Hackers are no longer focusing their efforts on breaching technology, but instead focusing on the softer target of people and processes, cyber experts say.
Shane Troyer, a business risk services leader for Grant Thornton LLP, gave his thoughts on cyber security and the threat it poses to the construction industry in a session for Buildex Vancouver. Troyer and his team even demonstrated how easy networks can be to breach and control with a live, controlled hack.
“A lot of people think about cyber security as protecting what is stored on your computer, but really it’s about protecting the broader system of communicating information, whether that is over the phone, by email, by scanner, by fax – all of these things have elements of cyber risk,” said Troyer.
He explained that in the past, cyber security was about hardening your network from attacks. But things like anti-virus software won’t protect one’s business from modern hackers.
“Technology is a piece of the puzzle, but these days I would say that it is more about processes and people,” said Troyer.
The consequences can be devastating. In 2019, cyber breaches cost Canadian organizations $3 billion and, on average, breaches weren’t noticed for 180 days. Troyer added that there have even been reports of ransomware software, programs that encrypt data until payment is made, running on networks for years to prevent backups from being made.
“That is someone sitting on your network and looking at what you are doing on a day-to-day basis,” said Troyer, noting that one of the most common ways a network is breached is through social engineering.
He explained that two common types of social engineering attacks are phishing and spear phishing. Phishing attacks send out emails to as many people as possible, often to try to get them to click on malicious links. These emails often appear to be from a bank or the RCMP. Once access to the network is gained, attackers collect private information to use or sell.
Spear phishing is more targeted. Attackers conduct research and try to trick a company using specific information.
Troyer recalled a client in the mining sector who had a CEO travelling in Africa to look at purchasing a mining site. Public information from the company’s website was used by attackers to replicate the CEO’s email format and address by using software. The attackers contacted the company’s accounts payable department asking for $8 million to be transferred into an account to purchase the mining site. But the company’s shrewd CFO saved the day by noticing the email was signed “Steven” instead of “Steve” and stopped the transaction.
But large mining companies making multi-million-dollar transactions aren’t the only targets. Troyer noted that smaller companies often have less sophisticated cyber security measures in place and still hold valuable personal information and intellectual property.
“They often don’t understand the crown jewels they have stored on their network,” said Troyer, adding that organizations with fewer than 250 employees have 1 in 52 employees targeted each year.
Cyber insurance can be a great way to mitigate the risk, but Troyer urged caution.
“Some policies are voided if you haven’t implemented appropriate cyber risk controls,” said Troyer. “And in a lot of cases they don’t cover key things, like regulatory fines, which can be substantial, especially if you have operations in the U.S.”
In construction, Troyer explained that because employees are often at various sites using laptops, tablets and phones on Wi-Fi networks, they have unique challenges. Sharing data with various subcontractors and stakeholders outside of the network can open a company up to a breach.
“The more decentralized you are, the greater risk there is to your network,” he said.
And while the construction industry had been buzzing for years about the Internet of Things, the various cameras, control systems and even autonomous vehicles connected to a network can be easy prey for hackers.
Troyer demonstrated this with a colleague who showed how, once connected to a network, hacking into a camera system was easy to do without being detected.
In addition to doing an analysis of the gaps in one’s cyber security measures, Troyer said that the best thing a company can do is invest in training employees in cyber security.