Bill Collins followed his career as a high-level executive in the roofing industry by becoming a consultant for companies looking for expertise in any of his varied fields of interest. In 2017, he broadened his scope and became intrigued by the developing buzz around cybersecurity. He began consuming information and among the things that stood out to him was an anticipated shortfall of cybersecurity jobs. So he got to work. 

“Knowing very little about IT and computers in general, I became worried about the vulnerabilities of my own computer and, more importantly, of my roofing industry clients,” said Collins, who recently graduated from a three-year program at Villanova University with a full master’s degree in cybersecurity. 

With major global hacks and ransomware attacks seemingly a daily occurrence, the timing couldn’t have been more opportune, or relevant, for business owners in the roofing space. 

“The most important concept that I got is that nothing is unhackable,” Collins told RC in a video/podcast series aimed at contractor cybersecurity at roofingcontractor.com. “What I learned was shocking.” 

Collins answered the following questions from RC.

RC: What shocked you about what you learned in your latest academic pursuits?

BC: The more I learned about legal aspects of e-commerce, cyber threats and defenses, computer forensics, risk assessments, etc., the more alarmed I became. This pushed me to learn about ethical hacking, network encryption, AI, ML, quantum computing, governmental regulations, and many new contacts. 

Like marketing, it’s a numbers game for the attacker. They go after everyone big or small — if they send out millions of attacks a day, it costs almost nothing, and if they only get a 3% hit rate (the FBI’s estimate), they get rich fast. As an internet user, it’s not a matter of if you will be breached, but when and how you respond, and unfortunately, the criminals look for easiest targets first, so you “don’t have to outrun the bear, you just have to outrun other targets.”

RC: You’ve said the most important concept is that nothing is unhackable. Why?

BC: There are even many ways to break into multi-factor authentication, which we all think is secure. Then I learned criminal and nation state attackers are usually after money, which these days means ransom dollars. They can and usually do buy preconfigured malware on the dark web that can break into your webpage or network in seconds with programs that get more sophisticated daily. 

RC: What are the biggest cybersecurity risks for contractors?

BC: The biggest risk is a breach that breaks into your network and gets to sensitive files through a phishing attack through an employee’s PC or phone that gives the attacker remote access. This may not only expose your sensitive business or competitive information but may expose third-party information that you’re required to protect, and that can create a legal liability. This can lead to higher ransom payments and fines. 

Once a phishing breach is successful via a Remote Access Trojan (RAT), it can lead the attacker to password information that can open up financial accounts and even allow an illegal funds transfer. 

RC: How critical is website maintenance?

BC: Badly designed, old, or poorly maintained websites can open what’s called a “watering hole” or cross-site scripting attack affecting your data or visitors to your website — planting malware on their devices when they visit your webpages or stealing their session credentials. A poorly designed webpage can also expose your own network to an SQL Injection server attack that can get into your most sensitive files to steal data. Finally, there’s a risk that a prior or disgruntled employee, or competitor with knowledge of passwords using an open or unclosed access permission, steals value business assets or information.

RC: What’s the latest trend on your worry list?

BC: Contractors should be aware that the attack vector is shifting rapidly to smartphone phishing attacks. There are three times more smartphones in use than PCs with more than 81% of Americans owning a smartphone and roughly 20% of American adults as “smartphone-only” internet users. 

Add to this, more effective mobile marketing — text messages have a 98% open rate and 90-second average time to respond — it’s easy to see why more than half the internet traffic worldwide is driven through mobile devices. 

RC: In the current climate, who’s more at risk, a company’s customers, or their vendors?

BC: With a proper security framework in place (such as NIST, SANS top20 or OWASP Top Ten Security Risks), which companies dealing with large vendors are required to use, the biggest risk is to your customers. However, your vendors can still be reached as a result of a successful phishing or spear phishing attack that can be very hard to stop. The weakest link is people, and they make errors. 

As an example, criminals target professionals with fake job offers tailored to them based on information from their LinkedIn profiles. I almost got caught by one of these asking me with references to my past roofing experience to be a paid advisor — just open a link on an email to confirm my interest. 

RC: How can overlooking cybersecurity impact sales?

BC: It’s really a matter of when, not if. Experts say that half the cyber-attacks are against small to medium size enterprises (SMEs) with under 500 employees, and most will eventually have a severe breach or face ransomware. If you’re breached and it becomes known, you’ll probably lose nine of 10 customers. It’s reported that 60% of SMEs suffering a cyber-attack are out of business within six months. Eighty percent (80%) of SMEs don’t have funds to recover from a breach with an average attack cost of $120,000, according to InsuranceBee, a cyber-insurance firm. Construction industries are particularly vulnerable and are the leading industry target for phishing attacks, according to eSentire, as they are considered to be “low hanging fruit” with access to bigger accounts by cyber criminals. 

RC: Where do contractors start in order to protect themselves?

BC: First, create a culture of security and awareness with operational security, continuous security awareness training, tabletop exercises and simulations. Work with security professionals to set up a security governance program. Lock down remote connections you don’t control, disable ports and channels that you don’t use. Document processes and implement controls. Find a security company to help your security maturity. Educate yourself and set the example.

Second, periodically identify all assets (physical or virtual) that need to be protected. Evaluate threats and vulnerabilities and the level of risk you are willing to tolerate. Your IT folks or MSP (managed service provider) may be able to assist with this. But, if you do go outside for help, make sure the people who do this for you teach your IT folks so they can learn.