What construction companies can do to protect themselves against cyber attacks

Angela Gismondi
Cybercrimes are on the rise and no businesses are immune, not even construction.

“I get calls from small and medium size business owners and they describe a variety of cyber problems, everything from ransomware, to the loss of intellectual property, to losing personal identifiable information. Honestly, this just wasn’t part of their business planning,” said Larry Zelvin, head of financial crimes at BMO. “It’s not something they have necessarily experienced before.”

When it comes to who is attacking and why, he said there are five groups, including nation states and criminal actors. One of the biggest threats, and one of the hardest to deal with, is insiders.

In the construction industry, the motivation is predominantly financial.

“It’s really just about being on the Internet and bad actors, particularly nation states criminals, will go to the point of where they can see weaknesses,” Zelvin noted. “It’s sort of like water. Wherever it’s easiest to flow is where they go.”

He also said there could be a link to certain projects.

“There could be some places where multinationals may actually use insider information for bidding to help the companies in their countries to have a competitive advantage,” he said.

The supply chain can also make companies vulnerable.

“Our companies could be impacted not because they were directly targeted but rather vendors, service providers etc. have been impacted and that can lead to downstream events,” Zelvin said.

In terms of the most prevalent type of cybercrime, ransomware is the biggest area of concern, Zelvin said.

“Bad actors will steal information, sensitive information, company data that they wouldn’t want to be made public, everything from payroll to potential health care to contracts etc. and then what they’ll do is they’ll put malicious software or malware on the computer to lock it up so you don’t have access,” Zelvin explained.

“It’s a two-punch kind of attack: you’ve lost information and then you will have your computers locked up. The challenge of all that is that the price of these attacks continues to go up. They could be in the tens of millions of dollars.”

Others steal information for competitive advantage.

“You have the insiders and environmentalists that are trying to impact reputation, trying to embarrass, impact status, the financial ability to raise money or to gain other contracts,” Zelvin noted. “It really depends on the actor and their motivation, but it’s everything from potentially extortion, to commercial espionage, to impacting reputation and the ability of the firm to either do business or attract new business.”

Cyber criminals will also use information that comes from social media and from the press.

“If there is a big contract awarded or something that is creating controversy that will make you an even bigger target,” Zelvin said. “When you look at philanthropy, if you’re giving money to a number of causes and the money is significant it just identifies you and your company in ways that you may not have thought of previously.”

What can businesses do to protect themselves?

“The analogy I use is hopefully you go to your doctor every year, hopefully you go to your dentist every year, you look at your finances every year,” Zelvin stated.

“One of the things you could do and should do … is get a cybersecurity company, a reputable one … to come and do a survey to let you know what your weaknesses are.”

The other thing companies can do is hire a penetration tester or a “red team.”

“These folks will literally attack your systems and networks to look for vulnerabilities,” he said. “There is no better way to know what’s going on than to have somebody emulate a bad actor and see if they can get in and if so, how and where you can strengthen your defenses.”

Companies can also look to cloud companies to store sensitive data.

“They can invest and put more resources towards security than most small and medium size businesses,” Zelvin said.

Cyber insurance is also worth considering.

“You’ve got to read the policies very carefully because they are becoming more and more difficult, but it could make a difference particularly in a small company that has a ransomware attack,” Zelvin said.

“It gives them access to funds and a way to not only do incident response but if a ransom is going to be paid to pay it.”

He also encourages a lot of training and education for employees.

“Employees can be the weakest link by clicking on links and attachments,” Zelvin pointed out.

“Letting them know there is a threat, letting them know there is potential for harm here. For construction companies it becomes even more interesting because of the use of subcontractors, the use of short-term labour.

“Construction is becoming more technical each and every day, but as people get onto those systems and those networks they need to be trained as well because you are only as strong as your weakest link.”

Follow the author on Twitter @DCN_Angela
