How to ensure cyber security in construction

High-volume transactions and a lack of emphasis on digital defence mean that construction is one of the industries most vulnerable to cyber crime. What can you do to protect your business?


Phil Beesley

25 January 2023


A recent Hiscox report found that construction was fifth on the list of UK industries at risk of cyber attack, observing that the sector is not doing enough to prevent attacks.

All users are vulnerable – and it is important to be aware that people, not just technology systems, are a primary target. Even well-meaning users of technology can unknowingly be manipulated into enabling malicious activity through techniques such as social engineering.

Technology can be a risk, as well as an enabler for service improvement. But it would be wrong to suggest that technological developments are too risky to use because of security concerns. Rather, we should focus on securing information properly, and encouraging the prevention of breaches.

Digital attacks come from various sources

Attacks could come from any of the following sources:

  • cyber criminals interested in making money from fraud or the sale of valuable information
  • industrial competitors and foreign intelligence services wanting to gain an economic advantage for their companies or countries
  • hackers who find interfering with computer systems an enjoyable challenge
  • hacktivists who wish to attack companies for political or ideological motives
  • employees or other parties with legitimate access such as contractors or partners, who may accidentally or deliberately misuse this.

Why construction firms are targeted

Construction businesses and companies in related fields are generally seen as cash-rich but having little appetite to invest in cyber security – and thus can be easy targets. Large volumes of transactions are made from vendors of all sizes, throughout design, construction, and into handover. Consequently, mistakes can be made and malicious requests can slip through the net unnoticed.

As well as immediate gains for the attacker – such as money from your accounts and the damage caused to your reputation – there's also a risk to assets themselves, their users or their general purpose.

For example, a construction project for a financial institution or law enforcement agency will generate vital information such as floorplans or data contained in digital building services and management systems and, potentially, information about the people responsible for the asset, making the project an attractive target.


Cases illustrate range of danger

A quick search will reveal many recent stories of attacks on the construction industry in the UK. Three examples illustrate the wide variety of potential dangers.

In one case, hackers exploited a vulnerability in a construction services firm's website. By doing so, they were able to access its network and carry out a ransomware attack. This meant that the organisation's files were encrypted, and a payment was demanded before the hackers would restore access for users.

Another major contractor likewise suffered a ransomware attack on its computer systems. This impaired its operations, requiring a full restoration of the network.

Meanwhile, an infrastructure management company was hit by a cyber attack from a criminal group that leaked some of its data. This included contracts, financial documents, confidential partnership agreements and non-disclosure agreements.


How to reduce your vulnerability

The National Cyber Security Centre (NCSC) has published guidance on how to protect sensitive data when it is being shared across a network. While primarily intended for a more technical information security specialist audience, there are some lessons for us all.

Someone who intercepts a communication may seek to gain an advantage in a number of ways. For instance, they may:

  • want to extract sensitive information directly
  • want to modify the communication to masquerade as a legitimate user and send malicious messages
  • look to resend previously transmitted information – such as requests for funds – to cause disruption. Commonly this takes the form of a seemingly legitimate communication telling an individual that bank details have changed and funds should be routed to the 'new account', which actually belongs to the threat actors
  • seek to prevent data reaching its intended recipient, causing a denial of service.

Mechanisms to protect systems against such attackers work in two main ways, aiming first of all to prevent information being intercepted in the first place, then, should that fail, trying to prevent breaches of confidentiality or integrity.

Strategically planning cyber security measures can feel as though it is a monumental task. The NCSC therefore advocates using a set of technology principles, each of which should identify:

  • what it is aiming to achieve and why
  • the threat that it aims to mitigate
  • protective measures, such as using encryption to protect the confidentiality of the data and ensuring that any messages modified in transit can be identified
  • a list of sample defensive measures – practical techniques such as using standardised algorithms to encrypt content at source and decrypt it only at the destination, never en route, and then verifying message integrity.
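As an added example (not from the article or from the NCSC guidance), the following code shows two of the defensive measures just listed applied to a message such as a request for funds: an integrity tag so that any modification in transit is identified, and a sequence number so that a resent copy of an earlier message is rejected. It assumes a symmetric key already shared between sender and recipient and uses only the Python standard library; confidentiality (encrypting the content at source) would be layered on with a standard authenticated cipher such as AES-GCM from a vetted library, which is left out here.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key for the demonstration; assumption: the real key is agreed
# out of band through the organisation's key-management process.
SHARED_KEY = secrets.token_bytes(32)


def seal(key: bytes, seq: int, payload: dict) -> dict:
    """Wrap a payload with a sequence number and an HMAC-SHA256 tag over both."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


class Receiver:
    """Checks the tag (integrity) and the sequence number (replay) on arrival."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def open(self, message: dict):
        body = message["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak via timing.
        if not hmac.compare_digest(expected, message["tag"]):
            return None, "integrity check failed"
        parsed = json.loads(body)
        if parsed["seq"] <= self.last_seq:
            return None, "replay detected"
        self.last_seq = parsed["seq"]
        return parsed["payload"], "ok"


def demo():
    """Genuine message accepted; modified copy and resent copy both rejected."""
    rx = Receiver(SHARED_KEY)
    request = {"type": "payment_request", "account": "12345678", "amount": 2500}
    msg = seal(SHARED_KEY, 1, request)
    _, ok_status = rx.open(msg)
    # Bank details altered in transit: the body no longer matches the tag.
    modified = dict(msg)
    modified["body"] = msg["body"].replace("12345678", "99999999")
    _, modified_status = rx.open(modified)
    # The genuine message sent a second time: sequence number already used.
    _, resent_status = rx.open(msg)
    return ok_status, modified_status, resent_status
```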

Table 1: NCSC principles

User education
Train all technology users to consider what they include in publicly available documents and web content. They should also be aware of the risks of discussing asset, financial or site access information, for example, and how these can increase the risk of social engineering.

Network perimeter defences
Next-generation firewalls and web/app-traffic management tools can block insecure or unnecessary services, or only allow access to permitted websites. Some access must remain open: RICS members, for example, will still need to reach research material from resource pools such as RICS's own.

Password policy
Stipulations such as a minimum length and a mixture of alphanumeric characters can prevent users from selecting easily guessed passwords, while accounts can also be locked after a small number of failed attempts to log in.

Malware protection
Dedicated software can block malicious emails and prevent malware being downloaded from websites.

Secure configuration
The functionality of every device used to conduct business should be restricted to the minimum needed for business operation. Unnecessary software should be removed. Ensure that automatic features that could activate malware are turned off.

Patch management
When software vulnerabilities are discovered, patches should be applied at the earliest opportunity to limit exposure. In lay terms, make sure you update regularly.

Device controls
Devices in the internal gateway should be used to prevent unauthorised access to critical services, or to inherently insecure services such as external software applications that may still be required within the company.

User access
Well-maintained controls can restrict access to applications, privileges and data to those users who need them.

Once preventative measures have been put in place, checking on their effectiveness is crucial. Cyber criminals are well funded and highly skilled, and they will continue to test your defences. Detecting a breach early enables prompt intervention and a reduction in the severity of the potential consequences.

Critical questions you should ask

Human behaviour is central to the majority of cyber attacks in construction. Therefore, organisations should reflect on some critical questions.

  • Are all users aware of the importance of maintaining cyber security?
  • Do they all know how to spot suspicious or malicious behaviour, and what to do about it?
  • Can the organisation say it is doing everything in its power to mitigate risks?

Phil Beesley is commercial director at cyber-security services provider Comtact
