Construction firms may have shifted some employees from the office to home, but cyberthreats remain for small to mid-size businesses.
Victoria, B.C.-based Ron Borsholm is a member of MNP’s Technology Solutions cyber team and was a keynote speaker at the BC Construction Safety Alliance’s (BCCSA) Health and Safety Conference, presented virtually on Oct. 14.
Cyberthreats have “taken a backburner to everything from the U.S. election to the pandemic,” Borsholm said, but in the meantime, threats have shifted from big companies to small to mid-size businesses.
“Cyber threats aren’t restricted to the big players. Targeting is happening more to mid-size markets who can’t protect themselves, and most organizations don’t want to admit they’ve been breached,” he said.
Smaller firms are less prepared to fend off threats, he said. Many are without a formal patching policy for their computers, “which is the primary way bad actors exploit organizations.”
Many firms also don’t have anti-malware applications enabled or even cyber security training for employees.
“It only takes one person clicking an attachment and malware can move across the organization,” Borsholm said.
The move to work from home at the start of the COVID-19 pandemic was a major cause of cyber threats.
“It happened extremely quickly. People didn’t look at the security involved and that led to breaches as well,” he said.
Ransomware, which occurs when malicious actors take control of a computer or network and demand payment to restore it, also rose dramatically in the shift to work from home, Borsholm said.
Phishing, where bad actors convince users to give away their information through fraudulent emails, is another major threat point, he added.
“The most used themes are new Microsoft Teams requests, COVID-19 alerts, Microsoft Office 365 expiry notices, deactivation of an old OneDrive account and OneDrive shared contact notifications,” Borsholm said.
In an MNP targeted phishing engagement for a client, he said, 500 employees were sent an initial email requesting they check their password strength by clicking a link for a password check page. A follow-up email was also sent with the same request.
“Fifty-one per cent clicked the link and 32 per cent provided their passwords,” Borsholm said.
Cybersecurity training for employees is key to keeping malicious actors at bay, he added.
“Users will always be the weakest link when it comes to information security. A training program should include leadership involvement and personalized training based on roles and access levels,” Borsholm said.
He also stressed the importance of patching as new security updates are released for operating systems.
“Patching is from an IT perspective probably the most important thing you can do. If you don’t have a dedicated IT staff managing your systems, then choose a managed service provider who can do so,” he said.
“Having unmanaged systems is not an option with the constant threats that technology faces today. Having assets and not knowing what they are is a recipe for disaster,” Borsholm added.
Hand in hand with a managed system is risk assessment and a plan for when breaches do occur.
“A threat assessment helps you understand where your business is at greatest risk and really does a 360 degree look at your organization,” he said.
Any plan should include an incident response plan dictating the actions of key employees, a legal team for guidance and to communicate cybersecurity matters within the court system if necessary, and a communications team to develop messaging both for clients and the media if needed.
Borsholm also encouraged companies to reach out to cybersecurity firms who can both help contain and eliminate threats and conduct digital forensics once an attack is resolved.
Follow the author on Twitter @JOCFrey.