Every day your real estate or construction company becomes a more tempting target for cyber attackers.
The rewards that appeal to cyber criminals include proprietary information such as proposals, engineering drawings and building designs; intellectual property such as design rights; financial information; personally identifiable information of customers and vendors; email accounts; ransom of files for money and much more. Cyber criminals are motivated not only by money, but also by espionage, extortion and even simple notoriety.
For real estate and construction companies, protecting operations, assets and people calls for effective cyber defences. Industry insiders refer to this as establishing a "strong security posture" and it necessitates adopting a proactive enterprise risk management approach to mitigate the most dangerous risks.
The first step in boosting an enterprise's cyber security is understanding and accepting that there is a good chance a breach could happen to you. There are increasing numbers of attacks on companies in this industry simply because too many owners and executives believe a cyber breach won't happen to them.
The size of an enterprise does not matter. Nearly half of all cyber attacks globally last year were committed against small businesses. Small- to mid-sized real estate and construction companies are seeing more cyber attacks for one simple reason: inadequate defences.
Preying on known vulnerabilities, attackers can compromise an organization within minutes. Moreover, cyber threats have evolved from the digital world into the physical world. There are now cyber attacks on building infrastructure and systems.
As organizations in this sector increasingly integrate smart technologies and devices into building systems — power, life safety, HVAC, lighting, thermostats, telephone, internet, elevators — there are more opportunities for hackers and attackers to breach these systems and to cause more damage.
The impact of a database cyber breach can be punishing to finances and brand: business interruption, loss of customers and market share, costs of restoration, damage to reputation and possible liability claims. A breach of a property's security or life safety systems, however, could have catastrophic effects — even potential harm to human life.
The risk of a cyber breach happening to your organization is quickly rising. A study conducted by Ipsos on behalf of MNP in January 2017 revealed that half of Canadian C-suite executives and nearly a quarter of entrepreneurs say the cyber security of their business was breached in the past year.
As the volume and sophistication of cyber attacks increase, these statistics will continue rising. Attackers use a wide variety of approaches to disrupt or gain access to systems and networks and their tactics constantly evolve.
- Malware (malicious software) includes spyware, worms, viruses, botnets and Trojan horses that cause damage to systems and files. Ransomware encrypts networks or files until a fee is paid to unlock them.
- Phishing involves using emails or false websites to trick people into disclosing personal information and credentials or to install malicious software.
- Pharming places malicious code on computers or servers, redirecting people to fraudulent web sites without their knowledge.
- Distributed denial of service (DDoS) attacks disrupt systems and networks by denying service unless an organization pays a fee.
- Compromised credentials occur when criminals steal passwords and usernames via cyber attack and sell them on the so-called dark web (underground Internet).
- SQL injections involve criminals inserting malicious code into databases, enabling them to steal the contents.
Every real estate and construction company needs a comprehensive, dynamic enterprise risk management approach to security that focuses on identifying and mitigating the likeliest and most dangerous risks to protect vital operations, assets, infrastructure and people.
Incoming legislation makes this a pressing imperative. Canada's new Digital Privacy Act has introduced mandatory breach notification. In 2017, organizations will be required to notify the Office of the Privacy Commissioner as well as the individuals affected if the organization experiences the loss or theft of personal information that puts these people at "real risk of significant harm." Failing to do so could result in fines of up to $100,000 per offence.
To determine whether your company is prepared to deter and to effectively handle a cyber breach, consider the following questions.
- Is the management team confident about the overall security preparedness of your organization?
- Do you have governance mechanisms in place to ensure security controls are effective?
- Have you identified the organization's key risks and vulnerabilities and implemented strategies to address these?
- Has management taken any recent actions to protect the enterprise from growing cyber security threats?
- Does your company have clear roles and responsibilities for identifying, monitoring and responding to cyber security incidents?
- Have you identified and protected information "crown jewels"?
- Have you scrutinized the security posture of key supply chain partners?
- Does an objective third party regularly test your organization's vulnerability to cyber attack?
- Do you have a crisis plan in place in the event of a cyber breach?
Without adequate protection, cyber security threats can put your customers and tenants, operations, reputation — even the survival of the business — at risk.
Protecting your company from cyber catastrophe first requires acknowledging that a damaging cyber breach can happen to your organization. Then it requires building a strong security posture. MNP's industry-leading Cyber Security team explains how in this series, created for the real estate and construction industry.
Lee Thiessen, MBA, is the National Real Estate and Construction Leader of MNP. Contact Lee at 403.263.3385 or lee.thiessen@mnp.ca.
Danny Timmins, CISSP, is the National Cyber Security Leader of MNP and a member of the firm's Enterprise Risk Services team. Contact Danny at 905.607.9777 ext. 230.
This is the first in a series of articles featuring MNP perspectives on cyber security for Canada's real estate and construction companies. Future articles will review essential components of a strong security posture, including maturity and threat analyses, penetration testing, managed services and cyber breach incident response planning.