Construction/Property Management Breach-A Case Study

Overview

THE CHALLENGE: 

The CFO of a construction/property management company, with assets of over $4 billion, was initially alerted to check fraud. He was unsure whether the fraud was internal, external or both. The company had also been hacked, leaving their server exposed, including banking information, email addresses, private projects and more. Educating management on the current business risks they faced from a cyber and information security perspective, and convincing them they needed our services, was the toughest challenge.

DISCOVERIES MADE: 

1. During a one-hour discussion with the Head of IT, it was learned that the company had been hacked multiple times and had been the victim of phishing attacks and malware. The CEO was also held for ransom, which he paid. Our professionals worked with the CFO and Head of IT to assess people, processes and technology to create a risk profile of the client. We explained the security triad: Confidentiality, Integrity, and Availability of data. We also needed to gain an understanding of the current state of their external, internal and wireless infrastructure.

2. We learned there were no established policies, password requirements, disaster recovery plans, or business continuity plans; anyone was allowed to access anything on the internet, and access to desktops and laptops was not controlled. Their wireless access was wide open and awareness of business risk was simply lacking.

3. We stressed the importance of performing both an automated and a manual penetration test and vulnerability assessment, and explained why manual techniques are needed. Since their CEO had been held for ransom, even more situational intelligence analysis was needed.

4. The senior management agreed with our plan and agreed to move forward with the development of their cyber and information security program.

RESOLUTION AND IMPLEMENTATION:
 
Our Team:
 
  • Remediated the critical and high vulnerabilities immediately
  • Started security monitoring for the network
  • Created necessary cyber and information security policies
  • Rolled out phishing campaigns and security awareness for the entire company

A commitment to cyber security in relation to business risk has been applied and will become part of the culture. Since this is a drastic culture change, we devised a plan to ensure security while easing them into the change.

The following areas will be incorporated over a 12 month period: 
 
  • Risk and compliance management plan
  • Third party vendor risk
  • Policies and procedures
  • Business continuity and disaster recovery
  • Security awareness and Phishing
  • Physical and environmental security
  • Penetration testing

The Cyber & Information Security team at Grassi & Co. ensures that you and your organization are successful at the intersection of building and maintaining a robust cyber and information security program, in addition to providing savings to the bottom line.