How SMEs can ensure cyber security

Construction firms are seen as easy targets for cyber criminals, with large networks of subcontractors and suppliers creating multiple potential points of access. How can SMEs protect themselves?


  • Brian Ward

07 June 2022

Business office table with laptop earth model on wooden table.

Many SMEs depend on their size to protect them from cyber criminals, assuming that hackers will only target large companies. But this is not the case.

Companies of all sizes are frequently targeted by competitors seeking an unfair advantage, by criminals who steal sensitive data and hold businesses to ransom, by malicious former employees, or even by nation state actors.

Organisations of any size are also susceptible to phishing emails, which are sent out indiscriminately to millions of individuals and businesses every day to solicit passwords and other secure information.

Even if you do not suffer a financial loss in a data breach or ransomware attack, such an incident could still shut down your operations, lead to data corruption or loss, and damage your business's reputation. It may also leave you open to an investigation and fine from the Information Commissioner's Office (ICO).

Setting up data management systems

The three key stages of construction – design, construction and handover – all involve multiple digital workflows, as well as many personal and corporate devices. Significant amounts of data are transferred on most projects.

It is therefore important to have a system in place to receive, track and store both electronic and paper-based documents. This system should keep records of what has been shared, when and with whom.

Having such as system in place helps prevent sensitive information being accessed by those who should not. Similarly, staff and third parties should only have access to the resources required to do their jobs.

Dealing with design data

The design stage is increasingly digitised and involves a wide variety of different software. It is important that all packages are kept up to date by implementing patches when they are released by the relevant software developers. This ensures they remain as secure as possible.

The creation of a common data environment (CDE) that is shared with relevant third parties may be useful on projects.

A CDE allows all involved parties to access the data that you want them to see, but without allowing them access to the rest of the company's data.

Related article

Why cyber security should be everyone's job

Read more

Construction stage complicates cyber risk

The construction stage usually involves the largest number of individuals and third parties working together on a project, which also increases the complexity of maintaining cyber security. For instance, drones and GPS equipment are increasingly common on site, but the data they gather must be handled and stored appropriately just as data on a laptop would be.

Digital equipment can itself be a target for thieves, either for its resale value or the data it holds. Even if the equipment is not intentionally stolen for the data contained, it could nonetheless constitute a breach of the company's duties under the General Data Protection Regulation (GDPR).

Equipment left on site may be less secure than it would be in an office, and may have limited or no connection to the internet. This makes it difficult or impossible to monitor devices if they are not in your possession. Businesses therefore need to be wary of keeping information on site, and check how devices are secured during the day and after working hours.

Securing systems for handover

Depending on the type of project, there may be a number of installed facilities to which the client will need access from the handover stage. These include:

  • lighting automation and control

  • heating, ventilation and air conditioning (HVAC)

  • motion detectors, CCTV, security and access control

  • lifts and escalators

  • industrial processes or equipment

  • shading devices

  • fire, smoke detection and alarms

  • energy management and metering.

All details of installation, operation and maintenance should be recorded during the construction stage and handed over to the client or building operator, including details of the measures taken to secure the systems from attack.

Any of these can be vulnerable to attack if not properly secured or isolated from the main building management system. Facilities are often targeted because they tend to be less secure than, but linked to, the system on which more sensitive data is stored. For instance, the US retailer Target was the victim of a cyber attack in 2013 that accessed its payment data through the HVAC system.

'Facilities are often targeted because they tend to be less secure than, but linked to, the system on which more sensitive data is stored'

Experts offer guidance for IT staff

The National Cyber Security Centre (NCSC) has partnered with the Chartered Institute of Building to produce guidance that will help SMEs protect themselves against cyber attacks.

The NCSC document outlines seven key measures that should be taken by staff responsible for IT. If you are an SME without a dedicated IT team, though, that responsibility likely falls on you.

Back up your data: Essential information should be regularly backed up in case of damage or an attack on your IT system or premises. Start by identifying the information that is necessary for your business to function and the data you are legally required to protect, such as personal details of staff and clients. Then create a back-up that is separate from your computer system so it cannot be compromised in the event of a data breach. If you are not familiar with backing up data or are unsure what platform to use, the NCSC provides information on these processes in Small business guide: cyber security and Cloud security guidance.

Protect against malware: There are a number of measures that you can take to protect against malware. These include simple processes such as locking your desktop when you step away, which ensures no one can access it, all the way up to the use of antivirus software, firewalls and encryption. The best products for these situations are not necessarily the most expensive and will depend on a number of factors, including who has access to your data, how sensitive that data is, and who you want to exclude.

Keep mobile devices safe: Just as desktop computers should always require a password to access, phones and tablets should have a password, PIN or other locking method to protect your data. Many phones and tablets come with apps installed that can help you track their location, retrieve a back-up and remotely erase the data, all of which are very useful in the event of loss or theft.

Use passwords to protect your data: Ensure that all default passwords are changed to something that is not easy to guess, and use different passwords for different accounts and devices. Two-factor authentication should be activated for services such as email and banking. This requires the user to sign in with their password and also answer their phone or enter a code sent by text. The additional layer of security this provides makes it much more difficult for someone to access data they shouldn't see.

Prevent phishing: SMEs may not have dedicated IT departments to investigate suspicious texts or emails, but some staff may take it on themselves to investigate instead, which can be dangerous as clicking on any links could lead to a cyber breach. Instead, you and your colleagues can relay suspect messages to the NCSC's suspicious email reporting service (SERS), while suspicious texts can be forwarded to 7726 free of charge.

Collaborate with suppliers and partners: Cyber attacks on your suppliers can be as damaging as a direct attack on your business, especially if it leads to your payment processes being compromised as well as the loss of your data or loss of client confidence. Moreover, an attack on a supplier could provide a way into your organisation if you have not implemented a CDE to cordon off information on a project from the rest of your company data. The NCSC suggests that you encourage suppliers to obtain Cyber Essentials certification. This scheme helps companies protect themselves against the most common attacks, and provides assurance to their partners. You can also test your business's readiness to deal with attacks using the scheme's questionnaire.

Prepare for and respond to cyber incidents: It is increasingly likely that every company will be targeted at some point in its lifespan. Developing plans to react to incidents and carrying out training and rehearsals can establish resilience, and ensure that individuals are less likely to panic when something happens. You are legally obliged to report data breaches and other incidents to the ICO, and a full list of such incidents can be found on its website. It is also important that you and your colleagues learn from the incident by reviewing what happened, identifying any mistakes and taking action where necessary to prevent it happening again.

RICS provides advice on client relationships and data handling which you can read here.  

Regardless of whether you are a sole trader or a large company, you have a duty to protect the data your business stores, and to keep both your records and your security up to date.

Brian Ward is the editor of RICS Construction Journal

Contact Brian: Email

Related Articles


go to article How drones support mountain search and rescue teams


go to article Getting through your post-APC lull


go to article Guidance issued on EV fire safety in car parks