The CBC reports that leading Canadian general contractor Bird Construction was recently the victim of a cyberattack and ransom demand from a group known as Maze. The hacker group claims to have stolen 60 gigabytes of data.
Bird Construction was founded in 1920. Today it is a publicly-traded company with offices from coast-to-coast in Canada and annual revenue over $1.3 billion (2018). In addition to serving a wide range of institutional and commercial clients, Bird has undertaken multiple contracts at both the federal and provincial level. The CBC reports that between 2006 and 2015 alone, Bird won some four dozen contracts with the Department of National Defence worth more than $406 million.
In an email to the CBC, the company said, “Bird Construction responded to a cyber incident that resulted in the encryption of company files. Bird continued to function with no business impact, and we worked with leading cyber security experts to restore access to the affected files.” However, the company declined to say whether any ransom was paid.
The attack on Bird Construction represents a warning to the industry. The rapid adoption of technology at all levels of company operations is putting increased emphasis on protecting corporate and client information. In fact, according to accounting firm Grant Thornton, somewhere in the world a business is hit with a ransom ware attack every 14 seconds.
By the time a cyberattack is detected, however, the damage is done, leaving companies vulnerable to the potential illegal use of that data. Aaron Shull, Managing Director and General Counsel for the Centre for International Governance Innovation, told the CBC, “The problem, of course, is that once a company has been breached, it’s a little bit like trying to nail the barn door shut after the horse is already gone.”
In an advisory issued by global property and casualty insurer Chubb, authors Buonpane and Tanenbuam write, “Cyber risks have evolved rapidly and data breaches are now just the tip of the iceberg.” They identify four major areas of concern: malware and ransom ware; lost or stolen personal devices with access to corporate material and communications; phishing and social media scams; and the hacking of IoT devices of all types including wearables.
The authors advise companies to undertake three key internal steps to ensure their data is protected: employee education concerning “password hygiene” and information on the latest types of cyberattacks; maintaining up to date firewalls and security software; and making regular online and offline backups standard practice.
Some companies believe that moving files storage to the cloud somehow passes security responsibilities over to the cloud provider. While cloud-based technology may be the way of the future, this attitude can lead, however, to a false sense of security.
Grant Thornton warns, “a cloud subscription, on its own, doesn’t guarantee that your information is safe. The simple act of moving your information between your internal network and a cloud storage facility introduces new access points — points that could be targeted by hackers. The key is to identify new risks as they arise, and make sure you have the right coverage and protection to mitigate them moving forward.”
Grant Thornton suggests clearly identifying and building defense strategies around these risks.
First, decide what needs to be stored in the cloud, versus in-house storage or what can be disposed of entirely. “The nature of the safeguards will vary depending on the sensitivity of the information that has been collected; the amount, distribution, and format of the information; and the method of storage.”
Selecting the right cloud provider is also critical, Grant Thornton says. “As with most things, you get what you pay for, and low cost providers can often represent enhanced security risks.” Gain a clear understanding of what the provider is and is not responsible for in terms of security protocols, transparency, and legal liability in the event of an attack. “It’s important to ask the right questions upfront — and clarify any murky details.”
John Bleasby is a Coldwater, Ont. based freelance writer. Send comments and Inside Innovation column ideas to firstname.lastname@example.org.