
Cybersecurity threats for constructors the ‘second pandemic,’ says expert

Angela Gismondi

As the adoption of new technology increases among general contractors and construction companies, so too do cybersecurity risks.

With the COVID-19 pandemic and the increased need to work remotely, cyber threats have grown exponentially in the last 18 months.

“What that did was increased the threat landscape of threat actors or malicious actors to benefit from,” said Ruby Rai, cyber practice leader, Canada with Marsh Canada. “If someone is using a remote connection which is not secure…what it does is it makes that organization a lot more vulnerable to being attacked.

“The risk is not going away any time soon,” she added. “Technology will keep getting adapted but at the same time we need to be conscious and recognize the use of technology creates risks.”

Rai was one of the speakers during the Ontario General Contractors Association’s Educate Me! virtual symposium’s panel, the Digital Transformation of the Construction Industry and how Cyber Risk will Change your Business.

Rai referred to ransomware as the “second pandemic.”

“It’s a bit of a double whammy because as organizations struggle to stay afloat, they are also now dealing with the additional expense of being attacked and exploited,” she noted.

Chris Johnson, SVP — national technology industry practice leader at Marsh Canada, said working from home is a weakest link solution.

“You really need to focus on that education piece for the staff, to better equip them to fight on your behalf against phishing attempts, cyber breaches or different attacks, because they become your frontline staff around defending your digital infrastructure,” he explained.

It is a misconception that cyber criminals only attack bigger companies.

“They absolutely go after the big fish for sure but they just as frequently go after the small ‘mom and pop shops’ who maybe don’t have the infrastructure, the knowledge or the support to handle anything other than to say, pay a couple thousand dollars…to unlock the system to regain business because they know they’ll do it quickly rather than risk the threat of being down for a month and most often going out of business,” he explained.

Cyber risk is not the responsibility of the IT department; it is an “every part of the business responsibility,” he added.

“It’s not simply ‘I need to solve a problem so I tick a box and walk away.’ There is an almost never-ending series of steps that need to be created and then maintained and secured for the life of the business.”

For small general contractors or organizations that don’t have an in-house IT services team, there are third-party companies that specialize in walking through your system and looking for vulnerabilities, he pointed out.

“They can do things like mock situations where you act as if a breach occurs and a ransomware event is happening live and have the ability to walk through the processes you put in place to see if they will actually hold up in real time,” he said.

In addition to having technology in place to combat threats, it’s also important to have effective processes to protect a company’s information and data and to make sure employers are aware of them, he added.

Cybersecurity is a growing concern for organizations but also for their partners and clients.

“We’re definitely seeing a shift when we are bidding on projects that the client is asking what is your security framework? What certifications do you have? What protections and safeguards do you have?” explained Adam Templeton, vice-president of information services with Aecon.

“You are essentially becoming a technology security company when you are bidding on these projects because you have to safeguard your client’s data.

“It’s not just about safeguarding and protecting your own reputation, it’s also the reputation potentially of your clients.”

“You need a breach coach or a data privacy lawyer, you need a forensic partner and you need a ransom first responder and maybe a crisis communication firm should you want to issue a press release or talk to your clients,” said Rai. “I always advise our clients to have their numbers at home because when systems go down and you’re not able to access your emails, you can’t access your incident response plan either.”

She added insurance companies can also provide support as it benefits them if the companies they insure are more secure.


Follow the author on Twitter @DCN_Angela.
