By Ted McIntyre with Phil Fodchuk, Partner, Cyber Security & Privacy, MNP Digital
With the building industry so vulnerable to ransomware attacks, you need to take preventative measures
Last March was a tough month for cybersecurity, with both the municipalities of Hamilton and Huntsville attacked and held ransom. Even the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), the federal watchdog agency that oversees terrorist and organized crime financial activities, had to go offline because of a major breach.
If entire cities and national agencies are vulnerable, your office or home computer, along with all the corporate and client info contained within, is also ripe for the picking. And size doesn’t matter. In fact, 43% of cyberattacks target small and medium-sized businesses, with an average revenue loss per attack of $300,000 (and growing).
What’s worse, file encryption software provider NordLocker has recently cited construction as the industry at highest risk for ransomware attacks due to its reliance on computer programs such as CAD, BIM and other interconnecting cloud-based tools.
“Federally run Cyber Centre Canada estimates that breaches are growing 10-12% on average per year in Canada,” advises cybersecurity expert Phil Fodchuk. With more than 25 years of experience in the field, Fodchuk’s work has ranged from law enforcement consulting to serving as chief information security officer at multiple firms including, most recently, MNP Digital.
“We manage several hundred engagements per year for clients in Canada—responding to attacks and helping them take preventative measures,” Fodchuk says. And yes, that list has included Ontario home builders.
OHB: What do you say to modestly sized firms that think they’re too obscure to be targeted?
PF: “If anything has changed over my time doing this, it’s that everybody is now a target. Since everything we do now is digitized and connected, it’s almost irrelevant how big you are. If you’re connected to the internet, you’re a potential target. And for the vast majority of us, the attacks have become automated, so it really doesn’t matter who you are.”
Are home builders particularly vulnerable due to so much design software sharing?
“The more you are reliant on being interconnected, the more potential pipelines of attack. As an industry evolves towards requiring higher cyber security standards, attackers will look for an easier target. But for now, construction is one of the industries with a lower amount of regulation from a cyber security perspective. And unfortunately ransomware has really evolved. It used to be one-to-one, meaning an attacker would somehow get on your computer and infect it—usually through phishing emails, which is still the most common approach. Then they would lock you out until you paid a ransom. But now when an attacker gets on your system, they copy all your data first, and it then becomes a hostage negotiation. It’s not good enough that you have everything backed up. They’ll say, ‘We have your data and we’re going to release that data publicly and cause you reputational damage.’ Or they can potentially use your client’s private information against those individuals since you’ve given them these extra targets.”
Do most companies pay the ransom?
“Canada is actually near the bottom of the list globally for paying cyber ransom. I think we’re sitting around 8%, although obviously not everybody is reporting. The recommendation globally is not to pay, but it’s still a business decision. If your data is encrypted, you might not be able to get it back and need to pay. But about 30% to 40% of the companies who do pay will see another attack within a year. It’s not like it comes with a warranty guarantee!”
The work-from-home model can’t be helping this problem.
PF: “It has definitely exposed more of the threat landscape. Your home computer doesn’t have to meet a lot of the same standards as are required at work—you can do whatever you like and visit whatever websites you want on your home computer. But if you’re ‘remoting’ into your company, you’re introducing those risks to the company’s system. And it’s very difficult for companies to manage a staff member’s personal home computer.”
Phishing emails are getting better too, aren’t they? How would you get me to bite?
“I would start with social media. Whether it’s Facebook, Instagram, LinkedIn, etc., we intentionally give out a lot of information—our names, friends, where we work, our previous jobs, details of what we’re working on… All of that can be used in a phishing email crafted to get you to engage. As opposed to a typical spam email about something generic, where our mental filters usually guard us, I can send you a LinkedIn message or find your email online and write, ‘I saw that you worked at company X a couple of years ago and I’m recruiting for a really big project opportunity over here. Click on this link if you want to see more about the job. I think you’d be a great fit.’ This message immediately resonates with you because it’s so specific.”
Is a lack of companies backing up their data a consistent issue?
“We are seeing increasing backups, but a lot of that is driven by insurance companies putting out that standard when determining your rates, or even prior to providing cyber insurance. ‘Do you have firewalls? Do you have antivirus software? Have you tested your backup to make sure it’s working in case you need it? Do you have a Plan B?’”
So what should that Plan B entail?
“First, make sure you have an agreement or a retainer in place with a law firm. Have a plan with your IT or cybersecurity provider so that you can call them at 2 a.m. and they’ll respond within 30 minutes. But the biggest thing is to have an internal plan: ‘What are the first steps we as an organization will take? Who will manage it? Where’s the contact list of our IT or accounting/financial providers? Where are our backups and how do we recover them? If we need new computers, who’s the contact?’ Train your staff and have all those details at hand so that you can get back up and running as fast as possible. Your insurance coverage may also have built-in digital forensics or a cybersecurity expert on retainer.
“And finally, go through a simulated incident: ‘All our computers have been shut off—what do we do?’ And then test it! Call your IT provider. Is their number valid? Do they answer? Does your insurance provider have 24/7 support?”
Do you test a client’s website for vulnerabilities?
“As part of an assessment service, we can conduct a vulnerability or penetration test, where we act like a hacker and see how easy it would be to get in and what you could see if you did. An audit is more formal, where we visit the company and go through everything, including processes and controls.”
And what preventative measures do you recommend companies take?
“What’s 80% effective is standard hygiene protocol. First is backing up data, whether offline or online in the cloud like Microsoft 365. The second thing is multi-factor authentication, where after logging in with your username and password you receive a temporary code via a text message or app that needs to be entered. It really reduces the volume of attacks by creating that extra barrier. On top of that is awareness training. There’s a lot of free training I promote from Cyber Centre Canada, which is really good—how to be aware of phishing attempts, how to look for fraud, etc. Some of it has even been adopted by U.S. Homeland Security.
“Also, have unique passwords for staff that also change every 30-60 days. For attackers to get their malware to work, they need your username, password and authentication to work. These are all things that any size company can do with minimal or no cost.
“And from a personal standpoint, advise staff not to use the same usernames and passwords. If one is compromised, the first thing attackers will do is try those usernames and passwords on all of your social media, banking and other sites. Helping your employees safeguard their personal lives helps you protect your company.”