We often hear from builders that they don’t need cyber insurance because they use Xero and have an IT provider that takes care of their system. Or, more fundamentally, that even if they are hacked it won’t affect their ability to work, since they can still build a house without access to email.

This thinking is flawed and ignores the significant risk to small building businesses of their systems being breached.

On our recent roadshow we had builders in Christchurch and Wellington share their own personal experiences of being hacked. They all involved the changing of bank account details on invoices and the loss of many tens of thousands of dollars. This is a real threat.

Small businesses are an increasingly attractive and easy target for hackers, where the process to attack thousands of entities all at once is facilitated by software tools and artificial intelligence. They only need one success in a thousand and if that’s your system you’re in big trouble. Added to that, building businesses often deal with high value transactions, with deposits and progress payments in the tens of thousands of dollars, if not more. 

While insurance is available to assist if you are hacked (and this will both pay compensation for losses and lead the recovery effort – often the most valuable part of the cover for clients who have no idea how to handle a hacking event) what is almost more important is ensuring you have the right risk mitigation measures in place.

  1. Strong passwords (long phrases are recommended)
  2. Different passwords for social media accounts, banking and accounting applications
  3. Don’t store passwords on your devices or anywhere online!
  4. Implement two factor authentication on key applications (banking and accounting in particular)
  5. Conduct regular training with staff on how to recognise social engineering and phishing emails
  6. Are staff using personal devices to access work systems? This is a vector for vulnerability
  7. Put in place processes and controls so that any changes to bank account details and payments must verified first
  8. Communicate with customers so that they know what your legitimate bank account is and that this won’t change
  9. Ensure your IT service providers have strong systems and back up processes in the event of an incident
  10. Evaluate how secure your other key systems providers are, such as project management applications, and have a back up plan

The CERT website has some useful guidance: https://www.cert.govt.nz/individuals/guides