CARM SUMMIT
Reducing the Rising Risk of Cyber Attacks
No matter the sector of construction
operations, workers within
the construction industry will
be exposed to a multitude of
unique and potentially large risks. These
exposures can affect a company’s ability
to complete or deliver a project within the
expected budget if they are not effectively
managed and addressed.
One such exposure is cybercrime,
which is defined as an event or incident
carried out by threat actors with the intent
to compromise the security of a computer
network. The most common types include
data breach, malware, ransomware, denial
of service and phishing. Cybercrime has
graduated to the top five risks for most
organizations. Every business connected to
a digital network, even in the slightest way,
is vulnerable. An industry that uses cutting-edge
technology to help lower construction
costs, meet deadlines and stay competitive
and efficient, as the construction
industry does, is certainly not exempt.
Many companies feel that their exposure
to a cyber event is minimal because the only
personally identifiable information they
store is that of their employees, because their
business is too small for cybercriminals to
target, or because the impact on their business
will be minor. Statistics tell another story:
• Forty-three per cent of cyber events
target small businesses (less than 1,000
employees) (Ponemon Institute).
• Over 40 per cent of cyber events
reported in Canada were caused by
ransomware or theft of funds (CFC
Underwriting April 2019 Claims
data report).
• The average ransomware payment in Q4
2019 was $84,116 (Coveware).
• The average time to identify and contain
a system breach in Canada is 279 days
(Ponemon Institute).
• A ransomware attack causes, on
average, 16.2 days of business
interruption (Coveware).
As the statistics demonstrate, it is not
if a cyber event will happen, but when.
Motivated threat actors will find a vulnerability
and use whatever theme they can.
Most recently, amid the confusion and
uncertainty of the COVID-19 pandemic,
as management teams rushed to make
decisions and relocate employees to work
from home and were preoccupied with
how to keep their families, employees and
customers safe, threat actors launched
phishing campaigns through just about
every channel: emails, text messages, phone
calls, social media and websites.
While some businesses may be able to
survive a cyber event, it can be another financial
hurdle for most entities. Reputational
harm, the loss of revenue caused by
diminishing customer confidence and the
subsequent loss of business experienced in
the months following a cyber incident are
harsh consequences no business wants to
deal with.
What to do to protect an organization
Step 1
Identify the risks the company and its
operations are subject to, including asset
management, business environment, governance,
risk assessment and risk management
strategy. Failing to implement concrete
steps to mitigate cyber risk
can be construed as a failure of the directors
and officers to fulfill their duty of care to the
company and shareholders, and exposes
these directors and officers to potential
litigation.
Submitted by BFL Canada
Issue 1 2020, www.carm.ca