LEGAL MATTERS
“privacy risk.” While there can be massive legal and reputational
impact in both cases, these two areas should not be confused nor
viewed analogously.
Cyber security spans a wide range of risks, including privacy risks,
threats to sensitive internal company, customer, or supplier data as
well as interruption to operations - digital risk with physical, real-world
impact, something to which the construction industry is
particularly susceptible. A recent Canadian threat report listed construction
among the five industries that have experienced the most
attack attempts. Small- and medium-sized enterprises (SME) can be
targets just as easily as larger organizations.
A recent study showed that approximately one in five Canadian
SMEs have fallen victim to such attacks.
The construction industry is one that faces the most significant
operational disruption risks and downstream legal risks.
Cyber-attacks are extremely devastating and costly. Some important
considerations to limit exposure are:
• A prevention, preparedness and incident response/mitigation plan
• Contractual safeguards when negotiating agreements, as well as
considering specific cyber insurance
• A cross-functional team including technical, legal and
communications expertise to execute the plan
• A decision plan to determine priorities and how to contain the
impact during an attack, manage crisis communication and
assess the resulting legal consequences.
Cyber-attacks exploit vulnerabilities
Cyber attackers come from a variety of sources and are motivated by
different factors. Nation states, organized crime, and activist hackers
may have a different agenda but the tactics are often the same.
One prominent example is the 2017 “NotPetya” attack on Merck,
which resulted in damages of $275M to $670M. Merck was not the
only multinational affected; other victims included shipping giant
Maersk, and Ukraine as a country, where it is estimated that 10
per cent of all the country’s computers were completely wiped, including
banks and hospitals. Total losses of the 2017 NotPetya attacks
are estimated at more than $10B.
The construction sector is vulnerable for a number of reasons:
1. The data held by the sector is valuable (proprietary designs,
confidential customer information, etc.).
2. The nature of the industry is such that information is necessarily
shared among a number of organizations and individuals
working together on any given project. Projects also require staff
to work remotely and use an array of telecommunications
devices which, generally speaking, increase vulnerability
to attack.
3. The industry has considerable turnover, making it more difficult
to instill an organizational culture of compliance as it relates
to cyber security – training and awareness standards are more
difficult to maintain.
46 Think BIG | Quarter 2 2019 | saskheavy.ca