
Maturity and Threat Analysis


Don’t Be Low-hanging Fruit for Cyber Criminals

What are the odds and what could it cost? These are often the first questions real estate or construction company owners ask when weighing the benefits of investing — or not — in new cyber security measures.

Consider these statistics, which can help to answer these questions: MNP found that nearly 60 per cent of executives and entrepreneurs in a survey the firm conducted in January 2017 believe, or suspect, external hackers accessed confidential information from their businesses.

The respected Verizon Data Breach Investigation Report, which presents an annual overview of global cyber security threats, vulnerabilities and trends, indicates the real estate and construction sector is among those industries experiencing a growing number of security incidents.

MNP conducts penetration tests, essentially cyber attack simulations, for clients in this sector to identify security weaknesses and eliminate vulnerabilities before criminals can exploit them. In numerous instances, the MNP cyber security team successfully gained access to critical systems and sensitive data. So the threats are real, and potentially very damaging for companies in this sector.

The fact is, cyber breaches are increasingly common and increasingly expensive. When an organization is breached, the average consolidated cost is about $4 million, including lost revenue and customers, possibly a fine, brand damage and perhaps litigation as well.

Along with sensitive data and confidential information of employees, tenants and suppliers, building automation and management systems are becoming frequent cyber targets. Progressively interconnected systems, such as those for physical security access, ventilation, lighting, power, communications, elevators, parking, fire alarm and extinguishing, are all vulnerable to cyber attack — with potential for damage to buildings and harm to tenants and customers.

Adding to the financial hit caused by successful cyber attacks, class action lawsuits are on the rise. As a business owner or executive, you have a responsibility to assure customers, tenants, lenders and other stakeholders that your real estate or construction company has appropriate security protections in place.

While no business leaders want their organization to be low-hanging fruit for cyber criminals, deciding on the best course of action can be challenging. Trying to install high-level protection for the entire organization would be resource-prohibitive.

This is why a maturity and threat analysis (MTA) should be the first step in cyber protection. An MTA assesses an organization's preparedness for key cyber risks. This analysis provides invaluable information: the most dangerous current cyber threats in your industry, how likely your organization is to be breached, how much damage might be inflicted, what controls you have in place to prevent this and how effective these controls are. It also prioritizes the areas to focus on and outlines protection options and the cost of implementing each one.

The insightful due diligence and guidance provided by an MTA can be used to:

  • Create a stronger organizational security culture;
  • Determine whether the controls used to manage risks are sufficient;
  • Ensure the organization is complying with regulatory requirements; and
  • Update security measures following significant corporate change.

When embarking on an MTA, be sure to work with experienced, external cyber security professionals who can provide objective insights and expert guidance for the process. The process will include the following components.

Review of existing security controls by conducting interviews, workshops and tests with technical employees to examine critical security controls. These might relate to networks, data, hardware, software, devices, personnel skills, policies, employee education, access, maintenance, monitoring and incident management.

The goal of the review is to determine where the organization stands in terms of its security posture so that it can proactively pursue improvements. For example, security activities in an enterprise with low maturity would typically be ad hoc, weak and focused on information technology. Low maturity represents unacceptable risk.

At the highest end of the maturity scale, an organization would have a security-aware culture and defined security roles and responsibilities. Line-of-business managers would be accountable for security failures. Continuous self-improvement practices would be in place and updated frequently. The organization would be prepared to mitigate a cyber breach.

Assessment of current threat landscape by analyzing global threat surveys and statistics. This facilitates identifying the real estate and construction industry's current cyber threats, your organization's likelihood of being breached and the damage that could be inflicted.

Comparison of critical security controls for priority threats. Comparing current controls with an industry standard framework helps to clarify the organization's cyber security maturity. The framework comprises a recommended set of cyber defense actions to prevent or mitigate today's most pervasive and dangerous attacks.

Quantifying risk in financial terms. An international standard quantitative advanced risk model provides a framework for quantifying information risk in financial terms.

Creation of a strategic roadmap. After consolidating and analyzing all the information, the executive team receives a picture of where the organization stands and a roadmap for improvement. The current picture includes a dashboard with key metrics that enables management to quickly and clearly see the organization's current security posture, how it compares to that of its peers and what’s needed to strengthen it.

The roadmap prioritizes risk reduction strategies for the short, mid and long term, including quick wins targeting the most vulnerable areas that will have immediate impact. Budget and resource requirements are attached to each recommendation.

Facilitating successful execution. It's important to then bring together those responsible for overseeing security in your organization — the board of directors and executive team — to review and discuss the recommendations. This enables everyone responsible to ask questions and to consider differing views and priorities before making final decisions.

When it comes to your company's investments in cyber security, a maturity and threat analysis enables management to make informed decisions based on the likelihood of certain risks, the potential consequences and the cost of implementing controls.

In today's environment of accelerating global threats, real estate and construction companies must be prepared to protect operations, tenants, customers and buildings with a targeted, proactive approach to managing key risks.

No low-hanging fruit here for cyber attackers.

Jason Murray, MEng, CISSP, CCSP, QSA, is a Senior Manager, Cyber Security, with MNP’s Technology Solutions team. Contact Jason at [email protected] or 647.333.6241.

This is the second in a series of articles featuring MNP perspectives on cyber security for Canada's real estate and construction companies. Future articles will review essential components of a strong security posture, including how to build one, penetration testing, managed services and cyber breach incident response planning.