6 Ways Roofers Can Protect Against Ransomware Attacks

Experts and increasingly dire reports seem to be shouting a warning at roofers about cybercriminals: They’re coming for you.

In fact, a recent report from NordLocker showed that construction companies are now the no. 1 target for ransomware attacks. Ransomware is a virus that takes over a computer or device until the victim pays a fee to regain access. If the fee isn’t paid the attacker destroys all the data. While this tactic had been used on larger firms in the past, it’s now being employed against smaller companies such as roofing firms, experts said.

“There are a lot of contractors getting hit with ransomware,” confirmed John Kenney, COO of Cotney Attorneys and Consultants. “It’s not very public. But the truth is no one wants to talk about it because you don’t want it out there.”

Kenney said he’s talked to at least a dozen contractors who have been hit with ransomware demands ranging from $20,000 to $1 million. Nick Ondo is a commercial risk advisor for Furman Insurance, which works with more than 150 roofing companies. Ondo said he’s working with a client who’s been hit with a $1.2 million attack. That firm has already spent $50,000 in conflict resolution, he added.

That’s just a small snapshot of what’s happening. Compared to the same time last year, ransomware attacks have increased globally 93% with the average loss growing from $3.8 million to $4.9 million, according to a report from Check Point Research. Ondo said the pandemic’s remote working conditions helped fuel that growth. Just in the last six months, he’s worked with several roofers whose ransomware attackers have demanded $50,000.

“A lot of our clients don’t have sophisticated IT departments,” Ondo explained. “These hackers know that, and then they get into the system and passively monitor it and track every move.”

What’s more, many roofers don’t realize how vulnerable their systems and their businesses actually are to hackers. “We talk to a significant number of roofing contractors each week, and typically when we talk about cyber insurance, they’ll say ‘We’re good there,’” Ondo said. “They really don’t know how exposed they are.”

Both Kenney and Ondo agreed that the main way hackers access computer systems is through phishing emails. Phishing emails look like legitimate emails but contain links and other tricks that get employees to reveal sensitive information and provide a way to deploy viruses and ransomware attacks.

So, what can roofers do? Here are six steps to take.

1. Educate and train. The first line of defense is educating employees about phishing emails, how to spot them and what to do if they suspect they received one. Ongoing training and testing are necessary as well. “Basically, your breach is happening by someone in your company who gets tricked,” Kenney said. “And the hackers only have to be successful a small percentage of the time because they’re hitting thousands and thousands of employees.”

2. Keep software updated. Ondo said it’s imperative to make sure all software is updated to the latest version and that there are protocols in place to ensure that updates occur regularly. That’s because software makers often update their products to thwart the latest cyber-attacks. So, outdated software only heightens hackers’ ability to hijack systems.  

3. Strengthen passwords. Ondo recommended ensuring that systems are protected with multifactor authentication and stronger passwords. As the name suggests, multifactor authentication requires two devices to gain access to company networks. Typically, a verification gets sent to one device that must be entered on another device. For stronger passwords, Ondo said it’s a good idea to start using a longer passphrase or sentence rather than a shorter, simplistic password that can be more easily hacked.

4. Encrypt data and back it up in the cloud. Encrypted data is harder to hack and less vulnerable to ransomware attacks. Backing up data in the cloud ensures that even if the local system gets accessed, the data can’t be held for ransom. But Kenney said cloud backup isn’t foolproof because companies still store a lot of information on local drives.

5. Get cyber insurance. Although the cost has increased anywhere from 50% to 100%, experts said the investment is well worth it. Ondo said depending on the number of computers and whether the firm as an IT department a $5 million to $10 million company can expect to pay $5,000 to $8,000 per year for cyber insurance. “Of all the ancillary coverages there are, cyber is by far the largest exposure that any contractor doing business with computers is exposed to,” Ondo said.

6. Consult with experts. Cyber security consultants and local IT companies with cyber divisions can come into your business, find the weaknesses and help develop security policies to address them—before it’s too late. Some insurance companies, such as Furman, will come in and do their own report as part of developing an insurance premium. Resources also exist online, such as the Cybersecurity Toolkit for Small Businesses from the Global Cyber Alliance.

“If you conduct business on the internet, your company is not too small for a potential cyber-attack,” Ondo warned. “And it’s worth at least having the conversation with an IT expert to understand how exposed you are and how to mitigate that.”

Kenney offered this final warning: “It’s not a matter of if, it’s a matter of when right now. The more aware and the protected you are, the less likely you are to get hit.”