A guide to cyber security safety in real estate and construction

July 12, 2023

A guide to cyber security safety in real estate and construction

July 12, 2023

person working on a construction site

Protecting against cyber security attacks is vital for any business that uses technology and it’s not as complicated as you might think.

Ian MacMillan

Ian MacMillan, CISM, is a risk management leader with MNP Digital, working with organizations from 10 to 110,000 employees to create meaningful learning experiences around security, and mitigate human and technology risk. Ian is also passionate about putting the human first and taking a culture-based approach to improving security awareness in an organization using gamification and engagement.

Cyber security is often one of the last things that come to mind when thinking about the real estate and construction sector. Trades and technology aren’t two things that typically coincide, but as businesses evolve and optimize their processes, adopting and integrating varying technologies is becoming more and more necessary.

Ever year, one in five small Canadian businesses is the victim of a cyber attack. More than one third of those businesses estimated the cost of the attack at more than $100,000 and 20 percent were unsure what the breach would cost them.

Fear, uncertainty, and doubt are often the tactics used to scare organizations into caring about cybersecurity. And while this can be an effective way to get businesses to act, learning more about what cyber attacks look like and how to safeguard against them allows for a more thoughtful approach.

Why you should care about cyber security

When trying to understand what it is and how it might impact you, it may be easiest to compare cyber security to workplace health and safety protocols.

There have been significant developments in the last 50 years in workplace health and safety that have drastically reduced workplace incidents and made organizations safer as a result. Health and safety protocols are now commonplace because their effect is evident and the culture, mission, and metrics for success within the business are dependent on the safety of their employees.

When an organization approaches health and safety as a core component of their business rather than an afterthought or in response to an incident, work is done more safely, and processes are developed with keeping people safe in mind.

The same applies in the cyber security space. Being proactive and taking the time to understand what aspects of your business might be vulnerable will help establish a roadmap for where to shore up your defenses.

How to secure your business from the threat of cyber attacks

Scammers, hackers, and malicious actors aren’t always pursuing things we would assume are valuable like financial information or intellectual property.

Criminals will often take information that’s valuable to the operation of the organization and hold it for ransom – it might not be valuable to anyone else but it’s valuable to you.

Impersonation can be an area of concern, particularly for the construction sector. Back in 2017, Edmonton’s MacEwan University paid nearly $12 million to a criminal impersonating a construction contractor after the university fell victim to a phishing scam.

In that case, the university failed to verify an email request to change banking information. The scam was only discovered after the real contractor, Clark Builders, failed to receive three payments, including one for more than $9 million.

There are a few simple steps that any organization can implement to help boost the safety and resiliency of their cyber security.

Here are five fundamental components that every organization should consider implementing to help protect against cyber attacks:

Develop a security culture and raise awareness

A culture where individuals play a part in the protection of the organization’s information is crucial. If employees are encouraged to spot and report security concerns and are rewarded or praised when they do so, they’ll be less likely to sweep something under the rug or pass it off as unimportant. A culture where individuals are punished for accidentally falling victim creates a sense of self-preservation and will result in security concerns going unreported.

Implement multi-factor authentication wherever you can

Multi-factor authentication (also known as 2-step or 2-factor authentication) is a simple process where an individual validates their authentication beyond a username and password when logging into a system or service. It can be as simple as a six-digit code via text message, an authenticator app (like Google or Microsoft authenticator), or a fingerprint scanner. This means if a malicious actor compromises the credentials of an individual in the organization, the MFA is an additional step that prevents them getting access.

Implement a zero-trust strategy to information

Individuals in your organization should only be given access to information on a business need-to-know basis. Consider employing the “trust but verify” approach everywhere, meaning when someone is carrying out a request (like changing account information of a vendor or supplier), a process exists to follow-up and verify the request. It’s important to not assume that any request, even from someone you recognize, is automatically legitimate.


Develop a simple process to identify and report a security concern

For more people, cyber security is a very complicated subject and implementing complex ways to report a concern or expecting individuals to understand all the emerging threats is unrealistic. Instead, implement a simple set of rules and a simple process to spot and report a concern, like a shared email inbox.


Use a password manager to improve the strength of account security

Finally, account security is paramount to maintaining a secure organization and passwords are right at its core. Implementing an organization-wide password management tool (like LastPass or Dashlane) will ensure every password is unique and complex enough to remain secure. It also makes it easy to give access to shared services and keep track of account information within the organization.

By focusing on the benefits of embracing the technology available, you’ll be able to better understand where a cyber security attack might come from and how best to protect yourself against threats. It’s time to start proactively protecting your organization’s most valuable assets.

Connect with us to get started

Our team of dedicated professionals can help you determine which options are best for you and how adopting these kinds of solutions could transform the way your organization works. For more information, and for extra support along the way, contact our team.