top of page

Are building companies really at risk from cyber-attacks?

Updated: Oct 31, 2022

After all, the industry's focus is on physical work with bricks and mortar. Surely digital activity is fairly minimal and unlikely to attract cyber criminals - isn't it?


Worker laying breeze blocks

Here on the Eastern Cyber Resilience Centre, we have seen that the construction industry has shown a significant reliance on technology over the last decade. There have also been seismic shifts in relation to project delivery and how organizations operate. From office operations to activities on-site, technologies such as cloud storage, email and smartphones are commonplace.


Digital tools, such as Building Information Modelling (BIM), are becoming increasingly commonplace at the design stage, along with technology such as 3D-printing, remote building monitoring systems, brick-laying robots, and other automated techniques. It is quite clear that the sector is unquestionably operating in a modern, digitized and connected way.


But as the industry progressively embraces modern technologies it cannot afford to ignore the corresponding risks. If unmanaged, cyber risk ultimately threatens to outweigh the benefits gained from continued technological advances.

It is a common misconception that because the industry doesn't regularly deal with personal data that it is not a target for cyber criminals. But unfortunately, this is not the case.

The industry presents a wide range of attractive opportunities for cyber criminals.

From controlling critical services, to the theft of trade secrets, there are many reasons that a construction sector organization could fall victim to cyber-crime. Tracking cyber incidents can be tricky, especially as a lot of incidents still go unreported. And while the construction sector may experience cyber-crime, unless a breach conforms to strict reporting requirements, the majority will not be publicized. This lack of knowledge-sharing can lead to underestimates of the true nature and scale of cyber exposures.


If the industry is unaware of common vulnerabilities, it presents low-hanging fruit for cyber criminals.

The average cost of a data breach currently sits at nearly four million US dollars. Imagine, for example, that your entire library of CAD drawings was encrypted and ransomed, or simply deleted. What would it cost to recommission and replace them all? Then, add the wide range of associated business interruption costs, such as delays to on-going projects and employee overtime. You then begin to see the true impact of a potential cyber incident.


What is incident response?

An organisation becoming aware that they have been attacked will often start with a member of staff asking, ‘Why can’t I open my files?’ But remember that most cyber-attacks are conducted by stealth, and they will not always want to be found. So, the first consideration is

‘Do we have a process to proactively look for cyber-attacks even when everything is operating normally?’

As a member of the ECRC you will receive free updates about vulnerabilities that have been flagged by other organisations specifically to help the wider community. Including you.


Unfortunately, the first time that an organisation discovers they need an Incident Response Plan often coincides with the realisation that they don’t actually have one. The plan itself is simply a document containing the details of key personnel who you can contact if you are worried that you have been victim of a cyber-attack. It also contains key information to help you move through the various stages of containment and then recovery. Having a good response plan means that you are more likely to come through the experience more quickly and efficiently and with less of your systems exposed to the hack. And the responsibility for establishing and maintaining a plan is down to the business owner and not the managed service provider you use for your IT.


If you find that you have been breached, you may never find out exactly how – what is important is that at that point the criminals still have access to your network. The wrong decisions now could have a devastating effect on your business, and you could face additional, financial, and reputational loss if you don’t make the right decisions next.


As can be seen in the below diagram you will start in the triage stage of the breach, trying to figure out what the scale of the breach is and the impact now and in the future.

Diagram showing incidnet management and incident response


What can I do now?

Frontspiece of the incident response plan template

Increasingly cyber experts are accepting that blocking all cyber-attacks is not an achievable outcome and that it makes sense to be prepared for when the breach occurs. Being well prepared for a breach is a key step in making yourself resilient in the online world. To save you the time of having to start one from scratch – go to our tools section and download an incident plan for free. All you have to do is read it and fill in the key bits of information and you have a document that you can rely on if the worst actually happens.


Practice, Practice, Practice

Once you’ve got an incident response plan prepared the next stage to establish your readiness is to try it out in a safe environment. The National Cyber Security Centre’s Exercise in a Box is an excellent starting point. This exercise will help you to check out how well you and your business can respond to a cyber-attack.


So, what should my company do now?

Here at the centre, we would advise you to do three things now

1. Join our free core membership by clicking here. You will be supported through implementing the changes you need to make to protect your business and your customers.


2. We would recommend that you look at improving you overall cyber resilience through the free Little Steps pathway we provide to Cyber Essentials – the basic government backed kite mark standard for cyber security. As a free member we will take you as far as the CE accreditation process. And remember that a company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks. And if you want to pay for the assessment, we can refer you one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited.


3. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf.


4. Have a look at our construction company cyber guide that gives all kinds of hints and tips specifically for your sub-contractors.


Reporting Cyber Crime

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page