not be used for business access.
If you use GPS location software…
Action: GPS-based telematics is a useful fleet management tool, but the telematics units and the systems that collect their data are network-connected and can also provide entry points for cyber criminals. Only secured devices or systems should be connected to your in-vehicle systems, and the telematics portal you log in to should be protected like any other cloud system.
If you use the cloud for business…
Action: Whenever you use cloud systems, make sure multifactor authentication (MFA) is enabled. Where MFA is not available, protect the account with a strong, unique passphrase. A passphrase differs from a password in that it is a string of several words, long enough that it cannot be found by trying dictionary words or common passwords. Choose the words at random rather than using a well-known saying or song lyric, because famous phrases are in the word lists attackers try first. Length adds far more strength than swapping in numbers and capital letters, although you can add them if a system requires it. Use a different passphrase for each system, and a password manager to keep track of them.
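The following Python script is an added illustration, not part of the original article. It puts numbers on what makes a passphrase strong: it draws words from a wordlist using the operating system’s secure random source and compares the guessing strength, in bits, of random-word passphrases against random-character passwords. The twelve construction words are a constructed stand-in list for the demo; the figure of 7,776 words is the size of the EFF long wordlist, which is what a real generator would draw from.

```python
import math
import secrets

# Constructed stand-in wordlist for this demo. A real generator should draw
# from a large published list such as the EFF long wordlist (7,776 words);
# the entropy figures below are computed for a list of that size.
SAMPLE_WORDS = [
    "anchor", "bridge", "cement", "drill", "girder", "hammer",
    "ladder", "mortar", "plumb", "rivet", "scaffold", "trowel",
]
EFF_LONG_LIST_SIZE = 7776   # 6^5: one word per five dice rolls
PRINTABLE_ASCII = 94        # letters, digits and symbols on a keyboard


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Guessing strength in bits of num_words words drawn uniformly at random.

    Each word adds log2(wordlist_size) bits. A quote or song lyric is not
    random (the attacker can look it up too), so it is worth far less than
    this figure even when it is long.
    """
    return num_words * math.log2(wordlist_size)


def password_bits(length: int, alphabet_size: int) -> float:
    """Guessing strength in bits of a password of fully random characters."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words: int = 4, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Build a passphrase from randomly chosen words.

    secrets.choice uses the OS cryptographic random source; random.choice
    is seeded predictably and must not be used for credentials.
    """
    return sep.join(secrets.choice(words) for _ in range(num_words))


def words_for_target(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words from a list of wordlist_size reaching target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(4))
    for n in (3, 4, 5, 6):
        print(f"{n} random words from the EFF list: "
              f"{passphrase_bits(n, EFF_LONG_LIST_SIZE):.1f} bits")
    print(f"8 fully random printable characters: "
          f"{password_bits(8, PRINTABLE_ASCII):.1f} bits")
    print("words needed for 80 bits:", words_for_target(80, EFF_LONG_LIST_SIZE))
```

Four random words from a 7,776-word list (about 51.7 bits) roughly match eight fully random keyboard characters (about 52.4 bits) but are far easier to remember and type; five or six words comfortably exceed it, and seven reach 80 bits. The comparison holds only for genuinely random choices: a password a person makes up, or a known lyric with a few substitutions, is much weaker than these numbers suggest.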
If you allow your clients access to your business system…
Action: Review the level of access you give your clients and make sure each client can see only their own data. If your system can offer multifactor authentication (MFA) to your customers, turn it on and make it compulsory.
If you allow subs to handle purchase orders…
Action: Make sure you have a process to review every purchase order and confirm it is valid and legitimate before it is sent to your suppliers. In particular, verify any request to change a supplier’s bank account details by phoning the supplier on a number you already hold, not one given in the request.
If your website includes an online portal…
Action: If you subscribe to a third-party portal service, ask your supplier whether they have had their website tested for security weaknesses (a penetration test). If they have not, request that testing be completed and that you receive a copy of the results, and make sure your customers’ information is protected. If you run your own portal, when was the last time you had the site tested for security vulnerabilities? Have it tested at least once a year by qualified professionals, and again after any significant change.
If you keep personal information on file…
Action: Make sure that any personal information you hold is protected through safeguards such as multifactor authentication if it is stored in the cloud. If you store this type of information on your own computers, make sure they run up-to-date anti-virus software, have all software updates applied and sit behind a firewall. If your annual turnover is greater than $3 million you must comply with the Privacy Act (some smaller businesses, such as health service providers, are covered regardless of turnover). Breaches of the Privacy Act carry hefty fines and penalties if the personal information you hold is lost, stolen or misused.
If you keep bank account or credit card details on record…
Action: Make sure that any bank account details and credit card numbers stored in the cloud are adequately protected through safeguards such as multifactor authentication. If you store this type of information on your own computers, make sure they run up-to-date anti-virus software, have updates applied and sit behind a firewall. Better still, avoid storing full card numbers at all and let your payment provider hold them: any business that stores cardholder data takes on the obligations of the Payment Card Industry Data Security Standard (PCI DSS).
If you are using advanced authentication for funds transfers…
Action: Cyber criminals are smart, and even with secure systems in place you may still be a target. If you are unsure about the security of your systems and information, consult a professional for advice and help.
Ensure your business financially survives a cyber attack by having the right insurance. Talk to one of our cyber specialist experts today by calling 1800 240 432 or visiting www.ajg.com.au/insurance-solutions for obligation-free advice.