Cyber security requires vigilance by the entire team

Shannon Moneo
Security at construction sites may have tightened up in the last decade, but all it takes for a cyber attack is one fast-working interloper to nab an on-site tablet or laptop, or office staff who mistakenly click a bogus link or email. In both cases, critical company information has likely fallen into criminal hands.

While construction data may not seem as pivotal as big bank or health industry information, that perspective is misguided, said KPMG’s national cyber-security leader.

"There’s always somebody who wants your data," said Paul Hanley. "It’s valuable to somebody."

Hanley’s counterpart, Eric Rae, KPMG’s Vancouver leader for cyber security, said that the perception that construction information is less sensitive has meant that the industry has fewer data security measures in place. Attacks typically happen for two reasons: to make money or to defame or harm the reputation of companies or individuals, Rae said. The rise of the dark net, known as TOR (The Onion Router), has allowed criminals to anonymously conduct online business. Stolen data, simply one more commodity, is bought and sold. Valuable data includes budgets, bid information, trade secrets, employee information and acquisition/merger details.

As well, the industry has become more inter-connected, with multiple companies and trades working on a single project, producing a vast pool of information. Coveted is data from "smart" buildings, which is information that controls the structures, said Bradley Freedman, a nationally recognized IT expert and lawyer at Borden Ladner Gervais in Vancouver. Hijacking a prison’s access codes, a hospital’s temperature controls or an airport’s communication system could be catastrophic. While the small sub-contractor working on a project may not appear to be the likely target, the contractor could have information, such as access codes, that is valuable to many, Freedman said. When 110 million customer records were digitally stolen from Target Corporation in 2013, hackers used an HVAC contractor’s electronic billing connection. Cyber criminals usually target the weakest links in the chain, Freedman said.

A 2014 survey by the Ponemon Institute, a private-sector think tank that specializes in privacy and information security strategies, found that 36 per cent of the survey’s Canadian companies had experienced one or more cyber attacks in the previous year. Also troubling is that companies can be cyber attack victims and not know it. The "Beyond the Breach" report found that in 2013, it took 229 days before a business discovered that its system had been hacked. In one astounding case, a security breach wasn’t detected for 10 years, Hanley said. As Freedman said, two types of businesses exist: those that have been hacked and know it, and those that have been hacked and don’t know it. So, how does a company, faced with very sophisticated hackers who are usually one step ahead of them, safeguard its crown jewels? First, companies must understand that cyber attacks can be achieved by either strangers or "trusted insiders," he said. Trusted insiders can be employees, senior management, directors, suppliers or contractors. "Anyone let in, based on trust," he said. Trusted insiders can unwittingly cause problems by leaving passwords in the open, responding to phishing emails, using an infected USB stick or misplacing a handheld device. Other trusted insiders may maliciously launch cyber attacks based on jealousy, greed or power-grabs. To counter insider risk, a company needs to examine how it’s organized and to ensure that staff are trained to avoid hack attacks. Freedman advised that perimeter security is only part of the battle.

"It’s about managing risk. It’s a continuous event," he said. "Identify, manage, respond." Technical assistance, legal advice and insurance should all be obtained. He also said to document the processes. Hanley recommended having solid policies and procedures in place as well as rigid standards.

"Detect and react to security incidents in a timely manner. Have a good auditing system. Reaction is key. If you’re not responding, you’ll have a serious problem," he said. At construction sites, vigilance is key. "Call out those you don’t recognize at the site," Rae advises.

Use cables to attach laptops to immobile objects. Even safer, don’t store sensitive data on worksite devices, he said. In the office, phishing has become very common because it’s easier to manipulate users than to break into systems, Rae said. Staff must be well-trained to avoid clicking on unknown links or attachments. Password protection is critical. Part of KPMG’s work with clients is what Hanley called "ethical hacking," where KPMG teams try to access company data.

"If our consultants can access your data, then the bad guys can," he said. If a company suffers a cyber attack, it needs to understand, contain and respond to the incident, as well as satisfy reporting requirements, Freedman said. Rae said it’s an ongoing struggle. "It’s a cat and mouse game," he said. "There’s always something new."
