Engineering Inc - July/August 2019 - 25

THE IMPORTANCE OF STAFF TRAINING

Because hackers rely so heavily on phishing and spear phishing to
steal credentials and penetrate networks, it is essential that staffers
be trained to distinguish legitimate emails from fraudulent ones-a
skill that has grown more difficult as hackers have become more
sophisticated. Whereas phishing emails were once littered with
spelling errors and grammatical mistakes, they now sometimes
contain official corporate logos and utilize detailed knowledge of
organizational charts.
Effective training sessions will also cover other, often overlooked,
aspects of cybersecurity. For example, hackers will sometimes set
up unsecured Wi-Fi connections in public spaces like airports, and
then use those connections to steal credentials and data from unsuspecting employees. Without cybersecurity training, some staffers
may not know that such an attack is possible.
"It all starts with education," Nelson says. "That is one of the
things we have really beefed up as an organization. We have cybersecurity as a module in our onboarding for our new employees,
and we conduct training on an ongoing basis throughout the year.
Everybody is exposed to all the tricks of the trade and the things
they might be asked to do. It has proven to be one of the most effective tools we could put in place."
Nelson's firm conducts its own training sessions, but he notes that
smaller firms can bring in outside consultants to educate staffers.
Herlihy says his company works with a consultant to put employees through cybersecurity training. The consultant even sends out
(harmless) phishing emails to staffers to see whether they click
on bogus links. "We were taught to hover over the sender's email
address to see whether there might be
something slightly different from the
real email address," Herlihy says. "That
training is critical."
Buchheit says there is one central
message to the anti-phishing training
that staffers at his firm receive. "Whatever you do, do not click on the attachment," he says. "Instead, we tell people
to forward the message to IT. They
have the ability to figure out where it
originated. They can extract metadata,
"Nearly all
then use that information to inform
businesses
our filters and block future attempts."

are at least
asking to get
quotes for
cybersecurity
insurance."

MIKE HERLIHY
EXECUTIVE VICE
PRESIDENT AND
PARTNER
AMES & GOUGH
MEMBER, ACEC
RISK MANAGEMENT
COMMITTEE

COVERING
AGAINST LOSSES

Only a few years ago, cybersecurity
insurance policies were nearly unheard
of. Some liability policies covered
firms if they accidentally shared
infected files with their clients, but
stand-alone cybersecurity policies that
cover a firm's own losses are relatively
new.
Still, Herlihy estimates that 60 to
70 percent of his clients are opting
for cybersecurity coverage. "Nearly
all businesses are at least asking to get

A 13-POINT RISK
MANAGEMENT CHECKLIST
When firms attempt to obtain cybersecurity insurance,
they will likely be asked if they have put the following
precautions in place:
1.

Up-to-date, active firewall technology

Patch management

Multifactor login for privileged access

Remote access limited to VPN

Incident response plan

Media and website content controls

Require service providers to demonstrate adequate
network security

Updated anti-virus software active on all computers
and networks

Intrusion detection software

10. Data backup procedures
11. Procedure to test or audit network security controls
12. Disaster recovery plan or business continuity plan
13. A person or department responsible for
information security

quotes for cybersecurity insurance," he says. "Certainly, when a
company is up for renewal, we are advising them that they should
be carrying it. Another factor driving the decision for engineering
firms to purchase cybersecurity insurance is that some clients
are insisting in their contracts that firms have standalone cyber
insurance policies."
Nelson says his firm began carrying cybersecurity insurance
three to four years ago. He recommends that firms not only buy
coverage but also carefully evaluate different providers and their
ability to help a company respond to a cyberattack.
"If you just buy a cyber policy, you can report back to your
board that you have it, but there is a lot of due diligence you need
to do to make sure the policy is meaningful," he says. "You are
hiring a partner-more so than almost any other insurance-by
way of someone who has a dedicated team that can respond to
an event immediately, help you sort out how it happened, and
remedy your system to get you back up and operating."
According to Herlihy, that type of partnership can help firms
not only to respond to attacks but also to prevent them.
"Even if you do not have a claim for a loss, there is a lot of
useful information [during the approval process] that helps people
figure out how to design a program to protect themselves," he
says. "You are getting a lot of upfront help, in hopes that you
never have a claim. It is definitely money well spent." n
Calvin Hennick is a business, technology and travel writer based in
Milton, Massachusetts.

JULY / AUGUST 2019

ENGINEERING INC.

Engineering Inc - July/August 2019

Table of Contents for the Digital Edition of Engineering Inc - July/August 2019