A guide to cyber security safety in real estate and construction

How to secure your business from the threat of cyber attacks

Scammers, hackers, and malicious actors aren’t always pursuing things we would assume are valuable like financial information or intellectual property.

Criminals will often take information that’s valuable to the operation of the organization and hold it for ransom – it might not be valuable to anyone else but it’s valuable to you.

Impersonation can be an area of concern, particularly for the construction sector. Back in 2017, Edmonton’s MacEwan University paid nearly $12 million to a criminal impersonating a construction contractor after the university fell victim to a phishing scam.

In that case, the university failed to verify an email request to change banking information. The scam was only discovered after the real contractor, Clark Builders, failed to receive three payments, including one for more than $9 million.

There are a few simple steps that any organization can implement to help boost safety and resiliency of their cyber security.

Here are five fundamental components that every organization should consider implementing to help protect against cyber attacks:

1. Develop a security culture and raise awareness: A culture where individuals play a part in the protection of the organization’s information is crucial. If employees are encouraged to spot and report security concerns and are rewarded or praised when they do so, they’ll be less likely to sweep something under the rug or pass it off as unimportant. A culture where individuals are punished for accidentally falling victim creates a sense of self-preservation and will result in security concerns going unreported.
2. Implement multi-factor authentication wherever you can: Multi-factor authentication (also known as 2-step or 2-factor authentication) is a simple process where an individual validates their authentication beyond a username and password when logging into a system or service. It can be as simple as a six-digit code via text message, an authenticator app (like Google or Microsoft authenticator), or a fingerprint scanner. This means if a malicious actor compromises the credentials of an individual in the organization, the MFA is an additional step that prevents them getting access.
3. Implement a zero-trust strategy to information: Individuals in your organization should only be given access to information on a business need-to-know basis. Consider employing the “trust but verify” approach everywhere, meaning when someone is carrying out a request (like changing account information of a vendor or supplier), a process exists to follow-up and verify the request. It’s important to not assume that any request, even from someone you recognize, it automatically legitimate.
4. Develop a simple process to identify and report a security concern: For more people, cyber security is a very complicated subject and implementing complex ways to report a concern or expecting individuals to understand all the emerging threats is unrealistic. Instead, implement a simple set of rules and a simple process to spot and report a concern, like a shared email inbox.
5. Use a password manager to improve the strength of account security: Finally, account security is paramount to maintaining a secure organization and passwords are right at its core. Implementing an organization-wide password management tool (like LastPass or Dashlane) will ensure every password is unique and complex enough to remain secure. It also makes it easy to give access to shared services and keep track of account information within the organization.

Focussing on the benefits of embracing the technology available, you’ll be able to better understand where a cyber security attack might come from and how best to protect yourself against threats.